-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ipsec: Fix xfrm output mask #14381
ipsec: Fix xfrm output mask #14381
Conversation
54752d3
to
9758513
Compare
Are there any valid cases where we would be sending over zero identities over tunnel header? In other words, can we distinguish between a set/unset identity? |
Other than small nit about using the default value RouteMarkMask LGTM |
9758513
to
3c0387e
Compare
I can't think of any. If we fail to resolve an identity we should fallback to Are you thinking we could fallback to an ipcache lookup at the destination node if the identity is unset? That might work, but (1) I'm not sure we always have all the identities on the remote ipcaches and (2) we would need to consider the complexity impact. |
I was thinking more from detecting such error conditions. Perhaps we can log a warning? |
Could be a topic for the next SIG Datapath meeting? It would definitely help uncovering such bugs in CI. It may be a bit hard to implement though because we either need to trace traffic from time to time and know which identity should be non-zero, or we need to extend the datapath to report such cases. Maybe there's a middle ground where we point those out in the |
An observation,
and
So using IPsecMarkMask is slightly different from original patch. LGTM though. |
3c0387e
to
b4bdba9
Compare
Commit b6f2e75 set the xfrm output mark for the tunneling mode, but did not set a mask. As a result, the packet mark is zeroed before writing the new mark value, clearing our source security context. In particular, this loss of security context happen when packets are passed from the lxc devices to cilium_host via the stack. We then receive a zero source identity in bpf_host and transmit it over the tunnel to the destination nodes. That causes policy deny drops on remote nodes when policies are enforced. The bug can be observed by tracing the packets leaving the containers on the source node. The source identity becomes unknown when it leaves cilium_host (-> overlay trace event): <- endpoint 684 flow 0x10b975f7 identity 14765->unknown state new ifindex 0 orig-ip 0.0.0.0: 10.0.1.68:41856 -> 10.0.0.206:80 tcp SYN -> stack flow 0x10b975f7 identity 14765->30552 state new ifindex 0 orig-ip 0.0.0.0: 10.0.1.68:41856 -> 10.0.0.206:80 tcp SYN -> overlay flow 0x10b975f7 identity unknown->unknown state new ifindex cilium_vxlan orig-ip 0.0.0.0: 10.0.1.122 -> 10.0.0.184 This commit fixes the bug by setting the mask appropriately. That requires us to temporarily use our cilium/netlink fork which has support for setting the output mask [1], until that support is upstreamed. 1 - https://github.com/cilium/netlink/tree/outputmark-mask Fixes: b6f2e75 ("cilium: set output mark for tunnel case") Suggested-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Paul Chaignon <paul@cilium.io>
b4bdba9
to
616cef3
Compare
When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io>
When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io>
[ upstream commit 1870713 ] When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
[ upstream commit 1870713 ] When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
[ upstream commit 1870713 ] When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
[ upstream commit 1870713 ] When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old. The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
First commit temporarily uses our netlink fork to be able to set the xfrm output mask. Second commit sets said mask in our xfrm rules. See commit messages for details.
I tested by applying the following diff to our existing test and manually checking the source identity is preserved when making requests between nodes: