Harden Envoy against untrusted upstream servers #12278
Labels
enhancement
Feature requests. Not bugs or questions.
no stalebot
Disables stalebot from closing an issue
untrusted-upstreams
Required before considering upstreams untrusted
This is top level issue for tracking tasks and progress of hardening Envoy against untrusted upstream servers. More specific sub-tasks are split into its own issues and linked to this issue.
Objective
Background
Presently Envoy’s threat model considers all upstream data and control plane infrastructure to be trusted. This includes upstream servers, auxiliary servers invoked by filters, such as remote authz server, control plane endpoints or user controlled portions of configuration. This approach meets requirements of all existing Envoy’s production deployments which are mostly reverse proxy to trusted production services or service mesh. As a result most security related fixes and improvements have been applied to client (downstream) requests only. For example mitigations to HTTP/2 flood attacks have been developed for downstream requests only and an upstream server may cause Envoy to consume excessive resources by flooding it with control frames.
However, a number of upcoming Envoy based products are required to be hardened against untrusted components of upstream infrastructure. For example L7ILB proxies requests to customer controlled upstream servers, and a buggy or malicious upstream server in multitenant mode may cause outage or intercept data of other customers.
This design document focuses on hardening against untrusted upstream servers. Hardening against other aspects of upstream infrastructure is covered elsewhere.
Overview
The entire scope can be split into several areas. This is preliminary list and it may change as we make progress:
The text was updated successfully, but these errors were encountered: