Conversation

@pchaigno pchaigno commented Jul 1, 2024

Using a single IPsec key for all IPsec tunnels is insecure. It was only preserved to allow for a smooth switch to per-tunnel keys. Per-tunnel keys have been released in v1.13, v1.14, and v1.15, so we can now deprecate the insecure alternative for v1.16.
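
To make concrete what this deprecation means in the object operators actually edit, here is an added example (not Cilium's code, not part of the PR) that audits the `keys` field of the `cilium-ipsec-keys` secret and drafts the rotation line that moves a global key to the per-tunnel system. It assumes the line grammar from Cilium's IPsec documentation, `<spi>[+] <algorithm> <hex key> <key size in bits>`, where the `+` suffix on the SPI selects per-tunnel keys, and it assumes SPIs are limited to 1..15; both assumptions are marked in the code. The sample secret contents are constructed, not real key material.

```python
"""Audit a Cilium IPsec secret's `keys` field for the deprecated global-key
format and draft the per-tunnel rotation line. Added example, not Cilium code.

Assumed line grammar (from Cilium's IPsec docs):

    <spi>[+] <algorithm> <hex key> <key size in bits>

A trailing `+` on the SPI selects per-tunnel keys; without it the one key in
the secret is used for every tunnel, which is the mode this PR deprecates.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: only the AEAD form used in Cilium's docs (rfc4106(gcm(aes))) is
# modelled, and an optional 0x prefix on the hex key is tolerated.
KEY_LINE = re.compile(
    r"^(?P<spi>\d+)(?P<plus>\+?)\s+(?P<algo>\S+)\s+(?:0x)?(?P<hex>[0-9a-fA-F]+)\s+(?P<bits>\d+)$"
)
GCM_SALT_BYTES = 4        # rfc4106 key material carries a 4-byte salt after the cipher key
SPI_MIN, SPI_MAX = 1, 15  # assumption: SPIs live in 1..15 and wrap around on rotation


@dataclass
class Finding:
    spi: int
    per_tunnel: bool
    algo: str
    bits: int
    key: bytes
    issues: List[str] = field(default_factory=list)


def audit_keys(keys_field: str) -> List[Finding]:
    """Return one Finding per non-empty line; `issues` says why a line is unsafe or malformed."""
    findings = []
    for raw in keys_field.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m is None:
            findings.append(Finding(0, False, "?", 0, b"", [f"unparseable line: {line!r}"]))
            continue
        spi, bits, hexkey = int(m["spi"]), int(m["bits"]), m["hex"]
        key = bytes.fromhex(hexkey) if len(hexkey) % 2 == 0 else b""
        f = Finding(spi, m["plus"] == "+", m["algo"], bits, key)
        if not f.per_tunnel:
            f.issues.append("global key (deprecated in v1.16): one key shared by all tunnels; "
                            "rotate to an SPI with a '+' suffix")
        if not SPI_MIN <= spi <= SPI_MAX:
            f.issues.append(f"SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
        if not key:
            f.issues.append("odd-length hex key")
        else:
            want = bits // 8 + (GCM_SALT_BYTES if "gcm" in f.algo else 0)
            if len(key) != want:
                f.issues.append(f"key is {len(key)} bytes, expected {want} for {f.algo} with {bits}-bit key")
        findings.append(f)
    return findings


def rotation_line(current: Finding, new_key: Optional[bytes] = None) -> str:
    """Draft the replacement line: next SPI (wrapping 15 -> 1), '+' suffix, fresh key
    material of the same length. Deploying it follows Cilium's normal key-rotation
    procedure; the SPI changes so nodes can tell the old and new key apart."""
    if new_key is None:
        new_key = secrets.token_bytes(len(current.key))
    new_spi = current.spi % SPI_MAX + 1
    return f"{new_spi}+ {current.algo} {new_key.hex()} {current.bits}"


# Constructed sample secret contents (placeholder bytes, not real key material).
SAMPLE_SECRET_KEYS = "\n".join([
    "3 rfc4106(gcm(aes)) " + "00" * 20 + " 128",   # deprecated global key
    "4+ rfc4106(gcm(aes)) " + "11" * 20 + " 128",  # per-tunnel key, well formed
    "5+ rfc4106(gcm(aes)) " + "22" * 16 + " 128",  # per-tunnel but missing the 4-byte salt
])

if __name__ == "__main__":
    for f in audit_keys(SAMPLE_SECRET_KEYS):
        mode = "per-tunnel" if f.per_tunnel else "GLOBAL"
        print(f"SPI {f.spi:>2} {mode:<10} {f.algo} {len(f.key)}B", *f.issues, sep=" | ")
        if not f.per_tunnel and not any("expected" in i for i in f.issues):
            print("  rotate to:", rotation_line(f))
```

To run it against a live cluster, feed it the decoded secret, e.g. the output of `kubectl get secret -n kube-system cilium-ipsec-keys -o jsonpath='{.data.keys}' | base64 -d`. Any line reported as GLOBAL is the configuration this PR deprecates; the drafted line is a starting point for a key rotation, not something to apply without following the rotation steps in the IPsec docs.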

@pchaigno pchaigno added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Jul 1, 2024
Using a single IPsec key for all IPsec tunnels is insecure. It was only
preserved to allow for a smooth switch to per-tunnel keys. Per-tunnel
keys have been released in v1.13, v1.14, and v1.15, so we can now
deprecate the insecure alternative for v1.16.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno pchaigno force-pushed the deprecate-global-ipsec-key branch from 72cf1d8 to 2f9a943 Compare July 1, 2024 15:06
@pchaigno pchaigno (Member, Author) commented Jul 1, 2024

/test

@pchaigno pchaigno marked this pull request as ready for review July 1, 2024 18:23
@pchaigno pchaigno requested a review from a team as a code owner July 1, 2024 18:23
@pchaigno pchaigno requested a review from rgo3 July 1, 2024 18:23
@pchaigno pchaigno enabled auto-merge July 3, 2024 09:57
@julianwiedmann julianwiedmann left a comment

Thank you!

I think this would benefit from a mention in the upgrade notes. And maybe a few lines in the IPsec docs to describe the new key system, so that users understand what the deprecation actually means?

@pchaigno pchaigno added this pull request to the merge queue Jul 3, 2024
Merged via the queue into cilium:main with commit c707781 Jul 3, 2024
@pchaigno pchaigno deleted the deprecate-global-ipsec-key branch July 3, 2024 12:00
@pchaigno pchaigno (Member, Author) commented Jul 3, 2024

I think this would benefit from a mention in the upgrade notes. And maybe a few lines in the IPsec docs to describe the new key system, so that users understand what the deprecation actually means?

Done at #33564.

@jibi jibi mentioned this pull request Jul 8, 2024
@jibi jibi added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Jul 8, 2024
@julianwiedmann julianwiedmann added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Jul 12, 2024
julianwiedmann added a commit that referenced this pull request Oct 8, 2024
The global IPsec key system is deprecated [0], prefer the new per-tunnel
key system.

[0] #33504

Reported-by: Marcel Zięba <marcel.zieba@isovalent.com>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann added a commit that referenced this pull request Oct 8, 2024
The global IPsec key system is deprecated [0], prefer the new per-tunnel
key system. This switches most workflows over to the new system, except
conformance-eks which needs [1] addressed first.

[0] #33504
[1] #32040

Reported-by: Marcel Zięba <marcel.zieba@isovalent.com>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Oct 9, 2024
The global IPsec key system is deprecated [0], prefer the new per-tunnel
key system. This switches most workflows over to the new system, except
conformance-eks which needs [1] addressed first.

[0] #33504
[1] #32040

Reported-by: Marcel Zięba <marcel.zieba@isovalent.com>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
tklauser added a commit to cilium/cilium-cli that referenced this pull request Nov 28, 2024
The global IPsec key system is deprecated[^1], prefer the new per-tunnel
key system. This switches most workflows over to the new system, except
conformance-eks which needs[^2] addressed first.

[^1]: cilium/cilium#33504
[^2]: cilium/cilium#32040

Signed-off-by: Tobias Klauser <tobias@cilium.io>
tklauser added a commit to cilium/cilium-cli that referenced this pull request Nov 29, 2024
The global IPsec key system is deprecated[^1], prefer the new per-tunnel
key system. This switches most workflows over to the new system, except
conformance-eks which needs[^2] addressed first.

[^1]: cilium/cilium#33504
[^2]: cilium/cilium#32040

Signed-off-by: Tobias Klauser <tobias@cilium.io>
tklauser added a commit to cilium/cilium-cli that referenced this pull request Dec 6, 2024
The global IPsec key system is deprecated[^1], prefer the new per-tunnel
key system. This switches most workflows over to the new system, except
conformance-eks which needs[^2] addressed first.

[^1]: cilium/cilium#33504
[^2]: cilium/cilium#32040

Signed-off-by: Tobias Klauser <tobias@cilium.io>
tklauser added a commit to cilium/cilium-cli that referenced this pull request Dec 6, 2024
The global IPsec key system is deprecated[^1], prefer the new per-tunnel
key system. This switches most workflows over to the new system, except
conformance-eks which needs[^2] addressed first.

[^1]: cilium/cilium#33504
[^2]: cilium/cilium#32040

Signed-off-by: Tobias Klauser <tobias@cilium.io>