Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encryption docs update #14940

Merged
merged 1 commit into from
May 7, 2021
Merged

Encryption docs update #14940

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
121 changes: 90 additions & 31 deletions Documentation/gettingstarted/encryption-ipsec.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,17 +161,19 @@ following commands:

1. Install tcpdump

.. code:: bash
.. code-block:: shell-session

apt-get update
apt-get -y install tcpdump
$ apt-get update
$ apt-get -y install tcpdump

2. Check that traffic is encrypted. In the example below, this can be verified
by the fact that packets carry the IP Encapsulating Security Payload (ESP):
by the fact that packets carry the IP Encapsulating Security Payload (ESP).
In the example below, ``eth0`` is the interface used for pod-to-pod
communication. Replace this interface with ``cilium_vxlan`` if tunneling is enabled.

.. code:: bash

tcpdump -n -i cilium_vxlan
tcpdump -n -i eth0 esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on cilium_vxlan, link-type EN10MB (Ethernet), capture size 262144 bytes
15:16:21.626416 IP 10.60.1.1 > 10.60.0.1: ESP(spi=0x00000001,seq=0x57e2), length 180
Expand Down Expand Up @@ -229,26 +231,42 @@ Troubleshooting

* Routing rules matching on fwmark:

.. code:: bash
.. code-block:: shell-session

ip rule list
$ ip rule list
1: from all fwmark 0xd00/0xf00 lookup 200
1: from all fwmark 0xe00/0xf00 lookup 200
[...]

* Content of routing table 200
* Content of routing tables

.. code:: bash
.. code:: shell-session

ip route list table 200
$ ip route list table 200
local 10.60.0.0/24 dev cilium_vxlan proto 50 scope host
10.60.1.0/24 via 10.60.0.1 dev cilium_host

In case of IPAM ENI mode, check if routing rules exist for the the IP
address of ``cilium_host`` interface..

.. code:: shell-session

$ ip addr show cilium_host
5: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default qlen 1000
link/ether 96:b1:5c:82:75:a3 brd ff:ff:ff:ff:ff:ff
inet 192.168.174.161/32 scope link cilium_host
valid_lft forever preferred_lft forever
inet6 fe80::94b1:5cff:fe82:75a3/64 scope link
valid_lft forever preferred_lft forever

$ ip rule | grep 192.168.174.161
111: from 192.168.174.161 to 192.168.0.0/16 lookup 11

* XFRM policy:

.. code:: bash
.. code-block:: shell-session

ip xfrm p
$ ip xfrm p
src 10.60.1.1/24 dst 10.60.0.1/24
dir fwd priority 0
mark 0xd00/0xf00
Expand All @@ -265,25 +283,66 @@ Troubleshooting
tmpl src 10.60.0.1 dst 10.60.1.1
proto esp spi 0x00000001 reqid 1 mode tunnel

* XFRM state:

.. code:: bash

ip xfrm s
src 10.60.0.1 dst 10.60.1.1
proto esp spi 0x00000001 reqid 1 mode tunnel
replay-window 0
auth-trunc hmac(sha256) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546 96
enc cbc(aes) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546
anti-replay context: seq 0x0, oseq 0xe0c0, bitmap 0x00000000
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.60.1.1 dst 10.60.0.1
proto esp spi 0x00000001 reqid 1 mode tunnel
replay-window 0
auth-trunc hmac(sha256) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546 96
enc cbc(aes) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 0.0.0.0/0 dst 0.0.0.0/0
* XFRM stats with state:

Check if the packets count increases as you send traffic.

Following is the output from the source node.

.. code-block:: shell-session

$ ip -s xfrm s
src 10.60.0.1 dst 10.60.1.1
proto esp spi 0x00000001 reqid 1 mode tunnel
replay-window 0
auth-trunc hmac(sha256) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546 96
enc cbc(aes) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546
anti-replay context: seq 0x0, oseq 0xe0c0, bitmap 0x00000000
sel src 0.0.0.0/0 dst 0.0.0.0/0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
9507(bytes), 137(packets)
add 2021-02-10 08:20:09 use 2021-02-10 08:30:12
stats:
replay-window 0 replay 0 failed 0

Following is the output from the destination node.

.. code-block:: shell-session

$ ip -s xfrm s
src 10.60.1.1 dst 10.60.0.1
proto esp spi 0x00000001 reqid 1 mode tunnel
replay-window 0
auth-trunc hmac(sha256) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546 96
enc cbc(aes) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546
anti-replay context: seq 0x0, oseq 0xe0c0, bitmap 0x00000000
sel src 0.0.0.0/0 dst 0.0.0.0/0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
9507(bytes), 137(packets)
add 2021-02-10 08:20:09 use 2021-02-10 08:30:12
stats:
replay-window 0 replay 0 failed 0

* BPF program to decrypt traffic:

Check if the BPF program to decrypt traffic is attached to all network facing
interfaces, or matching the configuration of ``--encrypt-interface`` (if specified).

.. code-block:: shell-session

$ tc filter show dev eth0 ingress
filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 bpf_network.o:[from-network] direct-action not_in_hw id 1145 tag 51b408acf94aa23f jited

Disabling Encryption
====================
Expand Down