Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove MaxConcurrentStreams in the proxy peering gRPC server. #39218

Merged
merged 1 commit into from
Mar 12, 2024
Merged

Remove MaxConcurrentStreams in the proxy peering gRPC server. #39218

merged 1 commit into from
Mar 12, 2024

Conversation

espadolini
Copy link
Contributor

@espadolini espadolini commented Mar 11, 2024
edited

The mitigation for CVE-2023-44487 added a limit of 1000 concurrent streams to all gRPC servers used in Teleport; this PR removes that limit for the proxy peering gRPC server.

The proxy peering server uses transport authentication to check that the client is using valid credentials for a builtin Proxy role in the same cluster (i.e. it's another proxy server), and it's very unique in that the single gRPC service handled by the server consists of a single bidirectional rpc used to forward connections - with potentially unbounded duration - between proxy servers. With this limit in place, new connections across any given pair of proxy servers will start timing out once there's 1000 already active connections. In Teleport Cloud, because there's two proxies in each region by default, this results in timeouts at 3900 or so connections, which is lower than what the Cloud platform was previously tested to be able to handle.

changelog: raised concurrent connection limits between Teleport Cloud regions and in clusters that use proxy peering

@espadolini espadolini requested a review from jentfoo March 11, 2024 22:55
@github-actions github-actions bot requested review from jakule and rudream March 11, 2024 22:55
@gravitational gravitational deleted a comment from github-actions bot Mar 11, 2024
@zmb3
Copy link
Collaborator

zmb3 commented Mar 11, 2024

Nice find @espadolini!

@espadolini espadolini added this pull request to the merge queue Mar 12, 2024
Merged via the queue into master with commit 6629d9a Mar 12, 2024
40 of 41 checks passed
@espadolini espadolini deleted the espadolini/proxy-peering-concurrent-streams branch March 12, 2024 02:56
@public-teleport-github-review-bot
Copy link

@espadolini See the table below for backport results.

Branch Result
branch/v13 Create PR
branch/v14 Create PR
branch/v15 Create PR

This was referenced Mar 12, 2024
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jentfoo jentfoo jentfoo approved these changes

@zmb3 zmb3 zmb3 approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees
No one assigned
Labels
backport/branch/v13 backport/branch/v14 backport/branch/v15 size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@espadolini @zmb3 @jentfoo @rosstimothy