ipsec

package
v1.19.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 3, 2026 License: Apache-2.0 Imports: 39 Imported by: 10

Documentation

Overview

Package ipsec provides the Linux datapath specific abstraction and useful helpers to manage IPSec via Linux xfrm.

Index

Constants

View Source 
const (
	IPSecDirIn types.IPSecDir = 1 << iota
	IPSecDirOut
	IPSecDirFwd

	// The request ID which signifies all Cilium managed policies and states.
	AllReqID = 0

	// DefaultReqID is the default reqid used for all IPSec rules.
	DefaultReqID = ipsec.DefaultReqID
)

Variables

View Source 
var Cell = cell.Module(
	"ipsec-agent",
	"Handles initial key setup and knows the key size",

	cell.Config(defaultUserConfig),
	cell.Provide(newIPsecAgent, newIPsecConfig),
	cell.ProvidePrivate(buildConfigFrom),
)

The IPsec agent handles key-related initialisation tasks for the ipsec subsystem.

Functions

func IPsecDefaultDropPolicy 

func IPsecDefaultDropPolicy(ipv6 bool) error

Installs a catch-all policy for outgoing traffic that has the encryption bit. The goal here is to catch any traffic that may passthrough our encryption while we are replacing XFRM policies & states. Those operations cannot always be performed atomically so we may have brief moments where there is no XFRM policy to encrypt a subset of traffic. This policy ensures we drop such traffic and don't let it flow in plain text.

We do need to match on the mark because there is also traffic flowing through XFRM that we don't want to encrypt (e.g., hostns traffic).

func NewXFRMCollector 

func NewXFRMCollector(log *slog.Logger) prometheus.Collector

func NewXfrmStateListCache added in v1.13.17 

func NewXfrmStateListCache(ttl time.Duration, enableCaching bool) *xfrmStateListCache

func ProbeXfrmStateOutputMask 

func ProbeXfrmStateOutputMask() (e error)

ProbeXfrmStateOutputMask probes the kernel to determine if it supports setting the xfrm state output mask (Linux 4.19+). It returns an error if the output mask is not supported or if an error occurred, nil otherwise.

Types

type Agent added in v1.19.0 

type Agent struct {
	// contains filtered or unexported fields
}

Upon starting, the agent will load the ipsec key, set the SPI accordingly, and update the EncryptionKey in the local node object to the SPI.

func NewTestIPsecAgent added in v1.19.0 

func NewTestIPsecAgent(tb testing.TB) *Agent

func (*Agent) AuthKeySize added in v1.19.0 

func (a *Agent) AuthKeySize() int

func (*Agent) DeleteIPsecEndpoint added in v1.19.0 

func (a *Agent) DeleteIPsecEndpoint(nodeID uint16) error

DeleteIPsecEndpoint deletes a endpoint associated with the remote IP address

func (*Agent) DeleteXFRM added in v1.19.0 

func (a *Agent) DeleteXFRM(reqID int) error

DeleteXFRM will remove XFRM policies and states by their XFRM request ID.

AllReqID can be used for `reqID` to remove all Cilium managed XFRM policies and states.

func (*Agent) DeleteXfrmPolicyOut added in v1.19.0 

func (a *Agent) DeleteXfrmPolicyOut(nodeID uint16, dst *net.IPNet) error

DeleteXfrmPolicyOut will remove XFRM OUT policies by their node ID and destination subnet.

func (*Agent) Enabled added in v1.19.0 

func (a *Agent) Enabled() bool

func (*Agent) LoadIPSecKeys added in v1.19.0 

func (a *Agent) LoadIPSecKeys(r io.Reader) (int, uint8, error)

func (*Agent) SPI added in v1.19.0 

func (a *Agent) SPI() uint8

func (*Agent) Start added in v1.19.0 

func (a *Agent) Start(cell.HookContext) error

func (*Agent) StartBackgroundJobs added in v1.19.0 

func (a *Agent) StartBackgroundJobs(handler types.NodeHandler) error

StartBackgroundJobs starts the keyfile watcher and stale key reclaimer jobs.

func (*Agent) Stop added in v1.19.0 

func (a *Agent) Stop(cell.HookContext) error

func (*Agent) UpsertIPsecEndpoint added in v1.19.0 

func (a *Agent) UpsertIPsecEndpoint(params *types.IPSecParameters) (uint8, error)

UpsertIPsecEndpoint updates the IPSec context for a new endpoint inserted in * the ipcache. Currently we support a global crypt/auth keyset that will encrypt * all traffic between endpoints. An IPSec context consists of two pieces a policy * and a state, the security policy database (SPD) and security association * database (SAD). These are implemented using the Linux kernels XFRM implementation. * * For all traffic that matches a policy, the policy tuple used is * (sip/mask, dip/mask, dev) with an optional mark field used in the Cilium implementation * to ensure only expected traffic is encrypted. The state hashtable is searched for * a matching state associated with that flow. The Linux kernel will do a series of * hash lookups to find the most specific state (xfrm_dst) possible. The hash keys searched are * the following, (daddr, saddr, reqid, encap_family), (daddr, wildcard, reqid, encap), * (mark, daddr, spi, proto, encap). Any "hits" in the hash table will subsequently * have the SPI checked to ensure it also matches. Encap is ignored in our case here * and can be used with UDP encap if wanted. * * The implications of the (inflexible!) hash key implementation is that in-order * to have a policy/state match we _must_ insert a state for each daddr. For Cilium * this translates to a state entry per node. We learn the nodes/endpoints by * listening to ipcache events. Finally, because IPSec is unidirectional a state * is needed for both ingress and egress. Denoted by the DIR on the xfrm cmd line * in the policy lookup. In the Cilium case, where we have IPSec between all * endpoints this results in two policy rules per node, one for ingress * and one for egress. * * For a concrete example consider two cluster nodes using transparent mode e.g. * without an IPSec tunnel IP. Cluster Node A has host_ip 10.156.0.1 with an * endpoint assigned to IP 10.156.2.2 and cluster Node B has host_ip 10.182.0.1 * with an endpoint using IP 10.182.3.3. Then on Node A there will be a two policy * entries and a set of State entries, * * Policy1(src=10.182.0.0/16,dst=10.156.0.1/16,dir=in,tmpl(spi=#spi,reqid=#reqid)) * Policy2(src=10.156.0.0/16,dst=10.182.0.1/16,dir=out,tmpl(spi=#spi,reqid=#reqid)) * State1(src=*,dst=10.182.0.1,spi=#spi,reqid=#reqid,...) * State2(src=*,dst=10.156.0.1,spi=#spi,reqid=#reqid,...) * * Design Note: For newer kernels a BPF xfrm interface would greatly simplify the * state space. Basic idea would be to reference a state using any key generated * from BPF program allowing for a single state per security ctx.

type Config added in v1.19.0 

type Config struct {
	UserConfig

	EncryptNode bool
}

func (Config) DNSProxyInsecureSkipTransparentModeCheckEnabled added in v1.19.0 

func (c Config) DNSProxyInsecureSkipTransparentModeCheckEnabled() bool

func (Config) Enabled added in v1.19.0 

func (c Config) Enabled() bool

func (Config) UseCiliumInternalIP added in v1.19.0 

func (c Config) UseCiliumInternalIP() bool

type UserConfig added in v1.19.0 

type UserConfig struct {
	EnableIPsec                              bool
	EnableIPsecKeyWatcher                    bool
	EnableIPsecXfrmStateCaching              bool
	UseCiliumInternalIPForIPsec              bool
	DNSProxyInsecureSkipTransparentModeCheck bool
	IPsecKeyFile                             string
	IPsecKeyRotationDuration                 time.Duration
}

func (UserConfig) Flags added in v1.19.0 

func (def UserConfig) Flags(flags *pflag.FlagSet)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.