IPSEC backend #516
IPSEC Mode: Tunnel

This means that the entire IP packet is encrypted. We encapsulate using the host IP addresses, therefore we can have a separate IPSEC backend instead of integrating it with existing backends. Running in tunnel mode has the added advantage of not leaking the container IPs.

Authentication Mechanism: Pre-shared key (PSK)

For authentication, we use a PSK, generated by flannel and distributed through etcd, which in turn uses client-side certificates for authentication.

Internet key exchange (IKE): Charon

We use the charon daemon from the strongSwan project to negotiate Security Associations (SAs) between the endpoints. SAs define the security attributes used to enable secure communication between endpoints [1]. IKE has two phases: the first establishes a secure channel using the Diffie-Hellman key exchange, and the second phase uses this secure channel to negotiate the security attributes like, for example, the keys used to encrypt traffic. We use 4096-bit Diffie-Hellman, AES-256-CBC for encryption and SHA-256 for integrity. Note that IKEv1 is used and phase 1 is run in Main mode.

Configuration

The only configuration parameter required is whether UDP Encapsulation should be enabled.
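As an added example (not code from this PR, from flannel, or from the goStrongswanVici library the PR uses), the following Go program shows how the design above maps onto strongSwan's VICI control protocol: a random PSK that flannel would publish through etcd, a `load-shared` request that hands that PSK to charon, and a `load-conn` request that describes one host-to-host tunnel with IKEv1 in Main mode, tunnel-mode child SA, the `aes256-sha256-modp4096` proposal, container subnets as traffic selectors and UDP encapsulation as the single knob. The VICI element encoding (1-byte-prefixed names, 2-byte-prefixed values, section/list markers, 4-byte length-prefixed packets) is the real wire format; the connection and child names, the use of host IPs as IKE identities and the choice to reuse the IKE proposal for ESP (which enables PFS with modp4096) are assumptions made for this example, not something the PR states.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net"
)

// Element and packet type bytes of strongSwan's VICI wire protocol.
const (
	viciSectionStart byte = 1
	viciSectionEnd   byte = 2
	viciKeyValue     byte = 3
	viciListStart    byte = 4
	viciListItem     byte = 5
	viciListEnd      byte = 6
	viciCmdRequest   byte = 0
)

// Proposal from the PR: AES-256-CBC, SHA-256 integrity, 4096-bit MODP DH group.
const Proposal = "aes256-sha256-modp4096"

// viciMsg accumulates the nested sections, key/values and lists of one VICI message.
type viciMsg struct{ buf bytes.Buffer }

func (m *viciMsg) name(s string) { m.buf.WriteByte(byte(len(s))); m.buf.WriteString(s) } // 1-byte length
func (m *viciMsg) value(s string) {                                                       // 2-byte big-endian length
	m.buf.Write([]byte{byte(len(s) >> 8), byte(len(s))})
	m.buf.WriteString(s)
}
func (m *viciMsg) section(s string) { m.buf.WriteByte(viciSectionStart); m.name(s) }
func (m *viciMsg) end()             { m.buf.WriteByte(viciSectionEnd) }
func (m *viciMsg) kv(k, v string)   { m.buf.WriteByte(viciKeyValue); m.name(k); m.value(v) }
func (m *viciMsg) list(k string, vals ...string) {
	m.buf.WriteByte(viciListStart)
	m.name(k)
	for _, v := range vals {
		m.buf.WriteByte(viciListItem)
		m.value(v)
	}
	m.buf.WriteByte(viciListEnd)
}

// request frames the message as a CMD_REQUEST packet: 4-byte big-endian length,
// packet type byte, 1-byte-prefixed command name, then the message body.
func (m *viciMsg) request(cmd string) []byte {
	var pkt bytes.Buffer
	pkt.WriteByte(viciCmdRequest)
	pkt.WriteByte(byte(len(cmd)))
	pkt.WriteString(cmd)
	pkt.Write(m.buf.Bytes())
	out := make([]byte, 4+pkt.Len())
	binary.BigEndian.PutUint32(out, uint32(pkt.Len()))
	copy(out[4:], pkt.Bytes())
	return out
}

// NewPSK returns n random bytes, hex-encoded, as flannel would store them in etcd.
func NewPSK(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// LoadSharedRequest registers the PSK in charon for the given IKE identities.
func LoadSharedRequest(psk string, owners ...string) []byte {
	m := &viciMsg{}
	m.kv("type", "IKE")
	m.kv("data", psk)
	m.list("owners", owners...)
	return m.request("load-shared")
}

// Tunnel is one host-to-host IPsec tunnel between two flannel leases.
type Tunnel struct {
	LocalIP, RemoteIP         net.IP     // host addresses: the outer, unencrypted header
	LocalSubnet, RemoteSubnet *net.IPNet // container subnets: traffic selectors inside the tunnel
	UDPEncap                  bool       // the one configuration parameter the PR exposes
}

func (t Tunnel) ConnName() string { return "flannel-" + t.RemoteIP.String() } // naming is an assumption

// LoadConnRequest builds the load-conn request: IKEv1 Main mode, PSK auth, tunnel-mode child.
func (t Tunnel) LoadConnRequest() []byte {
	yesno := map[bool]string{true: "yes", false: "no"}
	m := &viciMsg{}
	m.section(t.ConnName())
	m.list("local_addrs", t.LocalIP.String())
	m.list("remote_addrs", t.RemoteIP.String())
	m.list("proposals", Proposal)
	m.kv("version", "1")     // IKEv1, as in the PR
	m.kv("aggressive", "no") // phase 1 in Main mode, not Aggressive mode
	m.kv("encap", yesno[t.UDPEncap])
	m.section("local"); m.kv("auth", "psk"); m.kv("id", t.LocalIP.String()); m.end()
	m.section("remote"); m.kv("auth", "psk"); m.kv("id", t.RemoteIP.String()); m.end()
	m.section("children"); m.section("containers")
	m.list("local_ts", t.LocalSubnet.String())
	m.list("remote_ts", t.RemoteSubnet.String())
	m.list("esp_proposals", Proposal) // reusing the IKE proposal for ESP is an assumption
	m.kv("mode", "tunnel")
	m.kv("start_action", "start")
	m.end(); m.end(); m.end()
	return m.request("load-conn")
}

func main() {
	_, lsub, _ := net.ParseCIDR("10.1.5.0/24") // constructed sample leases
	_, rsub, _ := net.ParseCIDR("10.1.9.0/24")
	t := Tunnel{LocalIP: net.ParseIP("192.0.2.10"), RemoteIP: net.ParseIP("192.0.2.20"),
		LocalSubnet: lsub, RemoteSubnet: rsub, UDPEncap: true}
	psk, err := NewPSK(32)
	if err != nil {
		panic(err)
	}
	fmt.Printf("load-shared: %x\n", LoadSharedRequest(psk, t.LocalIP.String(), t.RemoteIP.String()))
	fmt.Printf("load-conn:   %x\n", t.LoadConnRequest())
}
```

Writing these packets to charon's VICI socket (typically `/var/run/charon.vici`) and reading the reply is what the goStrongswanVici library does for the PR; the point here is that everything the backend needs from etcd is the peer's public IP, its subnet and the shared PSK, and that the outer addresses in `local_addrs`/`remote_addrs` are the only ones visible on the wire.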
@eyakubovich Congratulations on the new job! Are you looking for someone to take over this PR now?
@tomdee Thanks! I was temporarily helping out CoreOS and took some time to update the PR. However, I am no longer working on this. On a personal level, I would love it if this PR finally got merged; @MohdAhmad worked very hard on it and I think it would be a good addition to flannel. Lots of people have asked for this feature.
```go
LocalAddrs:  []string{localLease.Attrs.PublicIP.String()},
RemoteAddrs: []string{remoteLease.Attrs.PublicIP.String()},
Proposals:   []string{"aes256-sha256-modp4096"},
Version:     "1",
```
Is there an advantage to using IKEv1 here? IKEv2 seems to be simpler and more reliable.
Looks like this was taken directly from the library docs:
https://github.com/bronze1man/goStrongswanVici
What is wrong with v1? It just works. I'm still running some IKEv1 without any problems.
Any progress on this?
I've made a follow-up PR #637
Closing in favour of #637
Updated version of #290
This is still a WIP on the packaging front. The charon daemon depends on libatomic, which is missing from the base image.