
Add IPSec backend #929

Merged
merged 7 commits into from
Jan 25, 2018

Conversation

tomdee
Contributor

@tomdee tomdee commented Jan 25, 2018

  • Uses ESP in tunnel mode and a PSK.
  • Strongswan is used as the IKE daemon
  • Communicate with the strongswan charon using VICI

Strongswan adds ~5MB (uncompressed) to the image size.

I have added minimal documentation and automated tests, but it would be great to
add more before this is released.

I have also only performed minimal manual testing, so this backend is
"experimental" until more testing has been performed.

Huge thanks to @MohdAhmad @eyakubovich and @mkutsevol for their initial work on
getting ipsec added to flannel.

MohdAhmad and others added 7 commits December 23, 2017 11:28
This commit adds the IPSEC backend.

IPSEC Mode: Tunnel
This means that the entire IP packet is encrypted. We encapsulate using
the host IP addresses therefore we can have a separate IPSEC backend
instead of integrating it with existing backends. Running in tunnel mode
has the added advantage of not leaking the container IPs.

Authentication Mechanism: Pre-shared key (PSK)
For authentication, we use a PSK, generated by flannel and distributed
through etcd which in turn uses client-side certificates for
authentication.

Internet key exchange (IKE): Charon
We use the charon daemon from the strongSwan project to negotiate Security
Associations (SAs) between the endpoints. SAs define the security
attributes used to enable secure communication between endpoints [1].
IKE has two phases: the first establishes a secure channel using the
Diffie-Hellman key exchange and the second phase uses this secure
channel to negotiate the security attributes like, for example, the keys
used to encrypt traffic. We use 4096-bit Diffie-Hellman, AES-256-CBC
for encryption and SHA-256 for integrity. Note IKEv1 is used and phase 1
is run in Main mode.

Configuration
The only configuration parameter required is whether UDP Encapsulation
should be enabled.
Update to use new Makefile based build

Fixup k8s mgr for updated interface
Packaging and support for ikev2

Vendoring goStrongswanVici

Make ESP proposals configurable & default to Suite-B-GCM-128

goStrongswanVici dependency update

Removed CreateBackendData/GetBackendData

 * As flannel doesn't support multiple networks, this is not needed any
more

Splitting launch and management of charon

 * Transitional, (WIP)
 * Support for bundled/remote charon.
 * Cleanup after removal of CreateBackendData/GetBackendData

Some packaging

 * It builds amd64.
 * Still much to do.

RegisterNetwork can correctly shutdown spawned processes

 * Added sync.WaitGroup, so spawned processes can correctly shutdown.
 * Bundled charon daemon correctly shuts down.
amd64 standalone docker image with ipsec

 * Removed the build of strongswan completely. Even Alpine Linux has it
built already.
 * We package docker with strongswan as a separate image.

Switch back to setting charon executable path from cli

 * DRYer
 * Correct stop if hadn't finished init sequence.
- Add e2e tests
- Documentation
- Comments and logging tweaks
- Remove the "initial events" code, which means that stale policy won't
  be removed.
- Various other small changes
- Get it compiling on windows
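What the first commit message describes (tunnel-mode ESP between host addresses, PSK authentication, the IKE algorithms named there, the later Suite-B-GCM-128 ESP default and the single UDP-encapsulation knob), written out as the equivalent swanctl.conf that charon loads over VICI. This is an added illustration, not flannel's code and not the configuration the backend itself generates (the backend programs charon through VICI directly); the host addresses 10.0.0.1/10.0.0.2, the pod subnets, the connection names and the placeholder secret are assumptions.

```conf
connections {
    # One IKE SA per remote flannel host. Assumed addresses: 10.0.0.1 is
    # this node, 10.0.0.2 the peer (host IPs, not pod IPs).
    node-10-0-0-2 {
        # The first commit used IKEv1 main mode; later commits added IKEv2.
        version = 2
        local_addrs  = 10.0.0.1
        remote_addrs = 10.0.0.2
        # IKE SA as stated in the commit log: AES-256-CBC, SHA-256 for
        # integrity and PRF, 4096-bit MODP Diffie-Hellman.
        proposals = aes256-sha256-modp4096
        # The backend's one configuration parameter: force ESP-in-UDP on
        # port 4500 even when no NAT is detected on the path.
        encap = yes
        local {
            auth = psk
            id = 10.0.0.1
        }
        remote {
            auth = psk
            id = 10.0.0.2
        }
        children {
            pods {
                # Tunnel mode: the whole inner packet, pod IPs included, is
                # encrypted; only host addresses appear on the wire.
                mode = tunnel
                local_ts  = 10.244.1.0/24
                remote_ts = 10.244.2.0/24
                # ESP: AES-128-GCM with a 128-bit ICV plus P-256 for PFS,
                # matching the Suite-B-GCM-128 default from the commit log.
                esp_proposals = aes128gcm128-ecp256
                start_action = start
            }
        }
    }
}

secrets {
    ike-node-10-0-0-2 {
        # Placeholder only: flannel generates the real PSK and distributes
        # it through etcd, so it never lives in a file like this.
        id-1 = 10.0.0.1
        id-2 = 10.0.0.2
        secret = "replace-with-the-psk-from-etcd"
    }
}
```

Load it with `swanctl --load-all` and check the result with `swanctl --list-sas`; `ip xfrm state` should then show tunnel-mode ESP states keyed by the two host addresses rather than by pod addresses. Because authentication rests entirely on the pre-shared key, anyone able to read that key from etcd can negotiate an SA as a peer, so the etcd client-certificate authentication the commit log mentions is what bounds the set of trusted hosts.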
@tomdee tomdee merged commit 6b98346 into flannel-io:master Jan 25, 2018
@tomdee tomdee deleted the feature/ipsec branch January 25, 2018 01:03
@tomdee tomdee mentioned this pull request Jan 25, 2018
@RyPeck RyPeck mentioned this pull request Feb 28, 2018
@rektide

rektide commented Dec 1, 2019

The authors have been named, but a quick shout out & backlinks to the PR's which have come before:
#637
#516
#290

Thanks again @MohdAhmad @eyakubovich and @mkutsevol! Cheers to you all. 🥂


4 participants