safe retry on reset

[rgs1]

We currently support retrying after an upstream reset, but this could happen after the request has been seen -- partially or totally -- by the upstream:

https://github.com/envoyproxy/envoy/blob/master/source/common/router/router.cc#L966

at which point, it might be unsafe to retry. Note only downstream_response_started_ is checked for, we are not checking if the request was sent out already.

Would something like reset-before-request make sense? We currently have this issue, where we have an upstream that closes idle connections just before we start sending the request. But it can't currently be retried, because it would only be safe to retry on connect-failure.

cc: @mattklein123 @derekargueta @fishcakez