ipsec

package
v1.12.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 16, 2022 License: Apache-2.0 Imports: 28 Imported by: 8

Documentation

Overview

Package ipsec provides the Linux datpaath specific abstraction and useful helpers to manage IPSec via Linux xfrm.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DeleteIPsecEncryptRoute

func DeleteIPsecEncryptRoute()

DeleteIPsecEncryptRoute removes nodes in main routing table by walking routes and matching route protocol type.

func DeleteIPsecEndpoint

func DeleteIPsecEndpoint(remote net.IP)

DeleteIPsecEndpoint deletes a endpoint associated with the remote IP address

func DeleteXfrm

func DeleteXfrm()

DeleteXfrm remove any remaining XFRM policy or state from tables

func IpSecReplacePolicyFwd

func IpSecReplacePolicyFwd(dst *net.IPNet, tmplDst net.IP) error

func LoadIPSecKeysFile

func LoadIPSecKeysFile(path string) (int, uint8, error)

LoadIPSecKeysFile imports IPSec auth and crypt keys from a file. The format is to put a key per line as follows, (auth-algo auth-key enc-algo enc-key) Returns the authentication overhead in bytes, the key ID, and an error.

func NewXFRMCollector

func NewXFRMCollector() prometheus.Collector

NewXFRMCollector returns a new prometheus.Collector for /proc/net/xfrm_stat https://www.kernel.org/doc/Documentation/networking/xfrm_proc.txt

func ProbeXfrmStateOutputMask

func ProbeXfrmStateOutputMask() error

ProbeXfrmStateOutputMask probes the kernel to determine if it supports setting the xfrm state output mask (Linux 4.19+). It returns an error if the output mask is not supported or if an error occurred, nil otherwise.

func StartKeyfileWatcher

func StartKeyfileWatcher(ctx context.Context, keyfilePath string, nodediscovery *nodediscovery.NodeDiscovery, nodeHandler datapath.NodeHandler) error

func StartStaleKeysReclaimer

func StartStaleKeysReclaimer(ctx context.Context)

func UpsertIPsecEndpoint

func UpsertIPsecEndpoint(local, remote *net.IPNet, outerLocal, outerRemote net.IP, dir IPSecDir, outputMark bool) (uint8, error)

UpsertIPsecEndpoint updates the IPSec context for a new endpoint inserted in * the ipcache. Currently we support a global crypt/auth keyset that will encrypt * all traffic between endpoints. An IPSec context consists of two pieces a policy * and a state, the security policy database (SPD) and security association * database (SAD). These are implemented using the Linux kernels XFRM implementation. * * For all traffic that matches a policy, the policy tuple used is * (sip/mask, dip/mask, dev) with an optional mark field used in the Cilium implementation * to ensure only expected traffic is encrypted. The state hashtable is searched for * a matching state associated with that flow. The Linux kernel will do a series of * hash lookups to find the most specific state (xfrm_dst) possible. The hash keys searched are * the following, (daddr, saddr, reqid, encap_family), (daddr, wildcard, reqid, encap), * (mark, daddr, spi, proto, encap). Any "hits" in the hash table will subsequently * have the SPI checked to ensure it also matches. Encap is ignored in our case here * and can be used with UDP encap if wanted. * * The implications of the (inflexible!) hash key implementation is that in-order * to have a policy/state match we _must_ insert a state for each daddr. For Cilium * this translates to a state entry per node. We learn the nodes/endpoints by * listening to ipcache events. Finally, because IPSec is unidirectional a state * is needed for both ingress and egress. Denoted by the DIR on the xfrm cmd line * in the policy lookup. In the Cilium case, where we have IPSec between all * endpoints this results in two policy rules per node, one for ingress * and one for egress. * * For a concrete example consider two cluster nodes using transparent mode e.g. * without an IPSec tunnel IP. Cluster Node A has host_ip 10.156.0.1 with an * endpoint assigned to IP 10.156.2.2 and cluster Node B has host_ip 10.182.0.1 * with an endpoint using IP 10.182.3.3. Then on Node A there will be a two policy * entries and a set of State entries, * * Policy1(src=10.182.0.0/16,dst=10.156.0.1/16,dir=in,tmpl(spi=#spi,reqid=#reqid)) * Policy2(src=10.156.0.0/16,dst=10.182.0.1/16,dir=out,tmpl(spi=#spi,reqid=#reqid)) * State1(src=*,dst=10.182.0.1,spi=#spi,reqid=#reqid,...) * State2(src=*,dst=10.156.0.1,spi=#spi,reqid=#reqid,...) * * Design Note: For newer kernels a BPF xfrm interface would greatly simplify the * state space. Basic idea would be to reference a state using any key generated * from BPF program allowing for a single state per security ctx.

func UpsertIPsecEndpointPolicy

func UpsertIPsecEndpointPolicy(local, remote *net.IPNet, localTmpl, remoteTmpl net.IP, dir IPSecDir) error

UpsertIPsecEndpointPolicy adds a policy to the xfrm rules. Used to add a policy when the state rule is already available.

Types

type IPSecDir

type IPSecDir string
const (
	IPSecDirIn      IPSecDir = "IPSEC_IN"
	IPSecDirOut     IPSecDir = "IPSEC_OUT"
	IPSecDirBoth    IPSecDir = "IPSEC_BOTH"
	IPSecDirOutNode IPSecDir = "IPSEC_OUT_NODE"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL