More secure kernel settings #250

mcgege · 2020-12-02T12:35:07Z

Following Telekom security requirement linux-15

Signed-off-by: Michael Geiger <info@mgeiger.de>

mvisonneau · 2020-12-22T09:34:44Z

👋 hey @mcgege, thanks for these improvements. I ran onto a situation when using net.ipv4.conf.all.arp_ignore=2 in conjunction with Cilium. I believe it could still be interesting to have the capability to keep it to net.ipv4.conf.all.arp_ignore=1 if necessary 🤔

~$ nsenter --net=/var/run/netns/cni-b8b6dc33-1875-e32d-c730-f3da8f2c21f9 tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:03:48.297180 IP ip-10-16-38-213.eu-west-1.compute.internal.47022 > ip-10-16-96-50.eu-west-1.compute.internal.https: Flags [S], seq 2712694359, win 62727, options [mss 8961,sackOK,TS val 1199655564 ecr 0,nop,wscale 7], length 0
22:03:48.297963 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:49.327777 IP ip-10-16-38-213.eu-west-1.compute.internal.47022 > ip-10-16-96-50.eu-west-1.compute.internal.https: Flags [S], seq 2712694359, win 62727, options [mss 8961,sackOK,TS val 1199656595 ecr 0,nop,wscale 7], length 0
22:03:49.327888 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:50.351809 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:51.343794 IP ip-10-16-38-213.eu-west-1.compute.internal.47022 > ip-10-16-96-50.eu-west-1.compute.internal.https: Flags [S], seq 2712694359, win 62727, options [mss 8961,sackOK,TS val 1199658611 ecr 0,nop,wscale 7], length 0
22:03:53.713681 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:54.735780 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:55.471780 IP ip-10-16-38-213.eu-west-1.compute.internal.47022 > ip-10-16-96-50.eu-west-1.compute.internal.https: Flags [S], seq 2712694359, win 62727, options [mss 8961,sackOK,TS val 1199662739 ecr 0,nop,wscale 7], length 0
22:03:55.759789 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28

mcgege · 2020-12-26T11:46:37Z

@mvisonneau Sorry for the problems with this change ... we have some discussion now on this here, please be patient

mcgege · 2020-12-27T15:01:08Z

@mvisonneau Will bring back the old default of 1 with #256

mvisonneau · 2020-12-31T14:20:14Z

awesome, thanks a lot @mcgege 🙇

mcgege added 2 commits December 2, 2020 13:27

secure_redirects should be set to 1 (default)

dc96440

Signed-off-by: Michael Geiger <info@mgeiger.de>

set arp_ignore to "2" if arp_restricted (more secure)

bbfd55b

Signed-off-by: Michael Geiger <info@mgeiger.de>

mcgege added the enhancement label Dec 2, 2020

mcgege merged commit c1ee949 into master Dec 2, 2020

mcgege deleted the linux-15 branch December 3, 2020 08:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

More secure kernel settings #250

More secure kernel settings #250

mcgege commented Dec 2, 2020

mvisonneau commented Dec 22, 2020 •

edited

Loading

mcgege commented Dec 26, 2020

mcgege commented Dec 27, 2020

mvisonneau commented Dec 31, 2020

More secure kernel settings #250

More secure kernel settings #250

Conversation

mcgege commented Dec 2, 2020

mvisonneau commented Dec 22, 2020 • edited Loading

mcgege commented Dec 26, 2020

mcgege commented Dec 27, 2020

mvisonneau commented Dec 31, 2020

mvisonneau commented Dec 22, 2020 •

edited

Loading