Istio 1.3 introduced a new capability to automatically sniff the protocol used when two containers communicate. This is a powerful benefit to easily get started with Istio, but it has some tradeoffs.  Aspen Mesh recommends that production deployments of Aspen Mesh (built on Istio) do not use protocol sniffing, and Aspen Mesh 1.3.3-am2 turns off protocol sniffing by default. This blog explains the tradeoffs and the reasoning we think turning off protocol sniffing is the better tradeoff.  

What Protocol Sniffing Is

Protocol sniffing predates Istio. For our purposes, we’re going to define it as examining some communication stream and classifying it as implementing one protocol (like HTTP) or another (like SSH), without additional information. For example, here’s two streams from client to server, if you’ve ever debugged these protocols you won’t have a hard time telling them apart:

Protocol Sniffing Service Mesh

In an active service mesh, the Envoy sidecars will be handling thousands of these streams a second.  The sidecar is a proxy, so it reads every byte in the stream from one side, examines it, applies policy to it and then sends it on.  In order to apply proper policy (“Send all PUTs to /create_* to create-handler.foo.svc.cluster.local”), Envoy needs to understand the bytes it is reading.  Without protocol sniffing, that’s done by configuring Envoy:

  • Layer 7 (HTTP): “All streams with a destination port of 8000 are going to follow the HTTP protocol”
  • Layer 4 (SSH): “All streams with a destination port of 22 are going to follow the SSH protocol”

When Envoy sees a stream with destination port 8000, it reads each byte and runs its own HTTP protocol implementation to understand those bytes and then apply policy.  Port 22 has SSH traffic; Envoy doesn’t have an SSH protocol implementation so Envoy treats it as opaque TCP traffic. In proxies this is often called “Layer 4 mode” or “TCP mode”; this is when the proxy doesn’t understand the higher-level protocol inside, so it can only apply a simpler subset of policy or collect a subset of telemetry.

For instance, Envoy can tell you how many bytes went over the SSH stream, but it can’t tell you anything about whether those bytes indicated a successful SSH session or not.  But since Envoy can understand HTTP, it can say “90% of HTTP requests are successful and get a 200 OK response”.

Here’s an analogy – I speak English but not Italian; however, I can read and write the Latin alphabet that covers both.  So I could copy an Italian message from one piece of paper to another without understanding what’s inside. Suppose I was your proxy and you said, “Andrew, copy all mail correspondence into email for me” – I could do that whether you received letters from English-speaking friends or Italian-speaking ones.  Now suppose you say, “Copy all mail correspondence into email unless it has Game of Thrones spoilers in it.”  I can detect spoilers in English correspondence because I actually understand what’s being said, but not Italian, where I can only copy the letters from one page to the other.

If I were a proxy, I’m a layer 7 English proxy but I only support Italian in layer 4 mode.

In Aspen Mesh and Istio, the protocol for a stream is configured in the Kubernetes service.  These are the options:

  • Specify a layer 7 protocol: Start the name of the service with a layer 7 protocol that Istio and Envoy understand, for example “http-foo” or “grpc-bar”.
  • Specify a layer 4 protocol: Start the name of the service with a layer 4 protocol, for example “tcp-foo”.  (You also use this if you know the layer 7 protocol but it’s not one that Istio and Envoy support; for example, you might name a port “tcp-ssh”)
  • Don’t specify protocol at all: Name it without a protocol prefix, e.g. “clients”.

If you don’t specify a protocol at all, then Istio has to make a choice.  Before protocol sniffing was a feature, Istio chose to treat this with layer 4 mode.  Protocol sniffing is a new behavior that says, “try reading some of it – if it looks like a protocol you know, treat it like that protocol”.

An important note here is that this sniffing applies for both passive monitoring and active management.  Istio both collects metrics and applies routing and policy. This is important because if a passive system has a sniff failure, it results only in a degradation of monitoring – details for a request may be unavailable.  But if an active system has a sniff failure, it may misapply routing or policy; it could send a request to the wrong service.

Benefits of Protocol Sniffing

The biggest benefit of protocol sniffing is that you don’t have to specify the protocols.  Any communication stream can be sniffed without human intervention. If it happens to be HTTP, you can get detailed metrics on it.

That removes a significant amount of configuration burden and reduces time-to-value for your first service mesh install.  Drop it in and instantly get HTTP metrics.

Protocol Sniffing Failure Modes

However, as with most things, there is a tradeoff.  In some cases, protocol sniffing can produce results that might surprise you.  This happens when the sniffer classifies a stream differently than you or some other system would.

False Positive Match

This occurs when a protocol happens to look like HTTP, but the administrator doesn’t want it to be treated by the proxy as HTTP.

One way this can happen is if the apps are speaking some custom protocol where the beginning of the communication stream looks like HTTP, but it later diverges.  Once it diverges and is no longer conforming to HTTP, the proxy has already begun treating it as HTTP and now must terminate the connection. This is one of the differences between passive sniffers and active sniffers – a passive sniffer could simply “cancel” sniffing.

Behavior Change:

  • Without sniffing: Stream is considered Layer 4 and completes fine.
  • With sniffing: Stream is considered Layer 7, and then when it later diverges, the proxy closes the stream.

False Negative Match

This occurs when the client and server think they are speaking HTTP, but the sniffer decides it isn’t HTTP.  In our case, that means the sniffer downgrades to Layer 4 mode. The proxy no longer applies Layer 7 policy (like Istio’s HTTP Authorization) or collects Layer 7 telemetry (like request success/failure counts).

One case where this occurs is when the client and server are both technically violating a specification but in a way that they both understand.  A classic example in the HTTP space is line termination – technically, lines in HTTP must be terminated with a CRLF; two characters 0x0d 0x0a.  But most proxies and web servers will also accept HTTP where lines are only terminated with LF (just the 0x0a character), because some ancient clients and hacked-together UNIX tools just sent LFs.

That example is usually harmless but a riskier one is if a client can speak something that looks like HTTP, that the server will treat as HTTP, but the sniffer will downgrade.  This allows the client to bypass any Layer 7 policies the proxy would enforce. Istio currently applies sniffing to outbound traffic where the outbound target is unknown (often occurs for Egress traffic) or the outbound target is a service port without a protocol annotation.

Here’s an example: I know of two non-standard behaviors that node.js’ HTTP server framework allows.  The first is allowing extra spaces between the Request-URI and the HTTP-Version in the Request-Line. The second is allowing spaces in a Header field-name.  Here’s an example with the weird parts highlighted:

If I send this to a node.js server, it accepts it as a valid HTTP request (for the curious, the extra whitespace in the request line is dropped, and the whitespace in the Header field-name is included so the header is named “x-foo   bar”). Node.js’ HTTP parser is taken from nginx which also accepts the extra spaces. Nginx is pretty darn popular so other web frameworks and a lot of servers accept this. Interestingly, so does the HTTP parser in Envoy (but not the HTTP inspector).

Suppose I have a situation like this:  We just added a new capability to delete in-progress orders to the beta version of our service, so we want all DELETE requests to be routed to “foo-beta” and all other normal requests routed to “foo”.  We might write an Istio VirtualService to route DELETE requests like this:

If I send a request like this, it is properly routed to foo-2.

But if I send one like this, I bypass the route and go to foo-1.  Oops!

This means that clients can choose to “step around” routing if they can find requests that trick the sniffer. If those requests aren’t accepted by the server at the other end, it should be OK.  However, if they are accepted by the server, bad things can happen. Additionally, you won’t be able to audit or detect this case because you won’t have Jaeger traces or access logs from the proxy since it thought the request wasn’t HTTP.

(We investigated this particular case and ran our results past the Envoy and Istio security vulnerability teams before publishing this blog. While it didn’t rise to the level of security issue, we want it to be obvious to our users what the tradeoffs are. While the benefits of protocol sniffing may be worthwhile in many cases, most users will want to avoid protocol sniffing in security-sensitive applications.)

Behavior Change:

  • Without sniffing: Stream is Layer 7 and invalid requests are consistently rejected.
  • With sniffing: Some streams may be classified as Layer 4 and bypass Layer 7 routing or policy.

Recommendation

Protocol sniffing lessens the configuration burden to get started with Istio, but creates uncertainty about behaviors.  Because this uncertainty can be controlled by the client, it can be surprising or potentially hazardous. In production, I’d prefer to tell the proxy everything I know and have the proxy reject everything that doesn’t look as expected.  Personally, I like my test environments to look like my prod environments (“Test Like You Fly“) so I’m going to also avoid sniffing in test.

I would use protocol sniffing when I first dropped a service mesh into an evaluation scenario, when I’m at the stage of, “Let’s kick the tires and see what this thing can tell me about my environment.”

For this reason, Aspen Mesh recommends users don’t rely on protocol sniffing in production.  All service ports should be declared with a name that specifies the protocol (things like “http-app” or “tcp-custom”).  Our users will continue to receive “vet” warnings for service ports that don’t comply, so they can be confident that their clusters will behave predictably.