have one h2 tunnel -> one h2 session in 1:1 relation with a single TOKEN
the connection isolation key consist of origin, origin attributes, tls flags, proxy info and now also the TOKEN
I think we over-isolate and we always create a new h2 session (+a connection to the proxy and a tunnel, obviously) for every new origin, container etc...
Maybe this is what we want, but I want to make sure we are aware of this issue and decide if that is really what we want from the perspective of possible scalability issues and performance.
The other option is to use one h2 session (+connection) bound to the token and let it carry create multiple tunnels to different origins (isolated normally); this means Necko changes...