8000 [v1.17] bpf: ipsec: improve handling of source security identity in encrypted-overlay code by julianwiedmann · Pull Request #38594 · cilium/cilium · GitHub

[v1.17] bpf: ipsec: improve handling of source security identity in encrypted-overlay code #38594


Merged
merged 4 commits into from
Apr 7, 2025

Conversation

julianwiedmann
Member

Address a few areas of improvement in #37993.

Defer the ipcache lookups until we've handled the ctx_is_overlay()
condition, and potentially already decided that the packet needs to be
encrypted.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. feature/ipsec Relates to Cilium's IPsec feature release-blocker/1.17 This issue will prevent the release of the next version of Cilium. labels Mar 28, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Mar 28, 2025
@julianwiedmann julianwiedmann force-pushed the 1.17-bpf-ipsec-secid branch 2 times, most recently from 3556401 to 874d8d7 Compare March 28, 2025 19:29
@julianwiedmann
Member Author

/test

@julianwiedmann julianwiedmann requested a review from ldelossa March 28, 2025 19:37
@julianwiedmann julianwiedmann marked this pull request as ready for review March 28, 2025 19:37
@julianwiedmann julianwiedmann requested a review from a team as a code owner March 28, 2025 19:37
No need to perform an ipcache lookup, the overlay mark embeds the
identity of the source endpoint.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
We only need the source endpoint to obtain its security identity. But
to-overlay already obtains this from the tunnel_key, so we can avoid
the ipcache lookup. This also prevents any issues if the ipcache entry
for a torn-down endpoint has already been removed.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
For a typical packet that exited a local pod, the from-container program
also provides the source identity through the skb->mark. And the to-netdev
program already extracts this identity - so we just need to pass this
through to the ipsec hook.

This helps on downgrade from v1.18, where bpf_lxc no longer immediately
pushes the packet towards XFRM. Here the IPSec hook in to-netdev
potentially handles a packet by an endpoint that's already torn down, and
no longer has an ipcache entry. The packet would then be associated with
WORLD_ID and leave unencrypted.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
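The three commit messages above describe one ordering rule: take the source security identity from data that travels with the packet (the overlay tunnel key, or the identity that from-container stamped into skb->mark) before falling back to an ipcache lookup, because an ipcache entry for a torn-down endpoint may already be gone and the lookup would then degrade the packet to WORLD_ID. The following user-space C model is an added illustration and is not Cilium's datapath code: the mark layout (`MARK_MAGIC_IDENTITY` in the low byte, identity in the upper bits), the tunnel-key field, the ipcache table, the identity numbers and the simplified "WORLD_ID means no encryption" rule are all constructed for the example and differ from Cilium's real encodings.

```c
/* Added example, not Cilium code: a user-space model of the identity
 * resolution order described in the commit messages. All encodings,
 * identities and addresses below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WORLD_ID             2u        /* constructed placeholder for "unknown / world" */
#define MARK_MAGIC_MASK      0xFFu     /* constructed layout: low byte carries a magic */
#define MARK_MAGIC_IDENTITY  0x0Fu     /* constructed magic: "mark carries an identity" */
#define MARK_IDENTITY_SHIFT  16        /* constructed: identity lives in the upper bits */

#define IDENT_POD_A  0xC0DEu           /* constructed identity of a local pod */
#define IP_POD_A     0x0A000001u       /* constructed address 10.0.0.1 of that pod */

/* Minimal stand-in for the packet context seen by the to-netdev hook. */
struct pkt {
    uint32_t mark;           /* set by from-container in this model */
    bool     is_overlay;     /* ctx_is_overlay() in the model */
    uint32_t tunnel_key_id;  /* source identity carried in the overlay tunnel key */
    uint32_t src_ip;
};

struct ipcache_entry { uint32_t ip; uint32_t identity; bool present; };

/* Constructed ipcache: one live pod entry plus a free slot. */
static struct ipcache_entry ipcache[2] = {
    { .ip = IP_POD_A, .identity = IDENT_POD_A, .present = true },
    { .ip = 0,        .identity = 0,           .present = false },
};

/* Missing entry resolves to WORLD_ID, which is the failure mode the
 * commit messages warn about. */
static uint32_t ipcache_lookup(uint32_t ip)
{
    for (size_t i = 0; i < sizeof ipcache / sizeof ipcache[0]; i++)
        if (ipcache[i].present && ipcache[i].ip == ip)
            return ipcache[i].identity;
    return WORLD_ID;
}

/* Simulates endpoint teardown: the ipcache entry disappears. */
void ipcache_remove(uint32_t ip)
{
    for (size_t i = 0; i < sizeof ipcache / sizeof ipcache[0]; i++)
        if (ipcache[i].ip == ip)
            ipcache[i].present = false;
}

/* How from-container would stamp the identity into the mark in this model. */
uint32_t mark_for_identity(uint32_t identity)
{
    return (identity << MARK_IDENTITY_SHIFT) | MARK_MAGIC_IDENTITY;
}

/* Old behaviour: always consult the ipcache by source address. */
uint32_t src_identity_legacy(const struct pkt *p)
{
    return ipcache_lookup(p->src_ip);
}

/* Improved behaviour: overlay tunnel key first, then the identity already
 * present in skb->mark, and only then the ipcache. */
uint32_t src_identity_improved(const struct pkt *p)
{
    if (p->is_overlay)
        return p->tunnel_key_id;
    if ((p->mark & MARK_MAGIC_MASK) == MARK_MAGIC_IDENTITY)
        return p->mark >> MARK_IDENTITY_SHIFT;
    return ipcache_lookup(p->src_ip);
}

/* Simplified model rule: traffic attributed to WORLD_ID is not encrypted. */
bool needs_encryption(uint32_t src_identity)
{
    return src_identity != WORLD_ID;
}

/* Returns true when, for a packet from an already torn-down pod, the legacy
 * path would send it out unencrypted while the improved path still encrypts. */
bool torn_down_pod_scenario(void)
{
    struct pkt p = { .mark = mark_for_identity(IDENT_POD_A), .is_overlay = false,
                     .tunnel_key_id = 0, .src_ip = IP_POD_A };
    ipcache_remove(IP_POD_A);   /* endpoint gone, ipcache entry already removed */
    bool legacy_leaks = !needs_encryption(src_identity_legacy(&p));
    bool improved_ok  =  needs_encryption(src_identity_improved(&p));
    return legacy_leaks && improved_ok;
}

int main(void)
{
    printf("legacy path leaks torn-down pod traffic, improved path encrypts: %s\n",
           torn_down_pod_scenario() ? "yes" : "no");
    return 0;
}
```

Run stand-alone, the program reports that the legacy lookup attributes the torn-down pod's packet to WORLD_ID while the mark-based path keeps the original identity; the overlay branch shows the same effect for packets whose identity arrives in the tunnel key.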
@julianwiedmann
Member Author

/test

Contributor
@ldelossa ldelossa left a comment


Changes look good to me.

@github-project-automation github-project-automation bot moved this from Proposed to Active in Release blockers Apr 7, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 7, 2025
@julianwiedmann julianwiedmann added this pull request to the merge queue Apr 7, 2025
Merged via the queue into cilium:v1.17 with commit ce4fca1 Apr 7, 2025
58 checks passed
@julianwiedmann julianwiedmann deleted the 1.17-bpf-ipsec-secid branch April 7, 2025 15:17
@github-project-automation github-project-automation bot moved this from Active to Done in Release blockers Apr 7, 2025