[v1.17] ipsec: handle tunnelled ipv6 in v1.17 leak detection #38843

Merged
ldelossa merged 2 commits into v1.17 from ldelossa/ipsec-hook-tunnelled-ipv6 on Apr 21, 2025

Conversation

@ldelossa
Contributor

@ldelossa ldelossa commented Apr 9, 2025

In 38bfeca, code was backported to v1.17 to ensure no leaked packets would slip through when upgrading/downgrading from v1.17 to v1.18.

The leak detection mechanism failed to include checking for encapsulated IPv6 packets.

Update the leak detection bits to parse out the inner MAC header, determine the IP version, and check the inner IP protocol accordingly.

This will now ensure leaked tunnelled IPv6 traffic is encapsulated during v1.17<->v1.18 upgrade/downgrade.

ipsec: include ipv6 in v1.18 upgrade leak detection
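The inner-header walk the description outlines, as an added illustration that is not Cilium's own datapath code: a plain C check over a VXLAN-encapsulated frame that reads the inner EtherType, selects IPv4 or IPv6 accordingly, and reports whether the inner protocol / next header is already ESP or is plaintext that would leak. The header offsets, constants and the constructed sample frame (VXLAN over IPv4 without options) are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed layout of a VXLAN-over-IPv4 frame: outer Ethernet (14), outer IPv4
 * without options (20), UDP (8), VXLAN (8), inner Ethernet (14), inner IP.
 * These constants are this example's own assumptions, not Cilium's headers. */
#define ETH_HLEN        14
#define INNER_ETH_OFF   (ETH_HLEN + 20 + 8 + 8)
#define INNER_IP_OFF    (INNER_ETH_OFF + ETH_HLEN)
#define ETHERTYPE_IPV4  0x0800
#define ETHERTYPE_IPV6  0x86DD
#define IPPROTO_ESP_NUM 50

enum { LEAK_TRUNCATED = -1, LEAK_NONE = 0, LEAK_UNKNOWN = 1, LEAK_V4 = 4, LEAK_V6 = 6 };

/* Read the inner EtherType, pick the IP version, then check the inner IPv4
 * "protocol" or IPv6 "next header" field. LEAK_NONE: inner packet is already
 * ESP. LEAK_V4 / LEAK_V6: plaintext inner IPv4 / IPv6 that would leak. */
int vxlan_inner_leak_check(const uint8_t *pkt, size_t len)
{
    if (len < INNER_IP_OFF)
        return LEAK_TRUNCATED;
    switch ((pkt[INNER_ETH_OFF + 12] << 8) | pkt[INNER_ETH_OFF + 13]) {
    case ETHERTYPE_IPV4:
        if (len < INNER_IP_OFF + 20)
            return LEAK_TRUNCATED;
        return pkt[INNER_IP_OFF + 9] == IPPROTO_ESP_NUM ? LEAK_NONE : LEAK_V4;
    case ETHERTYPE_IPV6:
        if (len < INNER_IP_OFF + 40)
            return LEAK_TRUNCATED;
        return pkt[INNER_IP_OFF + 6] == IPPROTO_ESP_NUM ? LEAK_NONE : LEAK_V6;
    default:
        return LEAK_UNKNOWN;    /* e.g. ARP: no inner IP header to inspect */
    }
}

/* Constructed sample frame: zero-filled except for the fields the check reads;
 * `trim` drops trailing bytes so the truncation path can be exercised too. */
int check_sample(uint16_t ethertype, uint8_t proto, size_t trim)
{
    uint8_t buf[INNER_IP_OFF + 40] = {0};
    size_t len = INNER_IP_OFF + (ethertype == ETHERTYPE_IPV6 ? 40 : 20);

    buf[INNER_ETH_OFF + 12] = (uint8_t)(ethertype >> 8);
    buf[INNER_ETH_OFF + 13] = (uint8_t)ethertype;
    if (ethertype == ETHERTYPE_IPV6) { buf[INNER_IP_OFF] = 0x60; buf[INNER_IP_OFF + 6] = proto; }
    else { buf[INNER_IP_OFF] = 0x45; buf[INNER_IP_OFF + 9] = proto; }
    return len > trim ? vxlan_inner_leak_check(buf, len - trim) : LEAK_TRUNCATED;
}
```

The truncation checks matter in a real datapath because the inner IPv6 header is twice the size of a minimal IPv4 header, so a length check written for IPv4 alone is not sufficient once IPv6 is handled.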

@ldelossa ldelossa requested a review from a team as a code owner April 9, 2025 16:39
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Apr 9, 2025
@ldelossa ldelossa force-pushed the ldelossa/ipsec-hook-tunnelled-ipv6 branch from 3746154 to 9c8fc06 April 9, 2025 16:43
@nathanjsweet nathanjsweet added the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Apr 9, 2025
@ldelossa ldelossa added release-note/bug This PR fixes an issue in a previous release of Cilium. feature/ipsec Relates to Cilium's IPsec feature area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. labels Apr 9, 2025
@ldelossa ldelossa force-pushed the ldelossa/ipsec-hook-tunnelled-ipv6 branch from 9c8fc06 to d7d9f40 April 9, 2025 16:54
@ldelossa
Contributor Author

ldelossa commented Apr 9, 2025

/test

@qmonnet qmonnet changed the title ipsec: handle tunnelled ipv6 in v1.17 leak detection [v1.17] ipsec: handle tunnelled ipv6 in v1.17 leak detection Apr 10, 2025
@ldelossa ldelossa marked this pull request as draft April 11, 2025 11:35
@ldelossa ldelossa force-pushed the ldelossa/ipsec-hook-tunnelled-ipv6 branch 3 times, most recently from 75095d2 to 9123221 April 11, 2025 22:39
@joestringer joestringer removed the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Apr 18, 2025
@ldelossa ldelossa force-pushed the ldelossa/ipsec-hook-tunnelled-ipv6 branch from 9123221 to e0cc492 April 21, 2025 01:24
@julianwiedmann julianwiedmann self-requested a review April 21, 2025 12:28
Add additional helpers for vxlan encapsulated packets in the context of
IPsec.

This will be used for upgrade/downgrade leak detection between v1.17 and
v1.18.

Signed-off-by: Louis DeLosSantos <[email protected]>
In 38bfeca, code was backported to
v1.17 to ensure no leaked packets would slip through when
upgrading/downgrading from v1.17 to v1.18.

The leak detection mechanism failed to include checking for encapsulated
IPv6 packets.

Update the leak detection bits to parse out the inner MAC header,
determine the IP version, and check the inner IP protocol accordingly.

This will now ensure leaked tunnelled IPv6 traffic is encapsulated
during v1.17<->v1.18 upgrade/downgrade.

Signed-off-by: Louis DeLosSantos <[email protected]>
@ldelossa ldelossa force-pushed the ldelossa/ipsec-hook-tunnelled-ipv6 branch from e0cc492 to b824305 April 21, 2025 14:26
@ldelossa ldelossa marked this pull request as ready for review April 21, 2025 14:27
Member

@julianwiedmann julianwiedmann left a comment


lgtm, thank you!

@ldelossa
Contributor Author

/test

@ldelossa ldelossa added this pull request to the merge queue Apr 21, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 21, 2025
Merged via the queue into v1.17 with commit 2df9197 Apr 21, 2025
291 checks passed
@ldelossa ldelossa deleted the ldelossa/ipsec-hook-tunnelled-ipv6 branch April 21, 2025 15:56
@julianwiedmann
Member

@ldelossa does this actually qualify as release-note/bug? Until we've released v1.18 and folks downgrade back to v1.17, this shouldn't affect anyone - right? And there we'll expect them to downgrade to latest patch version, which will have this fix.

If you agree, please flip to release-note/misc :)

@ldelossa
Contributor Author

@julianwiedmann yup, I think that reasoning makes sense. I'll change.

@ldelossa ldelossa added release-note/misc This PR makes changes that have no direct user impact. and removed release-note/bug This PR fixes an issue in a previous release of Cilium. labels May 10, 2025

Labels

area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. feature/ipsec Relates to Cilium's IPsec feature kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.

5 participants