detecting IPSEC SPI unchanged #34037

smagnani96 · 2024-07-26T14:51:12Z

Adding logic (and unit test) to detect unchanged SPI while creating a new IPSEC key.

In case of an IPsec key rotation, error if the user forgot to increment the SPI per the documentation.

rgo3

When I was assigned to the issue that's being addressed here, the originally proposed solution involved checking the key and SPI from an existing XFRM state and comparing it to the key and SPI we read in LoadIPSecKeys. Overall I prefer the simplicity of the approach here but LoadIPSecKeys not behaving the same if it's called on the same key file even if underlying kernel state has not changed worries me a bit.

pkg/datapath/linux/ipsec/ipsec_linux_test.go

smagnani96 · 2024-07-30T20:24:18Z

When I was assigned to the issue that's being addressed here, the originally proposed solution involved checking the key and SPI from an existing XFRM state and comparing it to the key and SPI we read in LoadIPSecKeys. Overall I prefer the simplicity of the approach here but LoadIPSecKeys not behaving the same if it's called on the same key file even if underlying kernel state has not changed worries me a bit.

I modified the code to:

allow providing two identical keys. Though, now the ipSecKeysRemovalTime[oldKey.Spi] = time.Now() is executed only when needed;
throw error when different keys with same spi.
changed the tests accordingly. In particular, the SPI of all the keys variables declared for the legit TestLoadKeys, since now different keys with same SPI is not allowed.

My last doubt are:

we could even load and compare the spi from the XFRM state, but AFAIU the latest spi and key should correspond to the last valid parsed key in this scan loop. If that is correct, it might not be needed to retrieve the XFRM state.
why would someone have more than 1 key (duplicate or even different ones) in the secret file? Is it for backward compatibility?

pkg/datapath/linux/ipsec/ipsec_linux_test.go

pkg/datapath/linux/ipsec/ipsec_linux.go

smagnani96 · 2024-09-03T11:38:01Z

This PRs has been rebased based on #34652 (1st commit 4e74c4a).

pchaigno

I think this is good to go without the first commit.

I'd remove it so we can merge because I suspect the other PR will take a bit longer to get ready.

smagnani96 · 2024-09-11T10:25:55Z

/test

smagnani96 · 2024-09-12T15:47:52Z

/test

smagnani96 · 2024-09-13T10:29:00Z

/test

pkg/datapath/linux/node_linux_test.go

smagnani96 · 2024-09-16T07:52:39Z

/test

jibi · 2024-09-17T14:48:35Z

removing myself as Paul has already approved on behalf of sig-datapath

rgo3

Left one comment with regards to cleaning state after individual tests, otherwise LGTM. Sorry for the long delay on my part.

This commit introduce a control during the `LoadIPSecKeys` to return an error when providing a new key (e.g., during rotation) without incrementing the SPI. In this fix, such case is intercepted and logged with an error, while preserving status and policies referring to the latest/previous valid key by not inserting the key in `ipSecKeysRemovalTime`. Moreover, this commit adjusts the SPI fields in the test data so that they can preserve their expected behaviour. Finally, a new test is introduced to verify that `LoadIPSecKeys` effectively returns an error when the SPI does not while loading a new IPSec key. This "bug" has a user-visible impact during the IPSec key-rotation: if performing the key rotation without changing the SPI, an error message is logged. In this case, the oldKey is not marked to be removed and is still in use. Expected error in the daemons logs while reproducing after the fix: `invalid SPI: changing IPSec keys requires incrementing the key id`. Fixes: cilium#14873 Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>

This commit introduces the `UnsetTestIPSecKey` API for testing purpose only. This function is used to reset the current state of IPSec global variables during testing. In particular, it helps to prevent loading two IPSec keys with the same SPI in `node_linux_test`, which would cause the tests to fail after the previous commit. With this function, it is easy to reset the internal state of the IPSec-related variables either while executing a test or when tearing down a test suite. This function is also used in the local `ipsec_linux_test.go`, to expect a coherent behavior while tearing down a test suite. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>

smagnani96 · 2024-09-19T15:55:06Z

/test

julianwiedmann · 2024-10-01T10:56:32Z

@smagnani96 fyi there's an outstanding discussion here, once that is resolved the PR should auto-merge.

smagnani96 · 2024-10-01T12:16:41Z

@smagnani96 fyi there's an outstanding discussion here, once that is resolved the PR should auto-merge.

Yep, I wanted to wait for the last feedback from @pchaigno to make sure I got what he meant 👍

smagnani96 requested a review from a team as a code owner July 26, 2024 14:51

smagnani96 requested a review from rgo3 July 26, 2024 14:51

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jul 26, 2024

github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jul 26, 2024

rgo3 requested changes Jul 26, 2024

View reviewed changes

pkg/datapath/linux/ipsec/ipsec_linux_test.go Outdated Show resolved Hide resolved

pkg/datapath/linux/ipsec/ipsec_linux_test.go Outdated Show resolved Hide resolved

smagnani96 force-pushed the enhancement/ipsec_key_parse_robustness branch from 2990185 to d3f0fed Compare July 30, 2024 18:12

smagnani96 requested a review from rgo3 August 8, 2024 07:55

julianwiedmann added area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Aug 9, 2024

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 9, 2024

pchaigno self-requested a review August 12, 2024 14:11

pchaigno reviewed Aug 14, 2024

View reviewed changes

smagnani96 mentioned this pull request Aug 14, 2024

Throw error if IPSec key changed but key ID didn't #14873

Closed

3 tasks

smagnani96 marked this pull request as draft September 2, 2024 17:05

smagnani96 force-pushed the enhancement/ipsec_key_parse_robustness branch from d3f0fed to d4cb5c4 Compare September 3, 2024 00:12

smagnani96 marked this pull request as ready for review September 3, 2024 11:36

pchaigno approved these changes Sep 3, 2024

View reviewed changes

smagnani96 force-pushed the enhancement/ipsec_key_parse_robustness branch 2 times, most recently from c81b1e0 to f9f3549 Compare September 11, 2024 09:01

smagnani96 force-pushed the enhancement/ipsec_key_parse_robustness branch from f9f3549 to 0bedf7e Compare September 12, 2024 11:38

smagnani96 requested a review from a team as a code owner September 12, 2024 11:38

smagnani96 requested a review from jibi September 12, 2024 11:38

pchaigno self-requested a review September 12, 2024 12:09

pchaigno approved these changes Sep 12, 2024

View reviewed changes

smagnani96 force-pushed the enhancement/ipsec_key_parse_robustness branch from 0bedf7e to e55ab8d Compare September 13, 2024 09:46

pchaigno reviewed Sep 13, 2024

View reviewed changes

pkg/datapath/linux/node_linux_test.go Outdated Show resolved Hide resolved

smagnani96 force-pushed the enhancement/ipsec_key_parse_robustness branch from e55ab8d to c986b49 Compare September 13, 2024 16:33

jibi removed their request for review September 17, 2024 14:48

rgo3 approved these changes Sep 18, 2024

View reviewed changes

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 18, 2024

rgo3 added the dont-merge/discussion A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status. label Sep 18, 2024

ldelossa removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 18, 2024

smagnani96 added 2 commits September 19, 2024 16:16

smagnani96 force-pushed the enhancement/ipsec_key_parse_robustness branch from c986b49 to 609d010 Compare September 19, 2024 15:05

rgo3 added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. and removed dont-merge/discussion A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status. labels Sep 25, 2024

julianwiedmann enabled auto-merge October 1, 2024 10:55

julianwiedmann added this pull request to the merge queue Oct 2, 2024

Merged via the queue into cilium:main with commit c8e0131 Oct 2, 2024
63 checks passed

smagnani96 deleted the enhancement/ipsec_key_parse_robustness branch March 18, 2025 11:33

detecting IPSEC SPI unchanged #34037

detecting IPSEC SPI unchanged #34037

Uh oh!

Conversation

smagnani96 commented Jul 26, 2024 • edited by pchaigno Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rgo3 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

smagnani96 commented Jul 30, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

smagnani96 commented Sep 3, 2024

Uh oh!

pchaigno left a comment

Choose a reason for hiding this comment

Uh oh!

smagnani96 commented Sep 11, 2024

Uh oh!

smagnani96 commented Sep 12, 2024

Uh oh!

smagnani96 commented Sep 13, 2024

Uh oh!

Uh oh!

smagnani96 commented Sep 16, 2024

Uh oh!

jibi commented Sep 17, 2024

Uh oh!

rgo3 left a comment

Choose a reason for hiding this comment

Uh oh!

smagnani96 commented Sep 19, 2024

Uh oh!

julianwiedmann commented Oct 1, 2024

Uh oh!

smagnani96 commented Oct 1, 2024

Uh oh!

Uh oh!

Uh oh!

smagnani96 commented Jul 26, 2024 •

edited by pchaigno

Loading

smagnani96 commented Jul 30, 2024 •

edited

Loading