Slide 1

When is a secure connection not encrypted? And other stories
Liz Rice | @lizrice
Chief Open Source Officer, Isovalent
Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards

Slide 2

What do we mean by “secure connection”? 🤔💸

Slide 3

Authentication = establishing identity

“Hello, I’m Liz”
“Hi! I’m your bank”
“Great! Here’s $500”

Slide 4

Encryption

“Hello, I’m Liz”
“Hi! I’m your bank”
“Great! Here’s $500”

Slide 5

TLS and Mutual TLS

Slide 6

TLS handshake

Establishing TCP: SYN, ACK
TLS handshake: Client Hello, Server Hello, X.509 Server, symmetric session key (held by both sides)
Encrypted data

Slide 7

mTLS handshake

Establishing TCP: SYN, ACK
mTLS handshake: Client Hello, Server Hello, X.509 Server, X.509 Client, symmetric session key (held by both sides)
Encrypted data

Slide 8

mTLS handshake upgrades a TCP connection to be authenticated and encrypted

Establishing TCP: SYN, ACK
mTLS handshake: Client Hello, Server Hello, X.509 Server, X.509 Client, symmetric session key (held by both sides)
Encrypted data

Slide 9

Transparent encryption

Slide 10

Transparent encryption between nodes

Node 10.0.0.1: key pair
Node 10.0.0.2: key pair

Slide 11

WireGuard / IPsec

“You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it.”
(WireGuard is a registered trademark of Jason A. Donenfeld)

WireGuard:
- Sets up and maintains tunnels between endpoints
- Encrypted IP traffic encapsulated in UDP packets
- Automated key rotation
- Widely considered more secure but uses non-FIPS-compliant cryptography protocols

IPsec:
- Typically used for VPNs, tunnelling
- Can be FIPS-compliant

Slide 12

Photo by Mulyadi on Unsplash

Slide 13

Droid conversation

$ k get pods -o wide
NAME    READY   STATUS    RESTARTS   AGE     IP            NODE
c-3po   1/1     Running   0          3d17h   10.244.2.2    kind-worker2
r2-d2   1/1     Running   0          2d      10.244.1.16   kind-worker
$ k exec -it c-3po -- curl r2-d2
beep! beep-bee-beep! beepeebeep!!

Slide 14

Examine traffic flowing on eth0

No encryption:
root@kind-worker:/# tcpdump -i eth0 -A | grep beep
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
beep! beep-bee-beep! beepeebeep!!

With WireGuard enabled (the plaintext no longer appears on the wire):
$ cilium upgrade --reuse-values --set encryption.enabled=true --set encryption.type=wireguard
root@kind-worker:/# tcpdump -i eth0 -A | grep beep
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

Slide 15

Restrict traffic with Cilium Network Policy

Slide 16

Network policy restricts traffic

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "droid"
  namespace: farfaraway
spec:
  description: "Droid communication policy"
  endpointSelector:
    matchLabels:
      class: droid
  ingress:
  - fromEndpoints:
    - matchLabels:
        org: rebel-alliance

Slide 17

Cilium identity is derived from Kubernetes labels

kubectl get ciliumidentities --show-labels
NAME    NAMESPACE    AGE     LABELS
2252    farfaraway   2d19h   app=r2-d2,class=droid,io.cilium.k8s.policy.cluster=default,io.cilium.k8s.policy.serviceaccount=default,io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance
32496   farfaraway   2d23h   app.kubernetes.io/name=tiefighter,class=tiefighter,io.cilium.k8s.policy.cluster=default,io.cilium.k8s.policy.serviceaccount=default,io.kubernetes.pod.namespace=farfaraway,org=empire
60812   farfaraway   2d19h   app.kubernetes.io/name=c-3po,class=droid,io.cilium.k8s.policy.cluster=default,io.cilium.k8s.policy.serviceaccount=default,io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance

Slide 18

Is this traffic allowed?

  - fromEndpoints:
    - matchLabels:
        org: rebel-alliance

Traffic from 1.1.1.1 corresponds to Cilium ID 1234

Slide 19

Rebel alliance?

Photo by Josh Tere on Unsplash

Slide 20

Identity / address spoofing

  - fromEndpoints:
    - matchLabels:
        org: rebel-alliance

Traffic from 1.1.1.1 corresponds to Cilium ID 1234

Slide 21

Let’s come back to Network Policy

Slide 22

Network policy restricts traffic

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "droid"
  namespace: farfaraway
spec:
  description: "Droid communication policy"
  endpointSelector:
    matchLabels:
      class: droid
  ingress:
  - fromEndpoints:
    - matchLabels:
        org: rebel-alliance
    authentication:
      mode: "required"

Slide 23

Is this traffic authenticated?

  - fromEndpoints:
    - matchLabels:
        org: rebel-alliance
    authentication:
      mode: "required"

Traffic from 1.1.1.1 corresponds to Cilium ID 1234
1.1.1.1 should be on Node 10.0.0.1
(diagram: 1.1.1.1, nodes 10.0.0.1 and 10.0.0.2)

Slide 24

Is this traffic authenticated?

  - fromEndpoints:
    - matchLabels:
        org: rebel-alliance
    authentication:
      mode: "required"

Traffic from 1.1.1.1 corresponds to Cilium ID 1234
1.1.1.1 should be on Node 10.0.0.1
(diagram: 1.1.1.1, 1.1.1.1, nodes 10.0.0.1 and 10.0.0.2)
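As an added illustration (not code from the talk or from Cilium itself), the following Python model shows how the ingress rule from the policy slides is evaluated with and without `authentication: mode: "required"`: the source IP is mapped to a Cilium identity, the identity's labels are matched against `fromEndpoints`, and when authentication is required the packet is allowed only if a handshake proving that identity has completed from the node the packet actually arrived from. The ipcache contents, node addresses and the handshake table are constructed; the `Datapath` and `verdict` names are assumptions that simplify what the real Cilium datapath does.

```python
from dataclasses import dataclass, field

# Constructed from the `kubectl get ciliumidentities --show-labels` output shown earlier (trimmed).
IDENTITY_LABELS = {
    2252: "app=r2-d2,class=droid,io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance",
    32496: "app.kubernetes.io/name=tiefighter,class=tiefighter,io.kubernetes.pod.namespace=farfaraway,org=empire",
    60812: "app.kubernetes.io/name=c-3po,class=droid,io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance",
}
# The two ingress rules from the policy slides: plain L3, and with authentication required.
RULE_L3 = {"fromEndpoints": [{"matchLabels": {"org": "rebel-alliance"}}]}
RULE_AUTH = {**RULE_L3, "authentication": {"mode": "required"}}

def parse_labels(s: str) -> dict:
    return dict(kv.split("=", 1) for kv in s.split(","))

def match_labels(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key must be present with an equal value."""
    return all(labels.get(k) == v for k, v in selector.items())

@dataclass
class Packet:
    src_ip: str     # source address carried in the packet (can be forged)
    from_node: str  # node the packet actually arrived from (observed, not claimed)

@dataclass
class Datapath:  # assumed simplification of the Cilium datapath state
    ipcache: dict   # pod IP -> (identity, node that IP is supposed to live on)
    # (identity, node) pairs for which an mTLS-style handshake has completed
    authenticated: set = field(default_factory=set)

def verdict(rule: dict, pkt: Packet, dp: Datapath) -> tuple:
    """Evaluate one ingress rule; returns (verdict, reason)."""
    selector = rule["fromEndpoints"][0]["matchLabels"]
    entry = dp.ipcache.get(pkt.src_ip)
    if entry is None:
        return ("DENY", "source IP not in ipcache")
    identity, _home_node = entry
    if not match_labels(selector, parse_labels(IDENTITY_LABELS[identity])):
        return ("DENY", f"identity {identity} does not match {selector}")
    if rule.get("authentication", {}).get("mode") != "required":
        # Label match alone: the verdict rests on the (spoofable) source address.
        return ("ALLOW", f"L3 label match for identity {identity}")
    if (identity, pkt.from_node) not in dp.authenticated:
        return ("DENY", f"no completed handshake for identity {identity} on node {pkt.from_node}")
    return ("ALLOW", f"identity {identity} authenticated on node {pkt.from_node}")

# Constructed cluster state: r2-d2 (ID 2252) lives on node 10.0.0.1 and has completed a handshake there.
DP = Datapath(ipcache={"10.244.1.16": (2252, "10.0.0.1"), "10.244.2.7": (32496, "10.0.0.2")},
              authenticated={(2252, "10.0.0.1")})
```

A packet carrying r2-d2's address but arriving from node 10.0.0.2 passes the L3 rule on labels alone, and is dropped once authentication is required because no handshake has established identity 2252 on that node.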

Slide 25

Cilium agents use same handshake as mTLS

Establishing TCP: SYN, ACK
mTLS handshake: Client Hello, Server Hello, X.509 C-3PO, X.509 R2-D2
Get C-3PO X.509 / Get R2-D2 X.509
Both endpoints are authenticated now
Passes ingress network policy authentication check for R2-D2 <-> C-3PO

Slide 26

Cilium + SPIRE - transparent certificate management

Slide 27

Cilium Operator registers each identity with SPIRE

kubectl exec -n cilium-spire spire-server-0 -c spire-server -- /opt/spire/bin/spire-server entry show -selector cilium:mutual-auth
Found 10 entries

Entry ID         : 8e1cc610-69b0-474d-aa89-32fc2003fe81
SPIFFE ID        : spiffe://spiffe.cilium/identity/2252
Parent ID        : spiffe://spiffe.cilium/cilium-operator
Revision         : 0
X509-SVID TTL    : default
JWT-SVID TTL     : default
Selector         : cilium:mutual-auth
…

Transparent certificate management

Slide 28

Authenticated connection

Nov 7 13:54:13.518: farfaraway/c-3po:44494 (ID:52452) -> farfaraway/r2-d2:80 (ID:18777) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN; Auth: SPIRE)

Slide 29

Cilium next-gen mutual authentication

Slide 30

After handshake, the traffic doesn’t have to be TCP

Slide 31

Authenticated connections don’t have to be encrypted

Slide 33

Thank you
cilium/cilium
@ciliumproject
cilium.io
Download from isovalent.com