
When is a Secure Connection not encrypted? And other stories

Liz Rice
November 17, 2023


Many organizations use a Service Mesh to secure traffic between apps. This may use Mutual TLS, with a proxy terminating connections on behalf of apps. mTLS starts with a handshake to authenticate endpoint identities, and exchange certificates for subsequent traffic encryption. When encryption is needed but app authentication is not, approaches like WireGuard or IPSec may be more suitable. What about scenarios where authentication is important but encryption adds too much latency? With demos to make concepts concrete, let’s dive into Cilium's approach to authentication and encryption, and the differences between mTLS and in-kernel alternatives.

- Explore the mTLS handshake step-by-step
- Contrast with transparent encryption using node identities
- Understand where encryption takes place in different models
- Discuss options for encrypting L7 protocols other than HTTP

With a clear picture of how authentication and encryption work, you’ll be better able to assess which approach best meets your needs.

Transcript

  1. When is a secure connection not encrypted? And other stories

    Liz Rice | @lizrice
    Chief Open Source Officer, Isovalent
    Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards
  2. Authentication = establishing identity

    (cartoon) "Hello, I'm Liz" / "Hi! I'm your bank" / "Great! Here's $500"
  3. TLS handshake

    (sequence diagram) Establishing TCP: SYN, ACK.
    TLS handshake: Client Hello; Server Hello with X.509 Server certificate; both sides hold a symmetric session key.
    Then: Encrypted data.
  4. mTLS handshake

    (sequence diagram) Establishing TCP: SYN, ACK.
    mTLS handshake: Client Hello; Server Hello with X.509 Server certificate; X.509 Client certificate; both sides hold a symmetric session key.
    Then: Encrypted data.
  5. mTLS handshake upgrades a TCP connection to be authenticated and encrypted

    (same sequence diagram as slide 4: TCP handshake, then Client Hello, Server Hello, X.509 Server, X.509 Client, symmetric session key on each side, then Encrypted data)
  6. WireGuard / IPsec

    WireGuard:
      "You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it."
      Widely considered more secure, but uses non-FIPS-compliant cryptography protocols
      Automated key rotation
    IPsec:
      Sets up and maintains tunnels between endpoints
      Can be FIPS-compliant
    Both: typically used for VPNs, tunnelling encrypted IP traffic encapsulated in UDP packets

    (WireGuard is a registered trademark of Jason A. Donenfeld)
  7. Droid conversation

    $ k get pods -o wide
    NAME    READY   STATUS    RESTARTS   AGE     IP            NODE
    c-3po   1/1     Running   0          3d17h   10.244.2.2    kind-worker2
    r2-d2   1/1     Running   0          2d      10.244.1.16   kind-worker
    $ k exec -it c-3po -- curl r2-d2
    beep! beep-bee-beep! beepeebeep!!
  8. Examine traffic flowing on the eth0 port

    No encryption:
    root@kind-worker:/# tcpdump -i eth0 -A | grep beep
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    beep! beep-bee-beep! beepeebeep!!

    With WireGuard enabled:
    $ cilium upgrade --reuse-values --set encryption.enabled=true --set encryption.type=wireguard
    root@kind-worker:/# tcpdump -i eth0 -A | grep beep
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    (no match: the payload on eth0 is now encrypted)
  9. Network policy restricts traffic

    apiVersion: "cilium.io/v2"
    kind: CiliumNetworkPolicy
    metadata:
      name: "droid"
      namespace: farfaraway
    spec:
      description: "Droid communication policy"
      endpointSelector:
        matchLabels:
          class: droid
      ingress:
      - fromEndpoints:
        - matchLabels:
            org: rebel-alliance
  10. Cilium identity is derived from Kubernetes labels

    kubectl get ciliumidentities --show-labels
    NAME    NAMESPACE    AGE     LABELS
    2252    farfaraway   2d19h   app=r2-d2,class=droid,io.cilium.k8s.policy.cluster=default,io.cilium.k8s.policy.serviceaccount=default,io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance
    32496   farfaraway   2d23h   app.kubernetes.io/name=tiefighter,class=tiefighter,io.cilium.k8s.policy.cluster=default,io.cilium.k8s.policy.serviceaccount=default,io.kubernetes.pod.namespace=farfaraway,org=empire
    60812   farfaraway   2d19h   app.kubernetes.io/name=c-3po,class=droid,io.cilium.k8s.policy.cluster=default,io.cilium.k8s.policy.serviceaccount=default,io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance
  11. Is this traffic allowed?

    - fromEndpoints:
      - matchLabels:
          org: rebel-alliance
    (diagram) Traffic from 1.1.1.1 corresponds to Cilium ID 1234
  12. Identity / address spoofing

    - fromEndpoints:
      - matchLabels:
          org: rebel-alliance
    (diagram) Traffic from 1.1.1.1 corresponds to Cilium ID 1234; the policy trusts that mapping from the source address alone
  13. Network policy restricts traffic

    apiVersion: "cilium.io/v2"
    kind: CiliumNetworkPolicy
    metadata:
      name: "droid"
      namespace: farfaraway
    spec:
      description: "Droid communication policy"
      endpointSelector:
        matchLabels:
          class: droid
      ingress:
      - fromEndpoints:
        - matchLabels:
            org: rebel-alliance
        authentication:
          mode: "required"
  14. Is this traffic authenticated?

    - fromEndpoints:
      - matchLabels:
          org: rebel-alliance
      authentication:
        mode: "required"
    (diagram) Nodes 10.0.0.1 and 10.0.0.2. Traffic from 1.1.1.1 corresponds to Cilium ID 1234; 1.1.1.1 should be on Node 10.0.0.1
  15. Is this traffic authenticated?

    - fromEndpoints:
      - matchLabels:
          org: rebel-alliance
      authentication:
        mode: "required"
    (diagram) Nodes 10.0.0.1 and 10.0.0.2, with 1.1.1.1 appearing on both. Traffic from 1.1.1.1 corresponds to Cilium ID 1234; 1.1.1.1 should be on Node 10.0.0.1
  16. Cilium agents use the same handshake as mTLS

    (sequence diagram) Establishing TCP: SYN, ACK.
    mTLS handshake: Client Hello; Server Hello; X.509 C-3PO; X.509 R2-D2 (the agents "Get R2-D2 X.509" and "Get C-3PO X.509").
    Both endpoints are authenticated now.
    Passes ingress network policy authentication check for R2-D2 <-> C-3PO.
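The checks on slides 10 to 16, as an added Python illustration that is not part of the deck and not Cilium's datapath code: identity is derived from labels, the plain L3 rule (slide 9) trusts the identity mapped from the source IP, and the `authentication: mode: "required"` rule (slide 13) additionally rejects a source arriving from a node its identity does not belong on, or one without a completed handshake. The identity and endpoint tables are abridged and partly constructed, and the auth cache keyed by (source identity, destination identity, node) is my simplification.

```python
# Model of the identity-based policy check from slides 10-16. My own
# illustration, not Cilium's code; tables and the 10.244.2.7 pod are constructed.
IDENTITIES = {  # numeric identity -> labels (abridged from slide 10)
    2252:  {"app": "r2-d2", "class": "droid", "org": "rebel-alliance"},
    60812: {"app.kubernetes.io/name": "c-3po", "class": "droid", "org": "rebel-alliance"},
    32496: {"app.kubernetes.io/name": "tiefighter", "class": "tiefighter", "org": "empire"},
}
ENDPOINTS = {  # pod IP -> (identity, node it should be on), as the agent learns them
    "10.244.1.16": (2252, "kind-worker"),
    "10.244.2.2":  (60812, "kind-worker2"),
    "10.244.2.7":  (32496, "kind-worker2"),
}

def droid_policy(auth_required):
    """The 'droid' CiliumNetworkPolicy from slide 9 (auth_required=False)
    or slide 13 (auth_required=True), reduced to the fields the check uses."""
    rule = {"fromEndpoints": [{"org": "rebel-alliance"}]}
    if auth_required:
        rule["authentication"] = {"mode": "required"}
    return {"endpointSelector": {"class": "droid"}, "ingress": [rule]}

def matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())

def ingress_verdict(src_ip, arrived_from_node, dst_ip, policy, auth_cache):
    """Decide whether a packet claiming src_ip, seen coming from
    arrived_from_node, may reach dst_ip. auth_cache holds
    (src_identity, dst_identity, node) triples for which the agents have
    completed the mTLS-style handshake (slide 16). Returns (allowed, reason)."""
    src_id, expected_node = ENDPOINTS[src_ip]
    dst_id, _ = ENDPOINTS[dst_ip]
    if not matches(policy["endpointSelector"], IDENTITIES[dst_id]):
        return (True, "policy does not select destination")
    for rule in policy["ingress"]:
        if not any(matches(s, IDENTITIES[src_id]) for s in rule["fromEndpoints"]):
            continue
        if rule.get("authentication", {}).get("mode") != "required":
            # Slide 12: identity comes from the source IP alone, so a packet
            # with a spoofed address inherits that identity's permissions.
            return (True, "allowed: labels match (source IP trusted, no auth)")
        if arrived_from_node != expected_node:
            # Slide 14: the identity behind this IP belongs on another node.
            return (False, f"dropped: {src_ip} should be on node {expected_node}")
        if (src_id, dst_id, arrived_from_node) in auth_cache:
            return (True, "allowed: both endpoints authenticated")
        return (False, "dropped: authentication required, no handshake yet")
    return (False, "dropped: no matching ingress rule")
```

The third case (handshake missing) is where the agents would run the slide 16 handshake and populate the cache, after which the retried packet passes.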
  17. Cilium Operator registers each identity with SPIRE

    kubectl exec -n cilium-spire spire-server-0 -c spire-server -- /opt/spire/bin/spire-server entry show -selector cilium:mutual-auth
    Found 10 entries
    Entry ID         : 8e1cc610-69b0-474d-aa89-32fc2003fe81
    SPIFFE ID        : spiffe://spiffe.cilium/identity/2252
    Parent ID        : spiffe://spiffe.cilium/cilium-operator
    Revision         : 0
    X509-SVID TTL    : default
    JWT-SVID TTL     : default
    Selector         : cilium:mutual-auth
    …
    Transparent certificate management
  18. Authenticated connection

    Nov 7 13:54:13.518: farfaraway/c-3po:44494 (ID:52452) -> farfaraway/r2-d2:80 (ID:18777) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN; Auth: SPIRE)
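A defender-side check over flow lines in the format of slide 18, as an added Python example that is not part of the deck: parse the Hubble-style verdict line and flag ingress flows to the r2-d2 workload that were allowed without an `Auth:` marker, i.e. where identity rested on the source IP alone. The regex is my own reading of the one line on the slide, and the second and third sample lines are constructed.

```python
import re

# Flow line layout as seen on slide 18; the pattern is my own (constructed).
FLOW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<src>\S+) \(ID:(?P<src_id>\d+)\) -> (?P<dst>\S+) \(ID:(?P<dst_id>\d+)\) "
    r"policy-verdict:(?P<match>\S+) (?P<dir>INGRESS|EGRESS) (?P<verdict>[A-Z]+) "
    r"\((?P<detail>[^)]*)\)$"
)

def parse_flow(line):
    """Return the line's fields as a dict, or None if it is not a verdict line.
    The parenthesised detail ("TCP Flags: SYN; Auth: SPIRE") becomes a dict."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["detail"] = dict(kv.split(": ", 1) for kv in rec["detail"].split("; ") if ": " in kv)
    return rec

def unauthenticated_allowed(lines, protected_dst="farfaraway/r2-d2"):
    """(src, dst) pairs for ALLOWED ingress flows to the protected workload
    that carry no 'Auth:' field, so no handshake backed the identity claim."""
    found = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dir"] != "INGRESS" or rec["verdict"] != "ALLOWED":
            continue
        if not rec["dst"].startswith(protected_dst):
            continue
        if "Auth" not in rec["detail"]:
            found.append((rec["src"], rec["dst"]))
    return found

# First line is from slide 18; the other two are constructed for illustration.
SAMPLE_FLOWS = [
    "Nov 7 13:54:13.518: farfaraway/c-3po:44494 (ID:52452) -> farfaraway/r2-d2:80 "
    "(ID:18777) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN; Auth: SPIRE)",
    "Nov 7 13:54:20.001: farfaraway/c-3po:44512 (ID:52452) -> farfaraway/r2-d2:80 "
    "(ID:18777) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN)",
    "Nov 7 13:54:25.314: farfaraway/tiefighter:50120 (ID:32496) -> farfaraway/r2-d2:80 "
    "(ID:18777) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)",
]

if __name__ == "__main__":
    for src, dst in unauthenticated_allowed(SAMPLE_FLOWS):
        print(f"allowed without authentication: {src} -> {dst}")
```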