Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ipsec: Change XFRM FWD policy to simplest wildcard #25953

Merged
merged 2 commits into from
Jun 9, 2023
Merged

ipsec: Change XFRM FWD policy to simplest wildcard #25953

merged 2 commits into from
Jun 9, 2023

Conversation

pchaigno
Copy link
Member

@pchaigno pchaigno commented Jun 6, 2023
edited

This fixes the XFRM FWD policies and the IPv6 catch-all default-drop policy. See commits.

Fixes: #24030.

Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted.
Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug.

@pchaigno pchaigno added release-note/bug This PR fixes an issue in a previous release of Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-blocker/1.11 This issue will prevent the release of the next version of Cilium. needs-backport/1.11 release-blocker/1.12 This issue will prevent the release of the next version of Cilium. release-blocker/1.13 This issue will prevent the release of the next version of Cilium. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jun 6, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.12.11 Jun 6, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.4 Jun 6, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.11.18 Jun 6, 2023
@pchaigno pchaigno marked this pull request as ready for review June 6, 2023 19:55
@pchaigno pchaigno requested review from a team as code owners June 6, 2023 19:55
@pchaigno pchaigno marked this pull request as draft June 7, 2023 11:08
@pchaigno pchaigno force-pushed the fix-xfrm-fwd-policy-leak branch 2 times, most recently from e7b7fdd to e1b8322 Compare June 7, 2023 12:54
@pchaigno pchaigno removed release-blocker/1.11 This issue will prevent the release of the next version of Cilium. release-blocker/1.12 This issue will prevent the release of the next version of Cilium. release-blocker/1.13 This issue will prevent the release of the next version of Cilium. labels Jun 7, 2023
@pchaigno
ipsec: Change XFRM FWD policy to simplest wildcard
d22edee 
We recently changed our XFRM configuration to have one XFRM OUT policy
per remote node, regardless of the IPAM mode being used. In doing so, we
also moved the XFRM FWD policy to be installed once per remote node.

With ENI and Azure IPAM modes, this wouldn't cause any issue because the
XFRM FWD policy is the same regardless of the remote node. On other IPAM
modes, however, the XFRM FWD policy is for some reason different
depending on the remote node that triggered the installation. As a
result, for those IPAM modes, one FWD policy is installed per remote
node. And the deletion logic triggered on node deletions wasn't updated
to take that into account. We thus have a leak of XFRM FWD policies.

In the end, our FWD policy just needs to allow everything through
without encrypting it. It doesn't need to be specific to any remote
node. We can simply completely wildcard the match, to look like:

    src 0.0.0.0/0 dst 0.0.0.0/0
        dir fwd priority 2975 ptype main
        tmpl src 0.0.0.0 dst 192.168.134.181
            proto esp reqid 1 mode tunnel
            level use

So we match all packets regardless of source and destination IPs. We
don't match on the packet mark.

There's a small implementation hurdle here. Because we used to install
FWD policies of the form "src 0.0.0.0/0 dst 10.0.1.0/24", the kernel was
able to deduce which IP family we are matching against and would adapt
the 0.0.0.0/0 source CIDR to ::/0 as needed. Now that we are matching on
0/0 for both CIDRs, it cannot deduce this anymore. So instead, we must
detect the IP family ourself and use the proper CIDRs.

In addition to changing the XFRM FWD policy to the above, we can also
stop installing it once per remote node. It's enough to install it when
we receive the event for the local node, once.

Fixes: 3e59b68 ("ipsec: Per-node XFRM states & policies for EKS & AKS")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno
ipsec: Fix IPv6 wildcard CIDR used in some IPsec policies
d92e6bb 
We use this wildcard IPv6 CIDR in the catch-all default-drop OUT policy
as well as in the FWD policy. It was incorrectly set to ::/128 instead
of ::/0 and would therefore not match anything instead of matching
everything. This commit fixes it.

Fixes: e802c29 ("ipsec: Refactor wildcard IP variables")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno
Copy link
Member Author

pchaigno commented Jun 7, 2023

/test

@pchaigno pchaigno marked this pull request as ready for review June 7, 2023 16:08
@pchaigno
Copy link
Member Author

pchaigno commented Jun 7, 2023

I needed to repush to address two issues. One in the first commit (see 👇) and another one fixed in the second commit.

There's a small implementation hurdle here. Because we used to install FWD policies of the form "src 0.0.0.0/0 dst 10.0.1.0/24", the kernel was able to deduce which IP family we are matching against and would adapt the 0.0.0.0/0 source CIDR to ::/0 as needed. Now that we are matching on 0/0 for both CIDRs, it cannot deduce this anymore. So instead, we must detect the IP family ourself and use the proper CIDRs.

@jschwinger233 I've therefore re-requested a review from you just to be on the safe side 🙂

@pchaigno pchaigno merged commit d0ab559 into cilium:main Jun 9, 2023
63 of 64 checks passed
@pchaigno pchaigno deleted the fix-xfrm-fwd-policy-leak branch June 9, 2023 10:07
@pchaigno pchaigno mentioned this pull request Jun 9, 2023
Merged
5 tasks
@pchaigno pchaigno added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jun 9, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Backport pending to v1.13 in 1.13.4 Jun 9, 2023
@qmonnet qmonnet removed this from Needs backport from main in 1.13.5 Jun 9, 2023
@michi-covalent michi-covalent added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jun 9, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.4 Jun 9, 2023
@michi-covalent michi-covalent mentioned this pull request Jun 9, 2023
Closed
@gandro gandro mentioned this pull request Jun 12, 2023
Merged
2 tasks
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.12 in 1.12.11 Jun 12, 2023
@gandro gandro mentioned this pull request Jun 12, 2023
Closed
1 task
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.11 in 1.11.18 Jun 12, 2023
@gandro gandro mentioned this pull request Jun 12, 2023
Merged
8 tasks
@michi-covalent michi-covalent added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Jun 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.11 Jun 12, 2023
@michi-covalent michi-covalent mentioned this pull request Jun 12, 2023
Closed
@qmonnet qmonnet added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jun 14, 2023
@qmonnet qmonnet moved this from Backport pending to v1.11 to Backport done to v1.11 in 1.11.18 Jun 14, 2023
This was referenced Jun 14, 2023
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jschwinger233 jschwinger233 jschwinger233 approved these changes

@jibi jibi Awaiting requested review from jibi jibi is a code owner automatically assigned from cilium/ipsec

Assignees
No one assigned
Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.11.18
Backport done to v1.11
1.12.11
Backport done to v1.12
1.13.4
Backport done to v1.13
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@pchaigno @jschwinger233 @gandro @qmonnet @michi-covalent