Optional encryption #1758
Optional encryption #1758
Conversation
| @@ -27,7 +27,7 @@ var rootTemplate = template.New("root").Funcs(map[string]interface{}{ | |||
| } | |||
| return count | |||
| }, | |||
| "upstreamServers": func(servers []string) string { | |||
| "printList": func(servers []string) string { | |||
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
awh
force-pushed
the
issues/82-optional-encryption
branch
from
89af6cd
to
d6d36d7
Compare
|
I highly recommend "?w=1" for viewing the diff. |
This is why I submitted the whitespace change in a separate commit and recommended reviewing commits individually... |
awh
force-pushed
the
issues/82-optional-encryption
branch
2 times, most recently
from
f509aff
to
a910bdc
Compare
|
Why did we want to "restore leading whitespace"? |
|
The weave routers in GCE connect to each other's private (GCE internal) IP addresses, so we need to resolve their hostnames on the VMs themselves to get the correct trusted subnets.
Ah go on then 😄 |
|
I believe I have addressed all comments except the one about trailing curly braces, which I think merits discussion outside of this PR. Will autosquash when you're ready to merge. |
|
LGTM; please squash commits. |
awh
force-pushed
the
issues/82-optional-encryption
branch
from
4f1c362
to
b1d790f
Compare
|
Don't merge - I've found an issue with the overlay switch change. |
There was actually no need to stop any forwarders at all - now we just record the overlay name in the subforwarder structure (no actual need to do this, but it seemed neater) and continue; PTAL. Will squash again when ready. |
|
LGTM |
awh
force-pushed
the
issues/82-optional-encryption
branch
from
760b831
to
629a77e
Compare
| finished <-chan struct{} // closed to signal that actorLoop has finished | ||
| OverlayConn OverlayConnection | ||
| TrustRemote bool // is remote on a trusted subnet? | ||
| TrustedByRemote bool // does remote trust us? |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
Add a 'Trusted' feature to the protocol exchange which indicates whether the remote considers us to be reachable via a secure network; overlay encryption will be disabled in the event that both peers agree. For backwards compatibility purposes a default value of untrusted is assumed if the feature is missing.
If overlay encryption is required between peers, the fast datapath forwarder returns an error rather than aborting the process, allowing the overlay switch to fall back gracefully to an encrypted sleeve overlay connection.
`weave status` now displays the list of specified trusted subnets, and `weave staus connections` shows the encryption state of individual connections.
Update features and troubleshooting markdown.
awh
force-pushed
the
issues/82-optional-encryption
branch
from
629a77e
to
85d4b1f
Compare
|
I have added #1788 to the 'fixes' list for this PR, as it is addressed by the commit that disables the pcap optimisation. |
awh
force-pushed
the
issues/82-optional-encryption
branch
from
7d43ecc
to
ba9db8e
Compare
Prior to optional encryption support, enabling encryption disabled the fast datapath overlay (because it doesn't support encryption) but left the OVS datapath netdev in place for bridging (so that users could switch encryption on and off without resetting the bridge). In this situation the ODP miss handler is guaranteed to be invoked for every packet, so as an optimisation the weave script configured the router to use pcap to capture packets from the bridge as that is slightly more efficient. The introduction of optional encryption means the guarantee no longer holds, and so the optimisation must be removed.
awh
force-pushed
the
issues/82-optional-encryption
branch
from
ba9db8e
to
e12dbb4
Compare
As of e12dbb4 (#1758) we no longer force the usage of pcap when encryption is enabled. Hence... - we no longer need to figure out whether the router was started with a password when re-attaching it from the proxy. We therefore remove the code for that. - there is no longer any mode in which we pass both `--datapath` and `--iface` options to the router. Previously this would only happen when encryption was enabled and the only overlay used for connections was sleeve. It is not clear what the behaviour is when these conditions do not hold, so, to be safe, we prevent the specification of both flags.
This PR adds support for optional encryption via the
--trusted-subnetsargument toweave launch. Whilst the control plane is always secured when a password is specified, peers will forego authenticated encryption on the overlay (data plane) connection between them only if both consider the other to be located on a trusted subnet.I recommend that the commits are reviewed individually in sequence; most commit messages contain further explanatory text.
Fixes #82, #1788.