https://github.com/cilium/cilium
Revision 0c1d3ca750db1de2d774fbf8de1a7a879006f00e authored by Paul Chaignon on 20 September 2022, 12:28:34 UTC, committed by Timo Beckers on 04 October 2022, 10:21:36 UTC
[ upstream commit 592ff13ae8f93f18fe78180d91f5b4cb4be02562 ]

**TL;DR.** We only need one of an XFRM IN policy or an XFRM IN state to
match each packet. This commit removes one superfluous XFRM IN policy
and enables some additional simplification as a result.

What XFRM IN policy we install currently depends on whether we are
running in tunneling mode and with or without endpoint routes:

In tunneling mode:
    XFRM IN policy matching on mark 0x200/0xf00 (for proxy)
    XFRM IN policy matching on mark 0xd00/0xf00 (for decrypt.)

In native routing mode with endpoint routes:
    XFRM IN policy matching on mark 0x200/0xf00 (for proxy)

In all cases, we also have:
    XFRM IN state matching on mark 0xd00/0xf00 (for decrypt.)

The two policies in tunneling mode were introduced by a9f18f36
("datapath/linux/ipsec: Insert additional In rule when tunneling"). The
additional case for endpoint routes was introduced by 3ffe49e1 ("ipsec:
Fix L7 with endpoint routes"). Now, I got to wonder how 3ffe49e1 even
worked as it was missing an XFRM IN policy for 0xd00 which a9f18f36
suggested was necessary.

After some local testing, it turns out that the two XFRM IN policies for
tunneling mode are not required. All we need is to have either (1) an
XFRM IN policy or (2) an XFRM IN state matching the packets. The XFRM
state is needed if we want to decrypt packets; the XFRM policy is needed
to not drop packets that don't match an XFRM state.

Given we always have an XFRM IN state for packets coming with the
decryption mark, we don't need an XFRM IN policy for that. We only need
an XFRM IN policy for packets coming with the proxy mark because we
don't have a state for those, rightly so as we don't want to decrypt
them.

This commit therefore removes the XFRM IN policy for decryption. It also
removes any dependency on particular options: we will always install the
XFRM IN policy for the proxy. It doesn't hurt to have that policy even
if not required (e.g., in native routing mode without endpoint routes).

**How was this tested?**

This change was tested with our Jenkins IPsec tests (including the
quarantined one for VXLAN), as well as with GKE and EKS clusters of 3
nodes. In all cases, the connectivity tests were executed and L7
policies were thus covered.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
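The commit message's argument is that the inbound XFRM lookup only needs either a matching IN state (packet gets decrypted) or a matching IN policy (packet is let through undecrypted), and that anything matching neither is dropped. The Python below is an added example, not code from the Cilium commit or repository: it models that inbound decision as the message describes it (state checked first, then policy, else drop; this ordering is an assumption of the model, not a claim about the kernel's internals), using the 0x200/0xf00 proxy mark and 0xd00/0xf00 decryption mark from the message, and checks that removing the 0xd00 IN policy changes no outcome for a set of constructed sample marks. All rule-set and mark names are made up for the example.

```python
# Added example, not part of the Cilium commit: a toy model of the inbound
# XFRM decision described in the commit message, used to check that the
# removed XFRM IN policy for the decryption mark was redundant.

# Mark values from the commit message (value/mask as XFRM compares them).
PROXY_MARK = 0x200    # 0x200/0xf00: traffic to/from the L7 proxy
DECRYPT_MARK = 0xD00  # 0xd00/0xf00: ESP traffic to be decrypted
MARK_MASK = 0xF00


def mark_matches(mark, value, mask=MARK_MASK):
    """True if packet mark matches value/mask; bits outside the mask are ignored."""
    return (mark & mask) == (value & mask)


def xfrm_in_lookup(mark, policies, states):
    """Simplified inbound XFRM decision, following the commit message:
    a matching IN state decrypts the packet; otherwise a matching IN policy
    lets it through as-is; with neither the packet is dropped.
    (Assumption of this model: state is consulted before policy.)
    Returns one of 'decrypt', 'accept', 'drop'."""
    if any(mark_matches(mark, s) for s in states):
        return "decrypt"
    if any(mark_matches(mark, p) for p in policies):
        return "accept"
    return "drop"


# Rule sets as listed in the commit message (hypothetical names).
BEFORE_TUNNEL = {"policies": [PROXY_MARK, DECRYPT_MARK], "states": [DECRYPT_MARK]}
BEFORE_NATIVE_EPROUTES = {"policies": [PROXY_MARK], "states": [DECRYPT_MARK]}
AFTER_ALL_MODES = {"policies": [PROXY_MARK], "states": [DECRYPT_MARK]}

# Constructed sample marks: plain proxy and decrypt marks, the same marks with
# extra low bits set (outside the 0xf00 mask), and two marks matching nothing.
SAMPLE_MARKS = [0x200, 0xD00, 0x2A5, 0xD42, 0x000, 0x100]


def outcomes(ruleset, marks=SAMPLE_MARKS):
    """Map each sample mark to the decision the rule set produces."""
    return {m: xfrm_in_lookup(m, ruleset["policies"], ruleset["states"]) for m in marks}


def redundant_policy_check():
    """True if dropping the 0xd00 IN policy changes no decision for any sample mark,
    i.e. the simplified rule set behaves like both pre-commit rule sets."""
    after = outcomes(AFTER_ALL_MODES)
    return outcomes(BEFORE_TUNNEL) == after and outcomes(BEFORE_NATIVE_EPROUTES) == after


if __name__ == "__main__":
    for name, rs in [("before/tunnel", BEFORE_TUNNEL), ("after", AFTER_ALL_MODES)]:
        print(name, {hex(m): d for m, d in outcomes(rs).items()})
    print("0xd00 IN policy redundant:", redundant_policy_check())
```

The last assertion in the model is the one the message relies on for keeping the proxy policy: with only the decryption state installed, a packet carrying the proxy mark matches nothing and is dropped, which is why the 0x200 policy stays while the 0xd00 policy goes.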
1 parent 714bbd3
ipsec: Simplify XFRM IN policies