IPsec key rotation command. #2266
Conversation
viktor-kurchenko
force-pushed
the
pr/vk/encryption/rotate-key
branch
from
7748386
to
7df30d1
Compare
There was a problem hiding this comment.
Thanks! Regarding the ipsecKeyFromString function, this PR takes care of keys like 3 rfc4106(gcm(aes)) 3c7ae6f6c0e9a09255fce39440df90619514709e 128. However, cilium can also accept a key with other formats.
I think these have been in your plan, just a reminder. 👍
I've added other key format support. |
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> Please enter the commit message for your changes. Lines starting Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
SPI suffix added to support SPI with `+` sign. Tests added. Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
viktor-kurchenko
force-pushed
the
pr/vk/encryption/rotate-key
branch
from
c8061d9
to
2a6ff2d
Compare
There was a problem hiding this comment.
In the secret format with five fields,
3 hmac(sha256) e6b4bab427cd37bb64b39cd66a8476a62963174b78bc544fb525f4c2f548342b cbc(aes) 0f12337d9ee75095ff21402dc98476f5f9107261073b70bb37747237d2691d3e
the first field is the SPI, the second field is the authentication algorithm, the third field is the authentication key, the fourth field is the symmetric encryption mode, and the fifth field is the symmetric encryption key.
For symmetric encryption mode cbc(aes) means AES using the Cipher Block Chaining mode. There are many other valid algorithm choices and modes, such as ctr(aes), Counter Mode, or xctr(aes), an optimized implementation of Counter Mode. Other ciphers besides AES are also possible, although not available with typical kernel configs.
The reason that GCM has fewer parameters is that it's a mode of encryption that performs a hash and encipherment simultaneously.
All this is to say that your struct should not call the latter parameters cbcAlgo, and cbcRandom, these are the cipherMode and encryptionKey
Thank you for the explanation @asauber. correct? |
|
My recommendation would be: |
viktor-kurchenko
force-pushed
the
pr/vk/encryption/rotate-key
branch
from
2a6ff2d
to
ec0b6cb
Compare
Fixed, thank you! |
encrypt/ipsec_rotate_key.go
Outdated
| return key, nil | ||
| } | ||
|
|
||
| func cbcKeyFromSlice(parts []string) (ipsecKey, error) { |
There was a problem hiding this comment.
This function name (and other instances of "cbc") should be changed to cipherKeyFromSlice or similar.
encrypt/ipsec_rotate_key.go
Outdated
| } | ||
|
|
||
| var ( | ||
| ipsecKeyRegex = regexp.MustCompile(`^([[:digit:]]+\+?)[[:space:]](\S+)[[:space:]]([[:alnum:]]+)[[:space:]]([[:digit:]]+)$`) |
There was a problem hiding this comment.
Many security issues (CVEs) are the result of imprecise parsing, with Regex often being implicated.
The related threat model here is that an attacker can somehow control the ipsec key Kubernetes secret, which may make such hardening out of scope, although it is something that should be considered.
There was a problem hiding this comment.
So, do you think we should avoid using regexp and parse it like a CSV string instead?
There was a problem hiding this comment.
My gut feeling is that this is more precise than a simple field split, and is fine for now given the threat model.
viktor-kurchenko
force-pushed
the
pr/vk/encryption/rotate-key
branch
from
ec0b6cb
to
f8e6d45
Compare
encrypt/ipsec_rotate_key.go
Outdated
| return newKey, nil | ||
| } | ||
|
|
||
| func generateRandom(size int) (string, error) { |
There was a problem hiding this comment.
Because this size is the length of a hex string, and not a number of bytes, this function is better named generateRandomHex. Otherwise, it's unclear that the size is a number of nybbles.
There was a problem hiding this comment.
Makes sense, renamed. Thank you!
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
viktor-kurchenko
force-pushed
the
pr/vk/encryption/rotate-key
branch
from
f8e6d45
to
c60d49c
Compare
viktor-kurchenko
added
the
ready-to-merge
GitHub Pull Request: #623 chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.15) [](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [cilium/cilium-cli](https://togithub.com/cilium/cilium-cli) | | patch | `v0.15.22` -> `v0.15.23` | | [cilium/cilium-cli](https://togithub.com/cilium/cilium-cli) | action | patch | `v0.15.22` -> `v0.15.23` | --- ### Release Notes <details> <summary>cilium/cilium-cli (cilium/cilium-cli)</summary> ### [`v0.15.23`](https://togithub.com/cilium/cilium-cli/releases/tag/v0.15.23) [Compare Source](https://togithub.com/cilium/cilium-cli/compare/v0.15.22...v0.15.23) #### What's Changed - gateway: Upgrade API version by [@&cilium#8203;sayboras](https://togithub.com/sayboras) in [cilium/cilium-cli#2285 - chore(deps): update dependency kubernetes-sigs/kind to v0.21.0 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [cilium/cilium-cli#2284 - IPsec key rotation command. by [@&cilium#8203;viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [cilium/cilium-cli#2266 - IPsec key status command implementation. by [@&cilium#8203;viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [cilium/cilium-cli#2287 - AWS OIDC instead of access key. by [@&cilium#8203;viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [cilium/cilium-cli#2297 - Remove no longer necessary step from the external workloads installation script generation process by [@&cilium#8203;giorio94](https://togithub.com/giorio94) in [cilium/cilium-cli#2275 - Enable no-errors-in-logs check by default, and extend it to all Cilium components by [@&cilium#8203;giorio94](https://togithub.com/giorio94) in [cilium/cilium-cli#2184 - chore(deps): update golangci/golangci-lint-action action to v4 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [cilium/cilium-cli#2295 - chore(deps): update helm/kind-action action to v1.9.0 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [cilium/cilium-cli#2296 - chore(deps): update golang docker tag to v1.22.0 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [cilium/cilium-cli#2289 - fix(deps): update module golang.org/x/mod to v0.15.0 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [cilium/cilium-cli#2294 - chore(deps): update go to v1.22.0 (minor) by [@&cilium#8203;renovate](https://togithub.com/renovate) in [cilium/cilium-cli#2293 - chore(deps): update all github action dependencies (patch) by [@&cilium#8203;renovate](https://togithub.com/renovate) in [cilium/cilium-cli#2286 - chore(deps): update golangci/golangci-lint docker tag to v1.56.1 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [cilium/cilium-cli#2290 - IPsec key rotation with algorithm change support. by [@&cilium#8203;viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [cilium/cilium-cli#2291 - chore: Amend connectivity tests for OpenShift by [@&cilium#8203;fgiloux](https://togithub.com/fgiloux) in [cilium/cilium-cli#2303 - Increase timeouts in AKS and GKE GHA workflows by [@&cilium#8203;giorio94](https://togithub.com/giorio94) in [cilium/cilium-cli#2307 - gha: increase GKE disk size in external workloads workflow to 15GB by [@&cilium#8203;giorio94](https://togithub.com/giorio94) in [cilium/cilium-cli#2301 - Prepare for v0.15.23 release by [@&cilium#8203;michi-covalent](https://togithub.com/michi-covalent) in [cilium/cilium-cli#2302 #### New Contributors - [@&cilium#8203;fgiloux](https://togithub.com/fgiloux) made their first contribution in [cilium/cilium-cli#2303 **Full Changelog**: cilium/cilium-cli@v0.15.22...v0.15.23 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/aanm/cilium). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMjAuMiIsInVwZGF0ZWRJblZlciI6IjM3LjIyMC4yIiwidGFyZ2V0QnJhbmNoIjoidjEuMTUifQ==--> Patch-set: 1 Change-id: I515325620aa4905df61d31323487f6936237e3a5 Subject: chore(deps): update dependency cilium/cilium-cli to v0.15.23 Branch: refs/heads/v1.15 Status: new Topic: Commit: 7c37f7d Tag: autogenerated:gerrit:newPatchSet Groups: 7c37f7d Private: false Work-in-progress: false
](https://renovatebot.com){kind=link}
encryption rotate-keycommand implementation to address: cilium/cilium#28174