New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BPF: Encrypted Overlay Support #31073
BPF: Encrypted Overlay Support #31073
Conversation
b5f0705
to
ceb1eec
Compare
/test |
f2f6671
to
9433bad
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cilium/wireguard changes LGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Neat pull request! I really like the code comments 🙂
Couple comments below. IIUC, I think there's an issue with the SPI and security identity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @ldelossa, on the Hubble side:
- Please add
TraceReasonEncryptOverlay
introduced by this PR inTraceReasonIsEncap
. That way the corresponding Hubble flow won't have theIsReply
field set. The test case should be similar to SRV6 encap, except that theSource
should behostEP
instead (since this trace is emitted frombpf_host.c
). - I'm not sure whether
decodeTrafficDirection
will correctly infer EGRESS for the corresponding flow. Can you runhubble observe -o json
and see what theTraceReasonCtReply
flow looks like? If shown as INGRESS, please add a comment indecodeTrafficDirection
stating that it is currently broken for this particular trace reason 🙏
discussion with @joestringer lead to the following suggested changes:
These suggestions are to mitigate any shenanigans that could occur from leaking nonsensical VXLAN ids. |
9433bad
to
a01c9d1
Compare
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
a01c9d1
to
27ef8dc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good, thank you!
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
@ldelossa We just merged the IPsec fixes so there's a conflict. Ping me on Slack if you need help on that. |
This commit adds a new reserved security identity for signaling overlay traffic which must be IPSec encrypted. When the eBPF datapath encounters an egress packet with this security identity in an overlay header (currently only VXLan supported) it will subject the packet to IPSec encryption and rewrite the overlay header with the correct security identity before the packet leaves the host. Therefore, this identity should NEVER be seen on traffic ingress or egress the node from the network. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
This commits and both the agent and datapath flag required to enable the "Encrypted Overlay" feature. The datapath will use ENABLE_ENCRYPTED_OVERLAY feature flag. The agent will use "encryption.ipsec.encryptOverlay" Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
@pchaigno handling this now, the diff looks pretty simple on my end. Just a change in includes in Just pushed conflict resolution. |
This commit introduces the ability to encrypt overlay traffic before it leaves the host. The 'cil_to_netdev' function is updated to sniff into overlay packets (only VXLAN supported for now) and determine if the ENCRYPTED_OVERLAY_ID security identifier is present in the overlay's header. If it is, a new function in encrypt.h will set the appropriate packet mark on the skb and redirect the packet to the ingress of the interface it was egressing on. When the packet is seen on the ingress side of the device it will be submitted to the XFRM hooks in the output routing path and the XFRM subsystem will encrypt the packet. Subsequent changes to the IPSec control plane to create the appropriate states and policies to support this are required. Signed-off-by: ldelossa <louis.delos@isovalent.com>
Add a trace notification when we are redirecting a packet back into the stack for XFRM encryption. Trace example: -> stack flow 0xc218244b , identity unknown->unknown state encrypt-overlay ifindex 0 orig-ip 0.0.0.0: 172.18.0.3:58167 -> 172.18.0.2:8472 udp Signed-off-by: ldelossa <louis.delos@isovalent.com>
Add unit tests for new vxlan helper functions in tunnel.h Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
40d4347
to
bcd5eec
Compare
/test |
https://github.com/cilium/cilium/actions/runs/8437738465 is failing, but this is an unrelated error. Marking this PR as ready to merge. |
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
cilium#30154 and cilium#31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
This pull request implements the data-path side of "Encrypted Overlay" support.
"Encrypted Overlay" allows Cilium to IPSec encrypt overlay traffic and deliver the encrypted overlay traffic to a remote node via IPSec tunnel.
A subsequent PR will follow which enables this in the IPSec control plane, creating the necessary policies and states to configure the tunnel source and destination addresses correctly.
This feature is useful when an application's traffic destined for a remote host cannot be routed into the XFRM netfilter hooks for various reasons.
In these cases we can first encapsulate the traffic in VXLAN, catch it at the egress interface, and recirculate the packet back into the system, at which point the traffic looks like unicast traffic that should be routed off host (and XFRM will be applied at this point).
It's important to note that the following sysctl configs must be applied to any interfaces which tunnels traffic toward a remote node for this to work