Track active (downtream) tls handshakes #33608
Labels
area/tls
enhancement
Feature requests. Not bugs or questions.
stale
stalebot believes this issue/PR has not been touched recently
TLS handshake nowadays are still cpu insenstive.
Even In the service mesh env where no intended attacker or few compromised workload,
a TLS client can easily create DOS attack to a TLS server with unbounded TLS retry.
In this situation, the server side envoy with limited CPU resources should leave decent
cycles to serve the established connections.
It's generally available if we can maintain a queue of active TLS shake, and avoid enqueue
too many tls handshake tasks.
I am proposing usig a L4 filter to track the active handshakes.
The L4 filter can treat connections that have not received ConnectionEvent::Connected as
"active handshaking" connections.
Once we have this metric, either listener or l4 filter can early shutdown the connection.
Or overload manager can be plumbed to stop enqueue.
Alternatively the queuing can be achieved by handshake agent, but there is no timeline yet.
Does anyone have similar requirement? This could be treated as extended "connection limit filter"
The text was updated successfully, but these errors were encountered: