Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IPsec key rotation command. #2266

Merged
merged 4 commits into from
Feb 6, 2024
Merged

IPsec key rotation command. #2266

merged 4 commits into from
Feb 6, 2024

Conversation

viktor-kurchenko
Copy link
Contributor

@viktor-kurchenko viktor-kurchenko commented Jan 27, 2024
edited
Loading

encryption rotate-key command implementation to address: cilium/cilium#28174

@viktor-kurchenko viktor-kurchenko requested a review from a team as a code owner January 27, 2024 18:51
@viktor-kurchenko viktor-kurchenko mentioned this pull request Jan 27, 2024
Closed
jschwinger233
jschwinger233 requested changes Jan 29, 2024
View reviewed changes
Copy link
Member

@jschwinger233 jschwinger233 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Viktor, this PR really helps! Just one small issue on new SPI calculation.

encrypt/ipsec_rotate_key.go Show resolved Hide resolved
@viktor-kurchenko viktor-kurchenko force-pushed the pr/vk/encryption/rotate-key branch from 7748386 to 7df30d1 Compare January 29, 2024 04:50
jschwinger233
jschwinger233 reviewed Jan 29, 2024
View reviewed changes
Copy link
Member

@jschwinger233 jschwinger233 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Regarding the ipsecKeyFromString function, this PR takes care of keys like 3 rfc4106(gcm(aes)) 3c7ae6f6c0e9a09255fce39440df90619514709e 128. However, cilium can also accept a key with other formats.
I think these have been in your plan, just a reminder. 👍

@viktor-kurchenko
Copy link
Contributor Author

Thanks! Regarding the ipsecKeyFromString function, this PR takes care of keys like 3 rfc4106(gcm(aes)) 3c7ae6f6c0e9a09255fce39440df90619514709e 128. However, cilium can also accept a key with other formats. I think these have been in your plan, just a reminder. 👍

I've added other key format support.
Thank you very much @jschwinger233 !

jschwinger233
jschwinger233 approved these changes Jan 31, 2024
View reviewed changes
Copy link
Member

@jschwinger233 jschwinger233 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice! Thanks Victor! A follow-up could be to support encryption algorithm change, such as from gcm(aes) to cbc(aes).

@viktor-kurchenko
encrypt rotate-key command implementation.
d63a4bc 
Signed-off-by: viktor-kurchenko <[email protected]>

 Please enter the commit message for your changes. Lines starting

Signed-off-by: viktor-kurchenko <[email protected]>
@viktor-kurchenko
IPsec key id renamed to spi.
5695bad 
SPI suffix added to support SPI with `+` sign.
Tests added.

Signed-off-by: viktor-kurchenko <[email protected]>
@viktor-kurchenko viktor-kurchenko force-pushed the pr/vk/encryption/rotate-key branch from c8061d9 to 2a6ff2d Compare February 1, 2024 06:47
asauber
asauber requested changes Feb 1, 2024
View reviewed changes
Copy link
Member

@asauber asauber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the secret format with five fields,

3 hmac(sha256) e6b4bab427cd37bb64b39cd66a8476a62963174b78bc544fb525f4c2f548342b cbc(aes) 0f12337d9ee75095ff21402dc98476f5f9107261073b70bb37747237d2691d3e

the first field is the SPI, the second field is the authentication algorithm, the third field is the authentication key, the fourth field is the symmetric encryption mode, and the fifth field is the symmetric encryption key.

For symmetric encryption mode cbc(aes) means AES using the Cipher Block Chaining mode. There are many other valid algorithm choices and modes, such as ctr(aes), Counter Mode, or xctr(aes), an optimized implementation of Counter Mode. Other ciphers besides AES are also possible, although not available with typical kernel configs.

The reason that GCM has fewer parameters is that it's a mode of encryption that performs a hash and encipherment simultaneously.

All this is to say that your struct should not call the latter parameters cbcAlgo, and cbcRandom, these are the cipherMode and encryptionKey

@viktor-kurchenko
Copy link
Contributor Author

viktor-kurchenko commented Feb 1, 2024
edited
Loading

In the secret format with five fields,

3 hmac(sha256) e6b4bab427cd37bb64b39cd66a8476a62963174b78bc544fb525f4c2f548342b cbc(aes) 0f12337d9ee75095ff21402dc98476f5f9107261073b70bb37747237d2691d3e

the first field is the SPI, the second field is the authentication algorithm, the third field is the authentication key, the fourth field is the symmetric encryption mode, and the fifth field is the symmetric encryption key.

For symmetric encryption mode cbc(aes) means AES using the Cipher Block Chaining mode. There are many other valid algorithm choices and modes, such as ctr(aes), Counter Mode, or xctr(aes), an optimized implementation of Counter Mode. Other ciphers besides AES are also possible, although not available with typical kernel configs.

The reason that GCM has fewer parameters is that it's a mode of encryption that performs a hash and encipherment simultaneously.

All this is to say that your struct should not call the latter parameters cbcAlgo, and cbcRandom, these are the cipherMode and encryptionKey

Thank you for the explanation @asauber.
So, the structure should look like:

type ipsecKey struct {
	spi       int
	spiSuffix bool
	algo      string
	random    string
	size      int
	cipherMode   string
	encryptionKey string
}

correct?

@asauber
Copy link
Member

asauber commented Feb 1, 2024

My recommendation would be:

type ipsecKey struct {
	spi          int
	spiSuffix    bool
	algo         string  // Purposefully ambiguous here because of modes like GCM
	key          string
	size         int
	cipherMode   string
	cipherKey    string
}

@viktor-kurchenko viktor-kurchenko force-pushed the pr/vk/encryption/rotate-key branch from 2a6ff2d to ec0b6cb Compare February 2, 2024 07:26
@viktor-kurchenko
Copy link
Contributor Author

My recommendation would be:

type ipsecKey struct {
	spi          int
	spiSuffix    bool
	algo         string  // Purposefully ambiguous here because of modes like GCM
	key          string
	size         int
	cipherMode   string
	cipherKey    string
}

Fixed, thank you!

asauber
asauber requested changes Feb 6, 2024
View reviewed changes
encrypt/ipsec_rotate_key.go Outdated
return key, nil
}

func cbcKeyFromSlice(parts []string) (ipsecKey, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function name (and other instances of "cbc") should be changed to cipherKeyFromSlice or similar.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

encrypt/ipsec_rotate_key.go Outdated
}

var (
ipsecKeyRegex = regexp.MustCompile(`^([[:digit:]]+\+?)[[:space:]](\S+)[[:space:]]([[:alnum:]]+)[[:space:]]([[:digit:]]+)$`)
Copy link
Member

@asauber asauber Feb 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many security issues (CVEs) are the result of imprecise parsing, with Regex often being implicated.

The related threat model here is that an attacker can somehow control the ipsec key Kubernetes secret, which may make such hardening out of scope, although it is something that should be considered.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, do you think we should avoid using regexp and parse it like a CSV string instead?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My gut feeling is that this is more precise than a simple field split, and is fine for now given the threat model.

@viktor-kurchenko viktor-kurchenko force-pushed the pr/vk/encryption/rotate-key branch from ec0b6cb to f8e6d45 Compare February 6, 2024 10:00
asauber
asauber approved these changes Feb 6, 2024
View reviewed changes
encrypt/ipsec_rotate_key.go Outdated
return newKey, nil
}

func generateRandom(size int) (string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this size is the length of a hex string, and not a number of bytes, this function is better named generateRandomHex. Otherwise, it's unclear that the size is a number of nybbles.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, renamed. Thank you!

@viktor-kurchenko
Cipher IPsec key support added.
1d161f6 
Signed-off-by: viktor-kurchenko <[email protected]>
@viktor-kurchenko
Status struct renamed to Encrypt.
c60d49c 
Signed-off-by: viktor-kurchenko <[email protected]>
@viktor-kurchenko viktor-kurchenko force-pushed the pr/vk/encryption/rotate-key branch from f8e6d45 to c60d49c Compare February 6, 2024 10:56
@viktor-kurchenko viktor-kurchenko added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 6, 2024
@tklauser tklauser merged commit 17bb086 into main Feb 6, 2024
13 checks passed
@tklauser tklauser deleted the pr/vk/encryption/rotate-key branch February 6, 2024 14:13
aanm referenced this pull request in aanm/cilium Mar 7, 2024
@gerritforge-ltd
Create change
ed9fe4a 
GitHub Pull Request: #623

chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.15)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [cilium/cilium-cli](https://togithub.com/cilium/cilium-cli) |  | patch | `v0.15.22` -> `v0.15.23` |
| [cilium/cilium-cli](https://togithub.com/cilium/cilium-cli) | action | patch | `v0.15.22` -> `v0.15.23` |

---

### Release Notes

<details>
<summary>cilium/cilium-cli (cilium/cilium-cli)</summary>

### [`v0.15.23`](https://togithub.com/cilium/cilium-cli/releases/tag/v0.15.23)

[Compare Source](https://togithub.com/cilium/cilium-cli/compare/v0.15.22...v0.15.23)

#### What's Changed

-   gateway: Upgrade API version by [@&cilium#8203;sayboras](https://togithub.com/sayboras) in [https://github.com/cilium/cilium-cli/pull/2285](https://togithub.com/cilium/cilium-cli/pull/2285)
-   chore(deps): update dependency kubernetes-sigs/kind to v0.21.0 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2284](https://togithub.com/cilium/cilium-cli/pull/2284)
-   IPsec key rotation command. by [@&cilium#8203;viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [https://github.com/cilium/cilium-cli/pull/2266](https://togithub.com/cilium/cilium-cli/pull/2266)
-   IPsec key status command implementation. by [@&cilium#8203;viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [https://github.com/cilium/cilium-cli/pull/2287](https://togithub.com/cilium/cilium-cli/pull/2287)
-   AWS OIDC instead of access key. by [@&cilium#8203;viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [https://github.com/cilium/cilium-cli/pull/2297](https://togithub.com/cilium/cilium-cli/pull/2297)
-   Remove no longer necessary step from the external workloads installation script generation process by [@&cilium#8203;giorio94](https://togithub.com/giorio94) in [https://github.com/cilium/cilium-cli/pull/2275](https://togithub.com/cilium/cilium-cli/pull/2275)
-   Enable no-errors-in-logs check by default, and extend it to all Cilium components by [@&cilium#8203;giorio94](https://togithub.com/giorio94) in [https://github.com/cilium/cilium-cli/pull/2184](https://togithub.com/cilium/cilium-cli/pull/2184)
-   chore(deps): update golangci/golangci-lint-action action to v4 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2295](https://togithub.com/cilium/cilium-cli/pull/2295)
-   chore(deps): update helm/kind-action action to v1.9.0 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2296](https://togithub.com/cilium/cilium-cli/pull/2296)
-   chore(deps): update golang docker tag to v1.22.0 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2289](https://togithub.com/cilium/cilium-cli/pull/2289)
-   fix(deps): update module golang.org/x/mod to v0.15.0 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2294](https://togithub.com/cilium/cilium-cli/pull/2294)
-   chore(deps): update go to v1.22.0 (minor) by [@&cilium#8203;renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2293](https://togithub.com/cilium/cilium-cli/pull/2293)
-   chore(deps): update all github action dependencies (patch) by [@&cilium#8203;renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2286](https://togithub.com/cilium/cilium-cli/pull/2286)
-   chore(deps): update golangci/golangci-lint docker tag to v1.56.1 by [@&cilium#8203;renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2290](https://togithub.com/cilium/cilium-cli/pull/2290)
-   IPsec key rotation with algorithm change support. by [@&cilium#8203;viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [https://github.com/cilium/cilium-cli/pull/2291](https://togithub.com/cilium/cilium-cli/pull/2291)
-   chore: Amend connectivity tests for OpenShift by [@&cilium#8203;fgiloux](https://togithub.com/fgiloux) in [https://github.com/cilium/cilium-cli/pull/2303](https://togithub.com/cilium/cilium-cli/pull/2303)
-   Increase timeouts in AKS and GKE GHA workflows by [@&cilium#8203;giorio94](https://togithub.com/giorio94) in [https://github.com/cilium/cilium-cli/pull/2307](https://togithub.com/cilium/cilium-cli/pull/2307)
-   gha: increase GKE disk size in external workloads workflow to 15GB by [@&cilium#8203;giorio94](https://togithub.com/giorio94) in [https://github.com/cilium/cilium-cli/pull/2301](https://togithub.com/cilium/cilium-cli/pull/2301)
-   Prepare for v0.15.23 release by [@&cilium#8203;michi-covalent](https://togithub.com/michi-covalent) in [https://github.com/cilium/cilium-cli/pull/2302](https://togithub.com/cilium/cilium-cli/pull/2302)

#### New Contributors

-   [@&cilium#8203;fgiloux](https://togithub.com/fgiloux) made their first contribution in [https://github.com/cilium/cilium-cli/pull/2303](https://togithub.com/cilium/cilium-cli/pull/2303)

**Full Changelog**: cilium/cilium-cli@v0.15.22...v0.15.23

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/aanm/cilium).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMjAuMiIsInVwZGF0ZWRJblZlciI6IjM3LjIyMC4yIiwidGFyZ2V0QnJhbmNoIjoidjEuMTUifQ==-->


Patch-set: 1
Change-id: I515325620aa4905df61d31323487f6936237e3a5
Subject: chore(deps): update dependency cilium/cilium-cli to v0.15.23
Branch: refs/heads/v1.15
Status: new
Topic: 
Commit: 7c37f7d
Tag: autogenerated:gerrit:newPatchSet
Groups: 7c37f7d
Private: false
Work-in-progress: false
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asauber asauber asauber approved these changes

@jschwinger233 jschwinger233 jschwinger233 approved these changes

Assignees
No one assigned
Labels
ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@viktor-kurchenko @asauber @jschwinger233 @tklauser