ipsec: Fix xfrm output mask #14381
Merged
ipsec: Fix xfrm output mask #14381
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pchaigno
added
kind/bug
pchaigno
force-pushed
the
pr/pchaigno/fix-xfrm-outputmark-mask
branch
2 times, most recently
from
54752d3
to
9758513
Compare
|
Are there any valid cases where we would be sending over zero identities over tunnel header? In other words, can we distinguish between a set/unset identity? |
jrfastab
reviewed
Dec 12, 2020
|
Other than small nit about using the default value RouteMarkMask LGTM |
pchaigno
force-pushed
the
pr/pchaigno/fix-xfrm-outputmark-mask
branch
from
9758513
to
3c0387e
Compare
pchaigno
added
the
area/encryption
I can't think of any. If we fail to resolve an identity we should fallback to Are you thinking we could fallback to an ipcache lookup at the destination node if the identity is unset? That might work, but (1) I'm not sure we always have all the identities on the remote ipcaches and (2) we would need to consider the complexity impact. |
I was thinking more from detecting such error conditions. Perhaps we can log a warning? |
Could be a topic for the next SIG Datapath meeting? It would definitely help uncovering such bugs in CI. It may be a bit hard to implement though because we either need to trace traffic from time to time and know which identity should be non-zero, or we need to extend the datapath to report such cases. Maybe there's a middle ground where we point those out in the |
|
An observation, and So using IPsecMarkMask is slightly different from original patch. LGTM though. |
jrfastab
approved these changes
Dec 13, 2020
pchaigno
force-pushed
the
pr/pchaigno/fix-xfrm-outputmark-mask
branch
from
3c0387e
to
b4bdba9
Compare
pchaigno
removed
the
dont-merge/blocked
Commit b6f2e75 set the xfrm output mark for the tunneling mode, but did not set a mask. As a result, the packet mark is zeroed before writing the new mark value, clearing our source security context. In particular, this loss of security context happen when packets are passed from the lxc devices to cilium_host via the stack. We then receive a zero source identity in bpf_host and transmit it over the tunnel to the destination nodes. That causes policy deny drops on remote nodes when policies are enforced. The bug can be observed by tracing the packets leaving the containers on the source node. The source identity becomes unknown when it leaves cilium_host (-> overlay trace event): <- endpoint 684 flow 0x10b975f7 identity 14765->unknown state new ifindex 0 orig-ip 0.0.0.0: 10.0.1.68:41856 -> 10.0.0.206:80 tcp SYN -> stack flow 0x10b975f7 identity 14765->30552 state new ifindex 0 orig-ip 0.0.0.0: 10.0.1.68:41856 -> 10.0.0.206:80 tcp SYN -> overlay flow 0x10b975f7 identity unknown->unknown state new ifindex cilium_vxlan orig-ip 0.0.0.0: 10.0.1.122 -> 10.0.0.184 This commit fixes the bug by setting the mask appropriately. That requires us to temporarily use our cilium/netlink fork which has support for setting the output mask [1], until that support is upstreamed. 1 - https://github.com/cilium/netlink/tree/outputmark-mask Fixes: b6f2e75 ("cilium: set output mark for tunnel case") Suggested-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
force-pushed
the
pr/pchaigno/fix-xfrm-outputmark-mask
branch
from
b4bdba9
to
616cef3
Compare
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.9
in 1.9.2
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.9
in 1.9.2
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.8
in 1.8.7
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.8
in 1.8.7
maintainer-s-little-helper
bot
moved this from Backport pending to v1.9
to Backport done to v1.9
in 1.9.2
maintainer-s-little-helper
bot
moved this from Backport pending to v1.9
to Backport done to v1.9
in 1.9.2
pchaigno
added a commit
that referenced
this pull request
Jan 5, 2021
When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io>
maintainer-s-little-helper
bot
moved this from Backport pending to v1.8
to Backport done to v1.8
in 1.8.7
maintainer-s-little-helper
bot
moved this from Backport pending to v1.8
to Backport done to v1.8
in 1.8.7
pchaigno
added a commit
that referenced
this pull request
Jan 11, 2021
When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io>
nathanjsweet
pushed a commit
that referenced
this pull request
Jan 11, 2021
[ upstream commit 1870713 ] When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
nathanjsweet
pushed a commit
that referenced
this pull request
Jan 11, 2021
[ upstream commit 1870713 ] When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
gandro
pushed a commit
that referenced
this pull request
Jan 13, 2021
[ upstream commit 1870713 ] When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
aanm
pushed a commit
that referenced
this pull request
Jan 13, 2021
[ upstream commit 1870713 ] When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
First commit temporarily uses our netlink fork to be able to set the xfrm output mask. Second commit sets said mask in our xfrm rules. See commit messages for details.
I tested by applying the following diff to our existing test and manually checking the source identity is preserved when making requests between nodes: