Tag: Ztunnel
Issues specific to Istio's Ztunnel node proxy in Ambient mode—covering DNS-proxy binding errors, HBONE traffic capture failures, socket binding problems and other per-node proxy concerns
| ID | Title | Description | Category | Technology | Tags |
|---|---|---|---|---|---|
| CRE-2025-0109 Medium Impact: 0/10 Mitigation: 0/10 | Ambient HTTP status codes by Ztunnel | When Ambient mode is enabled, Ztunnel tunnels HTTP over HBONE (HTTP CONNECT) and although it's a TCP proxy, it still tags its \"connection complete\" log lines with the HTTP status code from the upstream response (e.g. 503, 401). This CRE verifies that non-2xx responses are correctly surfaced. | Istio Ambient Troubleshooting | ambient | IstioAmbientZtunnel |
| CRE-2025-0110 High Impact: 0/10 Mitigation: 0/10 | Ztunnel Traffic timeouts in Istio Ambient Mode | Detects when Istio Ambient-mode HBONE (mTLS) traffic is blocked or dropped— resulting in Ztunnel logging timeouts such as `io error: deadline has elapsed` or `connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008`. | Istio Ambient Troubleshooting | ambient | IstioAmbientZtunnel |
| CRE-2025-0111 Medium Impact: 0/10 Mitigation: 0/10 | Ztunnel IPv6 Bind Failure | Detects when Ztunnel's DNS proxy or control-plane component attempts to bind to the IPv6 loopback address `[::1]:15053` on a node where IPv6 is disabled, resulting in an `Address family not supported` error. | Istio Ambient Troubleshooting | ambient | IstioAmbientZtunnelNetwork |