ipsec: Add support for using default crypto with Libreswan.
Distributions are normally shipping with a special file with
system-wide crypto policies.  For example, on Fedora/RHEL:

  /etc/crypto-policies/back-ends/libreswan.config

This file is included by the main /etc/ipsec.conf.

Today, ovs-monitor-ipsec can't take advantage of that, because we're
always defining ike and esp algorithms for our connections.

Add '--use-default-crypto' option to ovs-monitor-ipsec.  If it is set,
the daemon will not specify any crypto policies for connections and
will use what is provided by default.  In case we're running with a
root ipsec.conf, it'll be just the defaults that Libreswan has by
itself.  In case we're running with a sub-config and the
'--root-ipsec-conf' option, connections will be using crypto options
defined in 'conn %default' somewhere in other files included from the
root ipsec.conf; in most cases that will be the system-wide crypto
policy file like the one mentioned above.

This provides system administrators better control over crypto
policies used without requiring them to adjust configuration of every
OVS tunnel.

Users can still override options per-connection by setting
"ipsec_ike/esp" tunnel configuration.

This mostly makes sense together with '--root-ipsec-conf', so only
implemented for Libreswan for now.

Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
igsilya committed Dec 16, 2024
1 parent 09d7c5a commit a48b327
Showing 3 changed files with 85 additions and 6 deletions.
4 changes: 4 additions & 0 deletions NEWS
Expand Up @@ -51,6 +51,10 @@ Post-v3.4.0
* New option '--root-ipsec-conf' for ovs-monitor-ipsec with Libreswan
to allow cases where '--ipsec-conf' is not the main ipsec.conf, but
included from it. The value should be the path to the main ipsec.conf.
* New option '--use-default-crypto' for ovs-monitor-ipsec with Libreswan
to make it not configure any crypto options (ike/esp) for connections.
Most useful in combination with '--root-ipsec-conf' where system-wide
crypto-policy is included from the root ipsec.conf.


v3.4.0 - 15 Aug 2024
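Review bot: the entry describes the suppressed options as "(ike/esp)", but the option also omits ikev2= (the help text added to ovs-monitor-ipsec.in lists ike/esp/ikev2 and the new tests grep for all three); consider writing "ike/ikev2/esp" so the NEWS text matches what is actually left out.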
14 changes: 11 additions & 3 deletions ipsec/ovs-monitor-ipsec.in
Expand Up @@ -540,6 +540,7 @@ conn prevent_unencrypted_vxlan
self.last_refresh = time.time()
self.secrets_file = None
self.use_default_conn = self.IPSEC_CONF == self.ROOT_IPSEC_CONF
self.use_default_crypto = args.use_default_crypto
vlog.dbg("Using: " + self.IPSEC)
vlog.dbg("Configuration file: " + self.IPSEC_CONF)
vlog.dbg("Root configuration file: " + self.ROOT_IPSEC_CONF)
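Review bot: the new attribute is stored but never reported, while the neighbouring vlog.dbg() calls log every other piece of daemon configuration; adding something like vlog.dbg("Using default crypto: " + str(self.use_default_crypto)) next to them would let an administrator confirm from the log that connections are relying on the system-wide policy rather than on OVS-chosen algorithms.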
Expand All @@ -557,7 +558,8 @@ conn prevent_unencrypted_vxlan
if self.use_default_conn:
f.write(self.CONF_DEFAULT_HEADER)
f.write(self.CONN_CONF_BASE)
f.write(self.CONN_CONF_CRYPTO)
if not self.use_default_crypto:
f.write(self.CONN_CONF_CRYPTO)
f.write("\n")
f.close()

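Review bot: when use_default_conn is false this block writes neither CONN_CONF_CRYPTO nor a 'conn %default', so with --use-default-crypto the algorithms for every connection come entirely from whatever the root ipsec.conf includes; a short comment on the "if not self.use_default_crypto:" line stating that dependency would save the next reader from reconstructing it from the commit message.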
Expand All @@ -575,7 +577,8 @@ conn prevent_unencrypted_vxlan
if self.use_default_conn:
self.conf_file.write(self.CONF_DEFAULT_HEADER)
self.conf_file.write(self.CONN_CONF_BASE)
self.conf_file.write(self.CONN_CONF_CRYPTO)
if not self.use_default_crypto:
self.conf_file.write(self.CONN_CONF_CRYPTO)
self.conf_file.write("\n")

self.secrets_file.write(FILE_HEADER)
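Review bot: this is the second copy of the same header-writing sequence (CONF_DEFAULT_HEADER, CONN_CONF_BASE, optional CONN_CONF_CRYPTO) that the f.write() block above already contains; a small helper taking the file object would keep the two paths in sync, so a future crypto-related option is not added to one and missed in the other.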
Expand Down Expand Up @@ -637,7 +640,8 @@ conn prevent_unencrypted_vxlan

if not self.use_default_conn:
auth_section = self.CONN_CONF_BASE + auth_section
auth_section = self.CONN_CONF_CRYPTO + auth_section
if not self.use_default_crypto:
auth_section = self.CONN_CONF_CRYPTO + auth_section

if "custom_options" in tunnel.conf:
for key, value in tunnel.conf["custom_options"].items():
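Review bot: CONN_CONF_CRYPTO is prepended here before the custom_options loop runs, which is where the commit message says per-tunnel ipsec_ike/esp overrides are applied; a one-line comment noting that those overrides remain in effect with --use-default-crypto (only the OVS-chosen defaults are dropped) would make the interaction explicit at the point where both branches meet.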
Expand Down Expand Up @@ -1431,6 +1435,10 @@ def main():
type=int, default=120,
help="Timeout for external commands called by the "
"ovs-monitor-ipsec daemon, e.g. ipsec --start.")
parser.add_argument("--use-default-crypto", action='store_true',
help="Use default crypto configuration, i.e. do"
" not set ike/esp/ikev2 in connections"
" (libreswan only)")

ovs.vlog.add_args(parser)
ovs.daemon.add_args(parser)
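Review bot: the help string says "(libreswan only)" but nothing rejects the flag for other IKE daemons, where it would be silently ignored and an operator could believe the system-wide policy is in effect while OVS still writes its own ike/esp lines; consider failing, or at least emitting a warning, when the selected daemon is not Libreswan. The help text also lacks the trailing period that the preceding argument's help has.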
73 changes: 70 additions & 3 deletions tests/system-ipsec.at
Expand Up @@ -21,7 +21,7 @@ m4_define([START_PLUTO], [
])

dnl IPSEC_ADD_NODE([namespace], [device], [address], [peer address],
dnl [custom-ipsec-conf])
dnl [custom-ipsec-conf], [extra])
dnl
dnl Creates a dummy host that acts as an IPsec endpoint. Creates host in
dnl 'namespace' and attaches a veth 'device' to 'namespace' to act as the host
Expand All @@ -33,6 +33,9 @@ dnl Starts all daemons in 'namespace' that are required for IPsec.
dnl
dnl If 'custom-ipsec-conf' is provided, then it will be used as --ipsec-conf
dnl and the ipsec.conf will be used as --root-ipsec-conf.
dnl
dnl If 'extra' is provided, passes it as an additional argument list for
dnl ovs-monitor-ipsec.
m4_define([IPSEC_ADD_NODE],
[ADD_NAMESPACES($1)
dnl Disable DAD. We know we wont get duplicates on this underlay network.
Expand Down Expand Up @@ -79,6 +82,7 @@ m4_define([IPSEC_ADD_NODE],
--ipsec-secrets=$ovs_base/$1/secrets \
--log-file=$ovs_base/$1/ovs-monitor-ipsec.log \
--ipsec-ctl=$ovs_base/$1/pluto.ctl \
m4_if([$6], [], [], [$6]) \
--no-restart-ike-daemon --detach ], [0], [], [stderr])
on_exit "kill `cat $ovs_base/$1/ovs-monitor-ipsec.pid`"

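Review bot: m4_if([$6], [], [], [$6]) expands to $6 in both branches (empty when $6 is empty, $6 otherwise), so it is equivalent to a bare "$6 \"; either simplify it, or if the intent was to avoid an empty continuation line when no extra arguments are given, note that it does not achieve that.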
Expand All @@ -88,9 +92,9 @@ m4_define([IPSEC_ADD_NODE],
-- set-controller br-ipsec punix:$ovs_base/br-ipsec.$1.mgmt])]
)
m4_define([IPSEC_ADD_NODE_LEFT],
[IPSEC_ADD_NODE(left, p0, $1, $2, [$3])])
[IPSEC_ADD_NODE(left, p0, $1, $2, [$3], [$4])])
m4_define([IPSEC_ADD_NODE_RIGHT],
[IPSEC_ADD_NODE(right, p1, $1, $2, [$3])])
[IPSEC_ADD_NODE(right, p1, $1, $2, [$3], [$4])])

dnl OVS_VSCTL([namespace], [sub-command])
dnl
Expand Down Expand Up @@ -459,6 +463,69 @@ AT_CHECK([grep -c -E "(ike|ikev2|esp)=" $ovs_base/right/custom.conf], [0], [6
OVS_TRAFFIC_VSWITCHD_STOP()
AT_CLEANUP

AT_SETUP([IPsec -- Libreswan (ipv4, geneve, default crypto)])
AT_KEYWORDS([ipsec libreswan ipv4 geneve psk default crypto])
dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988

CHECK_LIBRESWAN()
OVS_TRAFFIC_VSWITCHD_START()
IPSEC_SETUP_UNDERLAY()

dnl Set up hosts.
IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2, [], [--use-default-crypto])
IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1, [], [--use-default-crypto])

dnl Set up IPsec tunnel on 'left' host.
IPSEC_ADD_TUNNEL_LEFT([geneve],
[options:remote_ip=10.1.1.2 options:psk=swordfish])

dnl Set up IPsec tunnel on 'right' host.
IPSEC_ADD_TUNNEL_RIGHT([geneve],
[options:remote_ip=10.1.1.1 options:psk=swordfish])
CHECK_ESP_TRAFFIC

dnl Check that ipsec.conf doesn't include ike or esp configuration.
AT_CHECK([grep -q "conn %default" $ovs_base/left/ipsec.conf])
AT_CHECK([grep -q -E "(ike|ikev2|esp)=" $ovs_base/left/ipsec.conf], [1])
AT_CHECK([grep -q "conn %default" $ovs_base/right/ipsec.conf])
AT_CHECK([grep -q -E "(ike|ikev2|esp)=" $ovs_base/right/ipsec.conf], [1])

OVS_TRAFFIC_VSWITCHD_STOP()
AT_CLEANUP

AT_SETUP([IPsec -- Libreswan (ipv4, geneve, custom conf, default crypto)])
AT_KEYWORDS([ipsec libreswan ipv4 geneve psk custom conf default crypto])
dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988

CHECK_LIBRESWAN()
OVS_TRAFFIC_VSWITCHD_START()
IPSEC_SETUP_UNDERLAY()

dnl Set up hosts.
IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2, [custom.conf], [--use-default-crypto])
IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1, [custom.conf], [--use-default-crypto])

dnl Set up IPsec tunnel on 'left' host.
IPSEC_ADD_TUNNEL_LEFT([geneve],
[options:remote_ip=10.1.1.2 options:psk=swordfish])

dnl Set up IPsec tunnel on 'right' host.
IPSEC_ADD_TUNNEL_RIGHT([geneve],
[options:remote_ip=10.1.1.1 options:psk=swordfish])
CHECK_ESP_TRAFFIC

dnl Check that custom.conf doesn't include default section, and also doesn't
dnl have ike or esp configuration.
AT_CHECK([grep -q "conn %default" $ovs_base/left/custom.conf], [1])
AT_CHECK([grep -q -E "(ike|ikev2|esp)=" $ovs_base/left/custom.conf], [1])
AT_CHECK([grep -q "conn %default" $ovs_base/right/custom.conf], [1])
AT_CHECK([grep -q -E "(ike|ikev2|esp)=" $ovs_base/right/custom.conf], [1])

OVS_TRAFFIC_VSWITCHD_STOP()
AT_CLEANUP

AT_SETUP([IPsec -- Libreswan NxN geneve tunnels + reconciliation])
AT_KEYWORDS([ipsec libreswan scale reconciliation])
dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
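Review bot: the two new tests prove that the generated files contain no ike=/ikev2=/esp= lines and that ESP traffic flows, but not which proposal was negotiated; since the whole point of the option is to defer to whatever the system policy provides, an additional check of the established SA's algorithms (e.g. from "ipsec status" output or the pluto log under $ovs_base/left) would catch a fallback default that is weaker than the OVS-chosen one. The two AT_SETUP blocks also differ only in the custom.conf argument and the expected "conn %default" result, so a shared macro would reduce the duplication.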