TCP handshake involving more than two ports
I have deployed an application on a Kubernetes cluster. In this deployment I use Istio/Envoy to control inbound/outbound traffic. I collected some TCP packets with tcpdump to investigate a problem.
As far as I understand, a TCP handshake should involve only a single 5-tuple (src-IP, src-Port, dst-IP, dst-Port, protocol).
For example:
IP: 198.168.1.100 Port: 52312 ----SYN----> IP: 198.168.1.101 Port: 80
IP: 198.168.1.100 Port: 52312 <--SYN ACK-- IP: 198.168.1.101 Port: 80
IP: 198.168.1.100 Port: 52312 ----ACK----> IP: 198.168.1.101 Port: 80
But in the packets I captured, what I don't understand is this:
10.X.X.X 127.0.0.1 TCP 76 33500 → 15001 [SYN] Seq=3333992218
X.X.X.X 10.X.X.X TCP 76 80 → 33500 [SYN, ACK] Seq=2228273021 Ack=3333992219
10.X.X.X 127.0.0.1 TCP 68 33500 → 15001 [ACK] Seq=3333992219 Ack=2228273022
Note that the SYN ACK comes back from port 80. At first I thought it might be packet loss and that these were actually two handshakes, but looking at the sequence and acknowledgement numbers it seems to be a single handshake.
If this is a single handshake, how would you explain this? Is there a technique that does the TCP handshake differently?
According to this blog:
It is one handshake, just 2 separate connections: the first goes to the envoy sidecar, and then the envoy sidecar, acting as a middleman, sends it on to your pod.
So this is the magic: the connection is not established between client and server directly, but split into 2 separate connections:
connection between client and sidecar
connection between sidecar and server
Those two connections are independently handshaked, thus even if the latter failed, the former could still be successful.
Actual view of the two sides: a middleman sits between client and server
If you are looking for more information on port 15001 itself, you can refer to the istio documentation.
There is a more detailed explanation here.
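The split the answer describes, as an added example that is not part of the original post, the linked blog, or Istio/Envoy itself: a minimal Python "middleman" that accepts a client connection (first handshake) and only then opens a second, separate connection upstream (second handshake). Everything about the setup is an assumption of the example: the ports are ephemeral loopback ports chosen at run time rather than 15001 and 80, the "server" is a bare listener, and the iptables REDIRECT that Istio uses to steer pod traffic into the sidecar is not modelled. The second run points the proxy at a closed port to show that the client's handshake completes even though the upstream one is refused.

```python
"""Added example: a sidecar-style middleman splits one logical connection into
two independent TCP connections, each with its own handshake and 5-tuple.

Assumptions: loopback only, ephemeral ports instead of Istio's 15001 and the
application's 80, a bare listener as the upstream "server", and no iptables
REDIRECT (the client connects to the proxy port directly).
"""
import socket
import threading


def start_listener(host="127.0.0.1", port=0, backlog=5):
    """Bind a TCP listener; port=0 lets the kernel pick a free ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(backlog)
    return s


def proxy_one_connection(listener, upstream_addr, timeout=2.0):
    """Accept one client (handshake 1), then open a separate upstream
    connection (handshake 2).  Returns (client_leg, upstream_leg); each leg is
    ((src_ip, src_port), (dst_ip, dst_port)), or, for upstream_leg, the name of
    the exception class if the second handshake fails."""
    listener.settimeout(timeout)
    conn, client_peer = listener.accept()
    client_leg = (client_peer, conn.getsockname())
    upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    upstream.settimeout(timeout)
    try:
        upstream.connect(upstream_addr)
        upstream_leg = (upstream.getsockname(), upstream.getpeername())
    except OSError as exc:
        # Handshake 1 already completed above; this failure is invisible to
        # the client at the TCP level, exactly the independence the blog notes.
        upstream_leg = type(exc).__name__
    finally:
        upstream.close()
        conn.close()
    return client_leg, upstream_leg


def demo(upstream_up):
    """Run client -> proxy -> upstream on loopback and return both legs as seen
    by the client and by the proxy.  upstream_up=False points the proxy at a
    port with nothing listening, so only the first handshake can succeed."""
    proxy_l = start_listener()
    up_l = start_listener()
    upstream_addr = up_l.getsockname()
    if not upstream_up:
        up_l.close()  # port is now closed: the upstream SYN will be refused

    result = {}

    def proxy_thread():
        result["proxy"] = proxy_one_connection(proxy_l, upstream_addr)

    t = threading.Thread(target=proxy_thread)
    t.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(2.0)
    client.connect(proxy_l.getsockname())  # returns once handshake 1 is done
    result["client"] = (client.getsockname(), client.getpeername())
    t.join(5.0)

    client.close()
    proxy_l.close()
    if upstream_up:
        up_l.close()
    return result


def format_legs(result):
    """Render the two legs in the port -> port style of the capture above."""
    lines = []
    c_src, c_dst = result["client"]
    lines.append(f"client  {c_src[1]} -> {c_dst[1]}  (client <-> sidecar)")
    up = result["proxy"][1]
    if isinstance(up, str):
        lines.append(f"sidecar upstream handshake failed: {up}")
    else:
        lines.append(f"sidecar {up[0][1]} -> {up[1][1]}  (sidecar <-> server)")
    return lines


if __name__ == "__main__":
    for line in format_legs(demo(upstream_up=True)):
        print(line)
    for line in format_legs(demo(upstream_up=False)):
        print(line)
```

Running it prints two legs with four distinct ports for the healthy case, and for the closed-upstream case the client leg still shows a completed connection while the sidecar leg reports ConnectionRefusedError: the client's connect() returned as soon as the proxy's kernel finished handshake 1, before the proxy ever sent a SYN upstream.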