Metadata Exchange Filter

[gargnupur]

Work left:

1. Move writing of metadata to the callback when TLS handshake is complete.
   onNewConnection gets called when connection is established but before handshake is complete. Thus couldnt do metadata write here.

Things to note:

1. In Upstream Filter, onWrite happens first, thus we write metadata in "OnWrite".
2. In Downstream Filter, onData happens first, thus we write metadata in "OnData".
3. Both Upstream and Downstream filter consume metadata in OnData.

[istio-testing]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gargnupur
To complete the pull request process, please assign rshriram
You can assign the PR to them by writing /assign @rshriram in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kyessenov]

FYI The upstream filter facility is now merge into Envoy, so it should be ready to use. We don't have to combine both filters in one PR, upstream can be done separately from downstream.

[kyessenov]

Please make this a constant

[gargnupur]

Fixed

[kyessenov]

Why is it incremented per each write?

[gargnupur]

Left from testing... removed

[kyessenov]

MessageDifferencer is public now, you can find a use of it in envoy.

[gargnupur]

Thanks..Fixed

[gargnupur]

@kyessenov, @mandarjog , @lizan : Looks like tests are failing because of the following error:
[2019-08-03 16:21:21.167][32983][warning][testing] [external/envoy/test/test_common/environment.cc:175] Testing with IPv6 addresses may not be supported on this machine. If testing fails, set the environment variable ENVOY_IP_TEST_VERSIONS.

and I see this in other PR's too..

[mandarjog]

Yes it is failing on PRs since prow nodes were upgraded.

[gargnupur]

/retest

[kyessenov]

I think this has to fall-through to WriteMetadata. Can you make that explicit or add a comment?

[gargnupur]

Done.. removed the else stmt.

[kyessenov]

Same here, this is intended to fall through I think.

[gargnupur]

Fixed

[kyessenov]

This does not seem right to increment header on buffering. This is mostly random depending how TCP data is chunked, right?

[gargnupur]

Please check replied above...
I thought "return Network::FilterStatus::StopIteration;" is doing that and we don't need to drain "data" and buffer bytes read till now..

[kyessenov]

Same here. If buffer is large, then we need to drain the proxy header.

[gargnupur]

I thought "return Network::FilterStatus::StopIteration;" is doing that and we don't need to drain "data" and buffer bytes read till now..

[kyessenov]

nit: naming suggestion setMetadata so as not to confuse with network writes.

[gargnupur]

Changed.. to be in sync with set.. changed readMetadata to getMetadata too.

[kyessenov]

set conn_state_ = Done?

[gargnupur]

State Machine fall through will take care of it.. in default section?

[kyessenov]

I'm thinking this guard may not be necessary. This essentially validates the expectation that onData is called first for downstream and onWrite is called first upstream. However, this is not important since one of them has to be called first anyways, and both callbacks do the right thing and transition out of the writing state (so not possible to write twice).

In fact, it might be necessary to remove this guard for server-first protocol. If the server (envoy) writes first on the downstream connection, then there is a bug with this guard. This can happen with MySQL, for example.

[gargnupur]

I thought that assumption was needed.. Thanks for the info.. Removed the guard.

[kyessenov]

Thank you for changing it to use a state machine. This is more readable IMHO.
@lizan are you still requesting changes? It's preventing the merge.

[lizan]

From implementation this looks much better than last time.

A few higher level question/request:

• Can you have a one pager document (or is there any design doc for the protocol other than https://docs.google.com/document/d/1bWQAsrBZguk5HCmBVDEgEMVGS91r9uh3SIr7D7ELZBk/edit#heading=h.n6jc1obl82s7?) describing what the wire protocol is? I could read from the implementation but it is not clear and hard to read implementation against implementation to check if they can communicate correctly.

• The name "ALPN Proxy" is very confusing because it has nothing to do with ALPN, we use ALPN to select this filter but itself doesn't deal with ALPN, I guess it is better to name "metadata_proxy" or something else (cc @PiotrSikora)

[lizan]

how this number is chosen?

[gargnupur]

It's a random number..

[lizan]

Can you double check this doesn't conflict with major protocols? (i.e. couldn't be first 4 bytes of TLS, HTTP/1.1, HTTP/2, MySQL, etc..)

[gargnupur]

Done..

[gargnupur]

@lizan: One Pager Implementation doc can be found at: https://docs.google.com/document/d/15jKV_muOZKX4CccnA1w-X73SkqGt8cV3a9TBXxzs0TA/edit?usp=sharing.
Agree with name change suggestion, in a meeting today at Google, metadata exchange was suggested too.. I am thinking to do name change in a separate PR, if that works for you?

[lizan]

Thanks for putting the doc!

I am thinking to do name change in a separate PR, if that works for you?

I'm in favor of doing that in this PR. At very least the registered name should be changed because it appears in config.

[mandarjog]

I agree, lets rename it to metadata_exchange .
The alpn link is there in the implementation, but one could use the same filter within plaintext tcp, with prior knowledge.

Re magic_number, we should check against other common magics, like beginning of an http1, http2 transactions. Is there a systematic way to go about this?

If we can't be certain, we should have the ability override magic_number through config.

[gargnupur]

@lizan, @mandarjog , @kyessenov , @PiotrSikora: looks like newly generated random 0x3D230467 magic number should not conflict with Http, http/2, TLS, Redis, SQL... (googling this number doesn't say it's any protocol's magic number.)

Summarizing the findings from chat here(thanks to @kyessenov,@PiotrSikora for the help):

1. HTTP: starts with GET, POST.. binaries of these do not match with our magic number.
2. HTTP/2: starts with a predefined prefix 0x505249202a20485454502f322e300d0a0d0a534d0d0a0d0a.
3. TLS: first 8 bits are TLS major version then next 8 bits TLS minor version.it's {3, 3} for TLS 1.2. First 4 bits of our magic number is 1111, so TLS will take a long time to collide.
4. SQL: https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::Handshake. First byte is protocol version
   , whose some info can be found here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/135d0ebe-5c4c-4a94-99bf-1811eccb9f4a?redirectedfrom=MSDN). Doesn't look like it will conflict.
5. Redis: looks like data type is the first byte : https://redis.io/topics/protocol
   does not collide with the magic number.

[mandarjog]

@lizan ping !

[lizan]

mostly lgtm. defer to @PiotrSikora

[lizan]

nit: std::make_unique

[gargnupur]

Fixed

[lizan]

I believe this is an undefined behavior (unaligned access) when initial_header_buf.c_str() is not aligned to uint32_t, UBSAN doesn't fail just because of luck.

[gargnupur]

But shouldn't marking MetadataExchangeInitialHeader struct as packed attribute help with misalignment errors?

[lizan]

No packed struct doesn't mitigate misalignment errors, because you're doing reinterpret_cast from a raw pointer which is not guaranteed to be aligned.

Since you're already doing a copy here, why not just do:

MetadataExchangeInitialHeader initial_header;
data.copyOut(0, initial_header_length, &initial_header);

then where you copied to is aligned.