From 037e65fe1dba5443e8678204d40219936b57ae45 Mon Sep 17 00:00:00 2001 From: Yan Avlasov Date: Tue, 19 Jan 2021 20:07:47 -0500 Subject: [PATCH 1/2] Update threat model to treat untrusted upstreams equally with downstreams Signed-off-by: Yan Avlasov --- .../intro/arch_overview/security/threat_model.rst | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/docs/root/intro/arch_overview/security/threat_model.rst b/docs/root/intro/arch_overview/security/threat_model.rst index f0e4713e672be..2eb5ed607885a 100644 --- a/docs/root/intro/arch_overview/security/threat_model.rst +++ b/docs/root/intro/arch_overview/security/threat_model.rst 
@@ -56,16 +56,11 @@ Data and control plane ---------------------- We divide our threat model into data and control plane, reflecting the internal division in Envoy of -these concepts from an architectural perspective. Our highest priority in risk assessment is the -threat posed by untrusted downstream client traffic on the data plane. This reflects the use of -Envoy in an edge serving capacity and also the use of Envoy as an inbound destination in a service -mesh deployment. - -In addition, we have an evolving position towards any vulnerability that might be exploitable by -untrusted upstreams. We recognize that these constitute a serious security consideration, given the -use of Envoy as an egress proxy. We will activate the security release process for disclosures that -appear to present a risk profile that is significantly greater than the current Envoy upstream -hardening status quo. +these concepts from an architectural perspective. Envoy's core components are considered to be hardened +against both untrusted downstream and upstream peers. As such our highest priority in risk assessment is the +threat posed by untrusted downstream client or untrusted upstream server traffic on the data plane. This +reflects the use of Envoy in an edge serving capacity and also the use of Envoy as a networking component in a +mesh deployment with unstrusted services. The control plane management server is generally trusted. We do not consider wire-level exploits against the xDS transport protocol to be a concern as a result. However, the configuration delivered From d59ecc9e2bdc9416b76645940febda8773a5524e Mon Sep 17 00:00:00 2001 From: Yan Avlasov Date: Fri, 29 Jan 2021 10:12:25 -0500 Subject: [PATCH 2/2] Address comments Signed-off-by: Yan Avlasov --- docs/root/intro/arch_overview/security/threat_model.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/root/intro/arch_overview/security/threat_model.rst b/docs/root/intro/arch_overview/security/threat_model.rst index 2eb5ed607885a..553550023f050 100644 --- a/docs/root/intro/arch_overview/security/threat_model.rst +++ b/docs/root/intro/arch_overview/security/threat_model.rst @@ -60,7 +60,7 @@ these concepts from an architectural perspective. Envoy's core components are co against both untrusted downstream and upstream peers. As such our highest priority in risk assessment is the threat posed by untrusted downstream client or untrusted upstream server traffic on the data plane. This reflects the use of Envoy in an edge serving capacity and also the use of Envoy as a networking component in a -mesh deployment with unstrusted services. +service mesh deployment with unstrusted services. The control plane management server is generally trusted. We do not consider wire-level exploits against the xDS transport protocol to be a concern as a result. However, the configuration delivered
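Review bot: The new paragraph in the first hunk (PATCH 1/2, `@@ -56,16 +56,11 @@`) introduces a typo in its last added line: "mesh deployment with unstrusted services" should read "untrusted services", and "As such our highest priority" wants a comma after "As such". Note also that the deleted paragraph was the only place that said when the security release process is activated for upstream-exploitable issues; since the replacement text states that core components are hardened against both untrusted downstream and upstream peers, it would help readers to say explicitly that such disclosures now follow the same security release process as downstream ones, rather than leaving that to be inferred from the deletion.

Review bot: The second hunk (PATCH 2/2, `@@ -60,7 +60,7 @@`) changes "mesh deployment" to "service mesh deployment" but leaves the spelling error from the previous commit in place: "+service mesh deployment with unstrusted services." should be "untrusted services." Worth fixing here so the typo does not land in the published threat model.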