https://github.com/cilium/cilium
Revision 0551b5dfa61fe539eca20637d075fa4319855b51 authored by Paul Chaignon on 14 May 2023, 21:16:14 UTC, committed by Aditi Ghag on 21 July 2023, 22:13:45 UTC
[ upstream commit 5fe2b2d6da76d6b1d334f3ce9c0c59371b239892 ]

In pod-to-pod encryption with IPsec and tunneling, Cilium currently
encrypts traffic on the path hostns -> remote pod even though traffic
is in plain-text on the path remote pod -> hostns. When using native
routing, neither of those paths is encrypted because traffic from the
hostns doesn't go through the bpf_host BPF program.

Cilium's Transparent Encryption with IPsec aims at encrypting pod-to-pod
traffic. It is therefore unclear why we are encrypting traffic from the
hostns. The simple fact that only one direction of the connection is
encrypted begs the question of its usefulness. It's possible that this
traffic was encrypted by mistake: some of this logic is necessary for
node-to-node encryption with IPsec (not supported anymore) and
pod-to-pod encryption may have been somewhat simplified to encrypt
*-to-pod traffic.

Encrypting traffic from the hostns nevertheless creates several issues.
First, this situation creates a path asymmetry between the forward and
reply paths of hostns<>remote pod connections. Path asymmetry issues are
well known to be a source of bugs, from '--ctstate INVALID -j DROP'
iptables rules to NAT issues.

Second, Gray recently uncovered a separate bug which, when combined with
this encryption from hostns, can prevent Cilium from starting. That
separate bug is still being investigated but it seems to cause the
reload of bpf_host to depend on Cilium connecting to etcd in a
clustermesh context. If this etcd is a remote pod, Cilium connects to it
on the hostns -> remote pod path. The bpf_host program being unloaded[1], it
fails. We end up in a cyclic dependency: bpf_host requires connectivity
to etcd, connectivity to etcd requires bpf_host.

This commit therefore removes encryption with IPsec for the path hostns
-> remote pod when using tunneling (already unencrypted when using
native routing).

1 - More specifically, in Gray's case, the bpf_host program is already
    loaded, but it needs to be reloaded because the IPsec XFRM config
    changed. Without this reload, encryption fails.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
1 parent 6892a24
bpf: Don't encrypt on path hostns -> remote pod