BPF: Encrypted Overlay Support #31073
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ldelossa
added
sig/datapath
ldelossa
requested review from
julianwiedmann,
brb,
a team and
lambdanis
and removed request for
a team
ldelossa
commented
Feb 29, 2024
ldelossa
force-pushed
the
ldelossa/encrypted-overlay-oss
branch
2 times, most recently
from
b5f0705
to
ceb1eec
Compare
|
/test |
ldelossa
force-pushed
the
ldelossa/encrypted-overlay-oss
branch
2 times, most recently
from
f2f6671
to
9433bad
Compare
pchaigno
added
release-note/major
pchaigno
reviewed
Mar 1, 2024
kaworu
requested changes
Mar 1, 2024
There was a problem hiding this comment.
Thanks for the PR @ldelossa, on the Hubble side:
- Please add
TraceReasonEncryptOverlayintroduced by this PR inTraceReasonIsEncap. That way the corresponding Hubble flow won't have theIsReplyfield set. The test case should be similar to SRV6 encap, except that theSourceshould behostEPinstead (since this trace is emitted frombpf_host.c). - I'm not sure whether
decodeTrafficDirectionwill correctly infer EGRESS for the corresponding flow. Can you runhubble observe -o jsonand see what theTraceReasonCtReplyflow looks like? If shown as INGRESS, please add a comment indecodeTrafficDirectionstating that it is currently broken for this particular trace reason 🙏
|
discussion with @joestringer lead to the following suggested changes:
These suggestions are to mitigate any shenanigans that could occur from leaking nonsensical VXLAN ids. |
joestringer
reviewed
Mar 1, 2024
ldelossa
force-pushed
the
ldelossa/encrypted-overlay-oss
branch
from
9433bad
to
a01c9d1
Compare
1 task
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Mar 6, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
ldelossa
force-pushed
the
ldelossa/encrypted-overlay-oss
branch
from
a01c9d1
to
27ef8dc
Compare
julianwiedmann
approved these changes
Mar 26, 2024
This comment was marked as outdated.
This comment was marked as outdated.
pchaigno
approved these changes
Mar 26, 2024
This comment was marked as outdated.
This comment was marked as outdated.
|
@ldelossa We just merged the IPsec fixes so there's a conflict. Ping me on Slack if you need help on that. |
This commit adds a new reserved security identity for signaling overlay traffic which must be IPSec encrypted. When the eBPF datapath encounters an egress packet with this security identity in an overlay header (currently only VXLan supported) it will subject the packet to IPSec encryption and rewrite the overlay header with the correct security identity before the packet leaves the host. Therefore, this identity should NEVER be seen on traffic ingress or egress the node from the network. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
This commits and both the agent and datapath flag required to enable the "Encrypted Overlay" feature. The datapath will use ENABLE_ENCRYPTED_OVERLAY feature flag. The agent will use "encryption.ipsec.encryptOverlay" Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
|
@pchaigno handling this now, the diff looks pretty simple on my end. Just a change in includes in Just pushed conflict resolution. |
This commit introduces the ability to encrypt overlay traffic before it leaves the host. The 'cil_to_netdev' function is updated to sniff into overlay packets (only VXLAN supported for now) and determine if the ENCRYPTED_OVERLAY_ID security identifier is present in the overlay's header. If it is, a new function in encrypt.h will set the appropriate packet mark on the skb and redirect the packet to the ingress of the interface it was egressing on. When the packet is seen on the ingress side of the device it will be submitted to the XFRM hooks in the output routing path and the XFRM subsystem will encrypt the packet. Subsequent changes to the IPSec control plane to create the appropriate states and policies to support this are required. Signed-off-by: ldelossa <louis.delos@isovalent.com>
Add a trace notification when we are redirecting a packet back into the stack for XFRM encryption. Trace example: -> stack flow 0xc218244b , identity unknown->unknown state encrypt-overlay ifindex 0 orig-ip 0.0.0.0: 172.18.0.3:58167 -> 172.18.0.2:8472 udp Signed-off-by: ldelossa <louis.delos@isovalent.com>
Add unit tests for new vxlan helper functions in tunnel.h Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
ldelossa
force-pushed
the
ldelossa/encrypted-overlay-oss
branch
from
40d4347
to
bcd5eec
Compare
|
/test |
|
https://github.com/cilium/cilium/actions/runs/8437738465 is failing, but this is an unrelated error. Marking this PR as ready to merge. |
ldelossa
added
the
ready-to-merge
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Mar 27, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Apr 10, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Apr 19, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Apr 19, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Apr 22, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Apr 23, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Apr 26, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu
added a commit
to kaworu/cilium
that referenced
this pull request
Apr 30, 2024
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request implements the data-path side of "Encrypted Overlay" support.
"Encrypted Overlay" allows Cilium to IPSec encrypt overlay traffic and deliver the encrypted overlay traffic to a remote node via IPSec tunnel.
A subsequent PR will follow which enables this in the IPSec control plane, creating the necessary policies and states to configure the tunnel source and destination addresses correctly.
This feature is useful when an application's traffic destined for a remote host cannot be routed into the XFRM netfilter hooks for various reasons.
In these cases we can first encapsulate the traffic in VXLAN, catch it at the egress interface, and recirculate the packet back into the system, at which point the traffic looks like unicast traffic that should be routed off host (and XFRM will be applied at this point).
It's important to note that the following sysctl configs must be applied to any interfaces which tunnels traffic toward a remote node for this to work