NIST SP 800-233 (Initial Public Draft)

Service Mesh Proxy Models for Cloud-Native Applications

Date Published: July 19, 2024
Comments Due: September 3, 2024 (public comment period is CLOSED)
Email Questions to: sp800-233-comments@nist.gov

Author(s)

Ramaswamy Chandramouli (NIST), Zack Butcher (Tetrate), James Callaghan (control-plane.io)

Announcement

The service mesh has become the de facto application services infrastructure for cloud-native applications. It enables an application’s runtime functions (e.g., network connectivity, access control, etc.) through proxies that form the data plane of the service mesh. Different proxy models or data plane architectures have emerged, depending on the distribution of the network layer functions (i.e., L4 and L7) and the granularity of association of the proxies to individual services/computing nodes.

The purposes of this document are two-fold:

  1. Develop a threat profile for each of the data plane architectures by considering a set of potential threats to the various proxy functions and assigning scores to the impact and likelihood of each threat being exploited.
  2. Analyze the service mesh capabilities that are required for each class of cloud-native applications with different risk profiles (i.e., low, medium, and high) and provide recommendations for the data plane architectures or proxy models that are appropriate and applicable for each class.

Abstract

Keywords

proxy model; data plane architecture; service mesh; threat profile; cloud-native application

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-233.ipd

Supplemental Material:
None available

Document History:
07/19/24: SP 800-233 (Draft)
10/16/24: SP 800-233 (Final)

Topics

Security and Privacy

threats

Technologies

cloud & virtualization, networks