WG tunneling #29000

brb · 2023-11-06T09:37:20Z

Forward port of #28917 (minus the optional flag and the strict mode removal).

When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard.

brb · 2023-11-06T09:42:37Z

/test

brb · 2023-11-06T09:57:40Z

/test

So that a src security ID can be transferred to a remote node (e.g., for netpol checks). This commit changes a pkt path when WireGuard + tunneling are enabled AND the newly introduced --wireguard-encapsulate is set. Previously, we had the following: ┌──────┐ 1. ┌──────┐ 4. │ lxc0 ├──────────────► eth0 ├──────► └──────┘ └─┬───▲┘ │ │ │ │ 2.│ │ 3. │ │ ┌───────────────┐ ┌───▼───┴────┐ │ cilium_vxlan │ │cilium_wg0 │ └───────────────┘ └────────────┘ With this change: ┌──────┐ ┌──────┐ │ lxc0 │ ┌──────────► eth0 ├─────► └───┬──┘ │ └─┬───▲┘ 5. │ │ │ │ │ │ │ │ 1.│ 2.│ 3. │ │ 4. │ │ │ │ ┌─────▼──────┴──┐ ┌───▼───┴────┐ │ cilium_vxlan │ │cilium_wg0 │ └───────────────┘ └────────────┘ A side effect of this change is that host-to-remote-pod traffic is going to be encrypted (previously it was not). The change was first made available in v1.14 [1] (controlled w/ --wireguard-encapsulate, which defaults to false). To avoid breaking connections during an upgrade from v1.14 to v1.15 (due to missing node IPs within allowed-ips), in v1.14 we populate those IPs regardless whether the feature is enabled. [1]: #28917 Signed-off-by: Martynas Pumputis <m@lambda.lt>

brb · 2023-11-06T10:54:00Z

/ci-e2e

It's going to be enabled on Cilium >= 1.15 [1]. [1]: cilium/cilium#29000 Signed-off-by: Martynas Pumputis <m@lambda.lt>

brb · 2023-11-06T13:58:49Z

/test

brb · 2023-11-06T16:42:29Z

/test

It's going to be enabled on Cilium >= 1.15 [1]. [1]: cilium/cilium#29000 Signed-off-by: Martynas Pumputis <m@lambda.lt>

To include the encryption suite changes [1] [2] [1]: cilium/cilium-cli#2055 [2]: cilium/cilium-cli#2089 Signed-off-by: Martynas Pumputis <m@lambda.lt>

Previously, the strict encrypt check [1] was running in bpf_overlay (in addition to bpf_host). That particular check was assuming that no pod-to-pod unencrypted packet should be seen by bpf_overlay. However, after the previous commit it's no longer the case. So, remove the check, and only keep the one in bpf_host. A nice side-effect of the previous commit is that for WG+tunnel we automatically enforce the strict mode w/o relying on strict_allow(). I.e., any tunnel encaped traffic is going to be dropped until cilium-agent has propogated destination node's IP addr into WG's allowed-ips list for that node. This commit also drops the WG strict mode test case for tunneling, as the test configuration is no longer applicable, and the test is going to be migrated to the CLI connectivity suite. [1]: #21856 Signed-off-by: Martynas Pumputis <m@lambda.lt>

brb · 2023-11-07T06:32:10Z

/test

Since cilium#29000 packets are always encapsulated before they are encrypted with WireGuard. Therefore, we also need to take the tunnel overhead for the route MTU into account. This fixes a performance regression. Before this commit WireGuard encrypted pod-to-pod traffic the iperf3 bandwidth was ~102 Mbits/sec. With this patch the bandwidth increases to 656 Mbits/sec. Without encryption the bandwidth is ~2 Gbits/sec. Signed-off-by: Leonard Cohnen <lc@edgeless.systems>

Since cilium#29000 packets are always encapsulated before they are encrypted with WireGuard. Therefore, we also need to take the tunnel overhead for the route MTU into account. This fixes a performance regression. Before this commit WireGuard encrypted pod-to-pod traffic the iperf3 bandwidth was ~102 Mbits/sec. With this patch the bandwidth increases to 656 Mbits/sec. Without encryption the bandwidth is ~2 Gbits/sec. Fixes: b67291f Signed-off-by: Leonard Cohnen <lc@edgeless.systems>

Since #29000 packets are always encapsulated before they are encrypted with WireGuard. Therefore, we also need to take the tunnel overhead for the route MTU into account. This fixes a performance regression. Before this commit WireGuard encrypted pod-to-pod traffic the iperf3 bandwidth was ~102 Mbits/sec. With this patch the bandwidth increases to 656 Mbits/sec. Without encryption the bandwidth is ~2 Gbits/sec. Fixes: b67291f Signed-off-by: Leonard Cohnen <lc@edgeless.systems>

[ upstream commit 44c3dd0 ] Since #29000 packets are always encapsulated before they are encrypted with WireGuard. Therefore, we also need to take the tunnel overhead for the route MTU into account. This fixes a performance regression. Before this commit WireGuard encrypted pod-to-pod traffic the iperf3 bandwidth was ~102 Mbits/sec. With this patch the bandwidth increases to 656 Mbits/sec. Without encryption the bandwidth is ~2 Gbits/sec. Fixes: b67291f Signed-off-by: Leonard Cohnen <lc@edgeless.systems> Signed-off-by: Jussi Maki <jussi@isovalent.com>

cilium#29000 changed how we mix WireGuard with VXLAN / Geneve tunneling. Reflect this in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

#29000 changed how we mix WireGuard with VXLAN / Geneve tunneling. Reflect this in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit f604ce2 ] cilium#29000 changed how we mix WireGuard with VXLAN / Geneve tunneling. Reflect this in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

julianwiedmann · 2024-03-06T07:26:54Z

Adding backport-label to account for #28917.

[ upstream commit f604ce2 ] #29000 changed how we mix WireGuard with VXLAN / Geneve tunneling. Reflect this in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

brb added kind/enhancement This would improve or streamline existing functionality. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. labels Nov 6, 2023

brb requested a review from gandro November 6, 2023 09:37

brb force-pushed the pr/brb/wg-tunnel branch from 3c4cd2a to d4868e5 Compare November 6, 2023 09:42

brb force-pushed the pr/brb/wg-tunnel branch from d4868e5 to f72480f Compare November 6, 2023 09:57

brb force-pushed the pr/brb/wg-tunnel branch from f72480f to 72c22af Compare November 6, 2023 10:50

brb added a commit to cilium/cilium-cli that referenced this pull request Nov 6, 2023

connectivity: Detect WG encap on >= 1.15

9a7a086

It's going to be enabled on Cilium >= 1.15 [1]. [1]: cilium/cilium#29000 Signed-off-by: Martynas Pumputis <m@lambda.lt>

brb mentioned this pull request Nov 6, 2023

connectivity: Detect WG encap on >= 1.15 cilium/cilium-cli#2089

Merged

brb force-pushed the pr/brb/wg-tunnel branch from 8b8ce80 to 20451b2 Compare November 6, 2023 15:33

brb marked this pull request as ready for review November 6, 2023 18:44

brb requested review from a team as code owners November 6, 2023 18:44

brb requested review from ldelossa, nebril and brlbil November 6, 2023 18:44

brb force-pushed the pr/brb/wg-tunnel branch from 20451b2 to ba2add7 Compare November 6, 2023 19:41

pchaigno pushed a commit to cilium/cilium-cli that referenced this pull request Nov 6, 2023

connectivity: Detect WG encap on >= 1.15

7013a61

It's going to be enabled on Cilium >= 1.15 [1]. [1]: cilium/cilium#29000 Signed-off-by: Martynas Pumputis <m@lambda.lt>

brb added 2 commits November 7, 2023 07:28

ci-e2e,ipsec: Bump CLI vsn

f92ffd1

To include the encryption suite changes [1] [2] [1]: cilium/cilium-cli#2055 [2]: cilium/cilium-cli#2089 Signed-off-by: Martynas Pumputis <m@lambda.lt>

brb force-pushed the pr/brb/wg-tunnel branch from ba2add7 to 3a54baf Compare November 7, 2023 06:29

aanm merged commit 81c45d2 into main Nov 7, 2023
220 checks passed

aanm deleted the pr/brb/wg-tunnel branch November 7, 2023 10:09

maintainer-s-little-helper bot removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Nov 7, 2023

brb mentioned this pull request Nov 7, 2023

CI: Conformance E2E (ci-e2e) - [pod-to-pod-encryption] + [node-to-node-encryption] #29029

Closed

This was referenced Nov 7, 2023

Extended Clustermesh (Clustermesh511) #27520

Merged

CI: Conformance E2E Setup & Test (9, 5.10-20231026.065108...) #29061

Closed

3u13r mentioned this pull request Jan 18, 2024

Network performance with Wireguard extremely poor #28413

Open

2 tasks

3u13r mentioned this pull request Jan 18, 2024

wireguard: also account for tunnel overhead #30329

Merged

julianwiedmann added the feature/wireguard Relates to Cilium's Wireguard feature label Mar 1, 2024

julianwiedmann mentioned this pull request Mar 1, 2024

docs: update note on WireGuard with tunnel routing #31083

Merged

github-merge-queue bot pushed a commit that referenced this pull request Mar 4, 2024

docs: update note on WireGuard with tunnel routing

f604ce2

#29000 changed how we mix WireGuard with VXLAN / Geneve tunneling. Reflect this in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

julianwiedmann added the backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. label Mar 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WG tunneling #29000

WG tunneling #29000

brb commented Nov 6, 2023 •

edited

brb commented Nov 6, 2023

brb commented Nov 6, 2023

brb commented Nov 6, 2023

brb commented Nov 6, 2023

brb commented Nov 6, 2023

brb commented Nov 7, 2023

julianwiedmann commented Mar 6, 2024

WG tunneling #29000

WG tunneling #29000

Conversation

brb commented Nov 6, 2023 • edited

brb commented Nov 6, 2023

brb commented Nov 6, 2023

brb commented Nov 6, 2023

brb commented Nov 6, 2023

brb commented Nov 6, 2023

brb commented Nov 7, 2023

julianwiedmann commented Mar 6, 2024

brb commented Nov 6, 2023 •

edited