ipsec

package
Published: Nov 1, 2024 License: Apache-2.0 Imports: 36 Imported by: 8

Documentation

Overview

Package ipsec provides the Linux datapath specific abstraction and useful helpers to manage IPSec via Linux xfrm.

Index

Constants

const (
	IPSecDirIn IPSecDir = 1 << iota
	IPSecDirOut
	IPSecDirFwd

	// The request ID which signifies all Cilium managed policies and states.
	AllReqID = 0

	// DefaultReqID is the default reqid used for all IPSec rules.
	DefaultReqID = 1

	// EncryptedOverlayReqID is the reqid used for encrypting overlay traffic.
	EncryptedOverlayReqID = 2
)

Variables

var Cell = cell.Module(
	"ipsec-key-custodian",
	"Handles initial key setup and knows the key size",

	cell.Provide(newKeyCustodian),
)

The IPsec key custodian handles key-related initialisation tasks for the ipsec subsystem. It's an incremental step towards a more encompassing modularisation of the subsystem.

Functions

func DeleteIPsecEncryptRoute

func DeleteIPsecEncryptRoute(log *slog.Logger)

DeleteIPsecEncryptRoute removes nodes in the main routing table by walking the routes and matching on the route protocol type.

func DeleteIPsecEndpoint

func DeleteIPsecEndpoint(log *slog.Logger, nodeID uint16) error

DeleteIPsecEndpoint deletes an endpoint associated with the remote IP address.

func DeleteXFRM added in v1.16.0

func DeleteXFRM(log *slog.Logger, reqID int) error

DeleteXFRM will remove XFRM policies and states by their XFRM request ID.

AllReqID can be used for `reqID` to remove all Cilium managed XFRM policies and states.

func IPsecDefaultDropPolicy

func IPsecDefaultDropPolicy(log *slog.Logger, ipv6 bool) error

Installs a catch-all policy for outgoing traffic that has the encryption bit. The goal here is to catch any traffic that may passthrough our encryption while we are replacing XFRM policies & states. Those operations cannot always be performed atomically so we may have brief moments where there is no XFRM policy to encrypt a subset of traffic. This policy ensures we drop such traffic and don't let it flow in plain text.

We do need to match on the mark because there is also traffic flowing through XFRM that we don't want to encrypt (e.g., hostns traffic).

func IpSecReplacePolicyFwd

func IpSecReplacePolicyFwd(params *IPSecParameters) error

func LoadIPSecKeys

func LoadIPSecKeys(log *slog.Logger, r io.Reader) (int, uint8, error)

func LoadIPSecKeysFile

func LoadIPSecKeysFile(log *slog.Logger, path string) (int, uint8, error)

LoadIPSecKeysFile imports IPSec auth and crypt keys from a file. The format is one key per line, as follows: (auth-algo auth-key enc-algo enc-key). Returns the authentication overhead in bytes, the key ID, and an error.
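As an added illustration (not code from the Cilium package), a parser for the four-field line format described above that also reports the per-packet authentication overhead of the chosen auth algorithm. The algorithm table, the ICV sizes, the acceptance of `#` comment lines and the requirement that every line use the same auth algorithm are assumptions of this example; the page does not say where the key ID comes from, so no key ID is produced.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// KeyEntry is one parsed line of the key file in the four-field form the
// LoadIPSecKeysFile doc describes: "auth-algo auth-key enc-algo enc-key".
type KeyEntry struct {
	AuthAlgo string
	AuthKey  []byte
	EncAlgo  string
	EncKey   []byte
}

// icvBytes maps an auth algorithm to its ICV length in bytes, i.e. the
// per-packet authentication overhead. Assumption of this example: the
// truncated ICV sizes of RFC 2404 (HMAC-SHA1-96) and RFC 4868
// (HMAC-SHA-256-128); Cilium's own table may differ.
var icvBytes = map[string]int{
	"hmac(sha1)":   12,
	"hmac(sha256)": 16,
}

// encKeySizes lists the accepted key lengths in bytes per cipher (AES-128/192/256).
var encKeySizes = map[string]map[int]bool{
	"cbc(aes)": {16: true, 24: true, 32: true},
}

// parseHexKey decodes a key written as hex, with or without a 0x prefix.
func parseHexKey(field string) ([]byte, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(field, "0x"))
	if err != nil {
		return nil, fmt.Errorf("%q is not hex: %w", field, err)
	}
	if len(raw) == 0 {
		return nil, errors.New("empty key")
	}
	return raw, nil
}

// ParseKeyFile reads one entry per line from r, validating algorithm names,
// hex encoding and cipher key sizes. Blank lines and '#' comments are skipped
// (an assumption; the doc does not mention comments). It returns the entries
// and the authentication overhead in bytes, which must agree across the file.
func ParseKeyFile(r io.Reader) ([]KeyEntry, int, error) {
	var entries []KeyEntry
	overhead := -1
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, 0, fmt.Errorf("line %d: want 4 fields, got %d", n, len(f))
		}
		icv, ok := icvBytes[f[0]]
		if !ok {
			return nil, 0, fmt.Errorf("line %d: unsupported auth algo %q", n, f[0])
		}
		authKey, err := parseHexKey(f[1])
		if err != nil {
			return nil, 0, fmt.Errorf("line %d: auth key: %w", n, err)
		}
		sizes, ok := encKeySizes[f[2]]
		if !ok {
			return nil, 0, fmt.Errorf("line %d: unsupported enc algo %q", n, f[2])
		}
		encKey, err := parseHexKey(f[3])
		if err != nil {
			return nil, 0, fmt.Errorf("line %d: enc key: %w", n, err)
		}
		if !sizes[len(encKey)] {
			return nil, 0, fmt.Errorf("line %d: bad %s key size %d bytes", n, f[2], len(encKey))
		}
		if overhead >= 0 && overhead != icv {
			return nil, 0, fmt.Errorf("line %d: mixed auth algorithms in one file", n)
		}
		overhead = icv
		entries = append(entries, KeyEntry{AuthAlgo: f[0], AuthKey: authKey, EncAlgo: f[2], EncKey: encKey})
	}
	if err := sc.Err(); err != nil {
		return nil, 0, err
	}
	if len(entries) == 0 {
		return nil, 0, errors.New("no keys found")
	}
	return entries, overhead, nil
}

// sampleKeyFile is a constructed key file; the key bytes are placeholders, not real key material.
var sampleKeyFile = "# constructed example\nhmac(sha256) 0x" + strings.Repeat("ab", 32) +
	" cbc(aes) 0x" + strings.Repeat("cd", 16) + "\n"

func main() {
	entries, overhead, err := ParseKeyFile(strings.NewReader(sampleKeyFile))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d key(s), %d bytes of authentication overhead\n", len(entries), overhead)
}
```

Rejecting a line outright, rather than skipping it, is deliberate: a key file with a malformed or undersized entry should fail loading rather than silently install a weaker or partial keyset.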

func NewXFRMCollector

func NewXFRMCollector(log *slog.Logger) prometheus.Collector

func NewXfrmStateListCache added in v1.13.17

func NewXfrmStateListCache(ttl time.Duration) *xfrmStateListCache

func ProbeXfrmStateOutputMask

func ProbeXfrmStateOutputMask() (e error)

ProbeXfrmStateOutputMask probes the kernel to determine if it supports setting the xfrm state output mask (Linux 4.19+). It returns an error if the output mask is not supported or if an error occurred, nil otherwise.

func SetIPSecSPI

func SetIPSecSPI(log *slog.Logger, spi uint8) error

func StartKeyfileWatcher

func StartKeyfileWatcher(log *slog.Logger, group job.Group, keyfilePath string, nodeHandler datapath.NodeHandler) error

func UnsetTestIPSecKey

func UnsetTestIPSecKey()

UnsetTestIPSecKey reinitializes the IPSec key-related variables. This function is for testing purposes only and **must not** be used elsewhere.

func UpsertIPsecEndpoint

func UpsertIPsecEndpoint(log *slog.Logger, params *IPSecParameters) (uint8, error)

UpsertIPsecEndpoint updates the IPSec context for a new endpoint inserted in the ipcache. Currently we support a global crypt/auth keyset that will encrypt all traffic between endpoints. An IPSec context consists of two pieces, a policy and a state: the security policy database (SPD) and the security association database (SAD). These are implemented using the Linux kernel's XFRM implementation.

For all traffic that matches a policy, the policy tuple used is (sip/mask, dip/mask, dev) with an optional mark field used in the Cilium implementation to ensure only expected traffic is encrypted. The state hashtable is searched for a matching state associated with that flow. The Linux kernel will do a series of hash lookups to find the most specific state (xfrm_dst) possible. The hash keys searched are the following: (daddr, saddr, reqid, encap_family), (daddr, wildcard, reqid, encap), (mark, daddr, spi, proto, encap). Any "hits" in the hash table will subsequently have the SPI checked to ensure it also matches. Encap is ignored in our case here and can be used with UDP encap if wanted.

The implication of the (inflexible!) hash key implementation is that in order to have a policy/state match we _must_ insert a state for each daddr. For Cilium this translates to a state entry per node. We learn the nodes/endpoints by listening to ipcache events. Finally, because IPSec is unidirectional, a state is needed for both ingress and egress, denoted by the DIR on the xfrm command line in the policy lookup. In the Cilium case, where we have IPSec between all endpoints, this results in two policy rules per node, one for ingress and one for egress.

For a concrete example consider two cluster nodes using transparent mode, e.g. without an IPSec tunnel IP. Cluster Node A has host_ip 10.156.0.1 with an endpoint assigned to IP 10.156.2.2 and cluster Node B has host_ip 10.182.0.1 with an endpoint using IP 10.182.3.3. Then on Node A there will be two policy entries and a set of state entries:

Policy1(src=10.182.0.0/16,dst=10.156.0.1/16,dir=in,tmpl(spi=#spi,reqid=#reqid))
Policy2(src=10.156.0.0/16,dst=10.182.0.1/16,dir=out,tmpl(spi=#spi,reqid=#reqid))
State1(src=*,dst=10.182.0.1,spi=#spi,reqid=#reqid,...)
State2(src=*,dst=10.156.0.1,spi=#spi,reqid=#reqid,...)

Design Note: For newer kernels a BPF xfrm interface would greatly simplify the state space. The basic idea would be to reference a state using any key generated from a BPF program, allowing for a single state per security ctx.
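The policy/state derivation described above, as an added example that is not Cilium's code: given the local node and a list of remote nodes in transparent mode, it produces the in/out policy pair per remote node and one state per destination host address (plus the local host's own state), and generalises the two-node example to any number of remotes. The Node, Policy and State types, the use of subnet CIDRs as the policy selectors and the sample spi/reqid values are assumptions of this example; the kernel's hash lookups and the packet mark are not modelled.

```go
package main

import (
	"fmt"
	"net"
)

// Node is a cluster node in transparent mode: its host IP (the address used as
// the state's daddr) and the endpoint subnet it owns. Constructed for this example.
type Node struct {
	Name   string
	HostIP net.IP
	Subnet *net.IPNet
}

// Policy mirrors the xfrm policy tuple from the package doc: source and
// destination selectors, a direction, and the template (spi, reqid).
type Policy struct {
	Src, Dst *net.IPNet
	Dir      string // "in" or "out"
	SPI      uint8
	ReqID    int
}

// State mirrors an xfrm state, which the kernel keys on its destination address.
type State struct {
	Dst   net.IP
	SPI   uint8
	ReqID int
}

// IPSecContext derives, for the local node, the XFRM entries the doc describes:
// an in and an out policy per remote node, a state per remote daddr, and one
// state for the local host address. This models the doc text, not UpsertIPsecEndpoint.
func IPSecContext(local Node, remotes []Node, spi uint8, reqID int) ([]Policy, []State) {
	var policies []Policy
	states := []State{{Dst: local.HostIP, SPI: spi, ReqID: reqID}}
	for _, r := range remotes {
		policies = append(policies,
			Policy{Src: r.Subnet, Dst: local.Subnet, Dir: "in", SPI: spi, ReqID: reqID},
			Policy{Src: local.Subnet, Dst: r.Subnet, Dir: "out", SPI: spi, ReqID: reqID},
		)
		states = append(states, State{Dst: r.HostIP, SPI: spi, ReqID: reqID})
	}
	return policies, states
}

// String renders a policy in the notation used by the package doc.
func (p Policy) String() string {
	return fmt.Sprintf("Policy(src=%s,dst=%s,dir=%s,tmpl(spi=%d,reqid=%d))", p.Src, p.Dst, p.Dir, p.SPI, p.ReqID)
}

// String renders a state in the notation used by the package doc.
func (s State) String() string {
	return fmt.Sprintf("State(src=*,dst=%s,spi=%d,reqid=%d)", s.Dst, s.SPI, s.ReqID)
}

// mustNode builds a Node from textual addresses and panics on malformed input.
func mustNode(name, host, cidr string) Node {
	ip := net.ParseIP(host)
	_, subnet, err := net.ParseCIDR(cidr)
	if ip == nil || err != nil {
		panic("bad node address: " + host + " " + cidr)
	}
	return Node{Name: name, HostIP: ip, Subnet: subnet}
}

func main() {
	// The two nodes from the doc's example; spi=3 and reqid=1 are sample values.
	a := mustNode("A", "10.156.0.1", "10.156.0.0/16")
	b := mustNode("B", "10.182.0.1", "10.182.0.0/16")
	policies, states := IPSecContext(a, []Node{b}, 3, 1)
	for _, p := range policies {
		fmt.Println(p)
	}
	for _, s := range states {
		fmt.Println(s)
	}
}
```

With N remote nodes the output grows to 2N policies and N+1 states, which is the scaling cost the design note above refers to when it suggests a BPF xfrm interface could collapse this to one state per security context.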

Types

type IPSecDir

type IPSecDir uint32

type IPSecParameters

type IPSecParameters struct {
	// The BootID for the local host is used to determine if creation of the
	// policy should occur and for key derivation purposes.
	LocalBootID string
	// The BootID for the remote host is used to determine if creation of the
	// policy should occur and for key derivation purposes.
	RemoteBootID string
	// The direction of the created XFRM policy.
	Dir IPSecDir
	// The source subnet selector for the XFRM policy/state
	SourceSubnet *net.IPNet
	// The destination subnet selector for the XFRM policy/state
	DestSubnet *net.IPNet
	// The source security gateway IP used to define an IPsec tunnel mode SA
	// For OUT policies this is the resulting source address of an ESP encrypted
	// packet.
	// For IN/FWD this should identify the source SA address of the state which
	// decrypted the packet.
	SourceTunnelIP *net.IP
	// The destination security gateway IP used to define an IPsec tunnel mode SA
	// For OUT policies this is the resulting destination address of an ESP encrypted
	// packet.
	// For IN/FWD this should identify the destination SA address of the state which
	// decrypted the packet.
	DestTunnelIP *net.IP
	// The ReqID used for the resulting XFRM policy/state
	ReqID int
	// The remote node ID used for SPI identification and appropriate packet
	// mark matching.
	RemoteNodeID uint16
	// Whether to use a zero output mark or not.
	// This is useful when you want the resulting encrypted packet to be immediately
	// handled by the stack and not Cilium's datapath.
	ZeroOutputMark bool
	// Whether the remote has been rebooted; this is used for bookkeeping and
	// informs the policy/state creation methods whether the creation should
	// take place.
	RemoteRebooted bool
}

func NewIPSecParamaters

func NewIPSecParamaters(template *IPSecParameters) *IPSecParameters

Creates a new IPSecParameters. If a template is provided, returns a copy of it instead of a new empty structure.
