Upgrade to Pro — share decks privately, control downloads, hide ads and more …

When is a Secure Connection not encrypted? And ...

Liz Rice
November 17, 2023
Technology
1
63

When is a Secure Connection not encrypted? And other stories

Many organizations use a Service Mesh to secure traffic between apps. This may use Mutual TLS, with a proxy terminating connections on behalf of apps. mTLS starts with a handshake to authenticate endpoint identities, and exchange certificates for subsequent traffic encryption. When encryption is needed but app authentication is not, approaches like WireGuard or IPSec may be more suitable. What about scenarios where authentication is important but encryption adds too much latency? With demos to make concepts concrete, let’s dive into Cilium's approach to authentication and encryption, and the differences between mTLS and in-kernel alternatives.

- Explore the mTLS handshake step-by-step
- Contrast with transparent encryption using node identities
- Understand where encryption takes place in different models
- Discuss options for encrypting L7 protocols other than HTTP

With a clear picture of how authentication and encryption work, you’ll be better able to assess which approach best meets your needs.

Liz Rice

November 17, 2023
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
240
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
140
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
570
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
43
Cloud Native eBPF Superpowers
lizrice
0
240

Other Decks in Technology

See All in Technology
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
640
Can We Measure Developer Productivity?
ewolff
1
150
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
【若手エンジニア応援LT会】ソフトウェアを学んできた私がインフラエンジニアを目指した理由
kazushi_ohata
0
150
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
380
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
520
The Role of Developer Relations in AI Product Success.
giftojabu1
0
120
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110

Featured

See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Building Your Own Lightsaber
phodgson
103
6.1k
The World Runs on Bad Software
bkeepers
PRO
65
11k
It's Worth the Effort
3n
183
27k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Designing for humans not robots
tammielis
250
25k
Making Projects Easy
brettharned
115
5.9k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k

Transcript

  1. When is a secure connection not encrypted? And other stories

    Liz Rice | @lizrice Chief Open Source Officer, Isovalent Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards

  2. @lizrice What do we mean by “secure connection”? 🤔💸

  3. @lizrice Hello, I’m Liz Hi! I’m your bank Great! Here’s

    $500 Authentication = establishing identity

  4. @lizrice Hello, I’m Liz Hi! I’m your bank Great! Here’s

    $500 Encryption

  5. @lizrice TLS and Mutual TLS

  6. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server symmetric session key symmetric session key TLS handshake

  7. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server X.509 Client symmetric session key symmetric session key mTLS handshake

  8. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server X.509 Client symmetric session key symmetric session key mTLS handshake upgrades a TCP connection to be authenticated and encrypted

  9. @lizrice Transparent encryption

  10. @lizrice Transparent encryption between nodes 10.0.0.1 key pair 10.0.0.2 key

    pair 10.0.0.1 10.0.0.2

  11. @lizrice WireGuard / IPsec WireGuard is a registered trademark of

    Jason A. Donenfeld “You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it.” Widely considered more secure but uses non-FIPS-compliant cryptography protocols Automated key rotation WireGuard Sets up and maintains tunnels between endpoints Can be FIPS-compliant IPsec Typically used for VPNs, tunnelling encrypted IP traffic encapsulated in UDP packets

  12. @lizrice Photo by Mulyadi on Unsplash

  13. @lizrice Droid conversation $ k get pods -o wide NAME

    READY STATUS RESTARTS AGE IP NODE c-3po 1/1 Running 0 3d17h 10.244.2.2 kind-worker2 r2-d2 1/1 Running 0 2d 10.244.1.16 kind-worker $ k exec -it c-3po -- curl r2-d2 beep! beep-bee-beep! beepeebeep!!

  14. @lizrice Examine traffic flowing on eth0 port No encryption root@kind-worker:/#

    tcpdump -i eth0 -A | grep beep tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes beep! beep-bee-beep! beepeebeep!! With WireGuard enabled $ cilium upgrade --reuse-values --set encryption.enabled=true --set encryption.type=wireguard root@kind-worker:/# tcpdump -i eth0 -A | grep beep tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

  15. @lizrice Restrict traffic with Cilium Network Policy

  16. @lizrice Network policy restricts traffic apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata:

    name: "droid" namespace: farfaraway spec: description: "Droid communication policy" endpointSelector: matchLabels: class: droid ingress: - fromEndpoints: - matchLabels: org: rebel-alliance

  17. @lizrice Cilium identity is derived from Kubernetes lables kubectl get

    ciliumidentities --show-labels NAME NAMESPACE AGE LABELS 2252 farfaraway 2d19h app=r2-d2,class=droid,io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance 32496 farfaraway 2d23h app.kubernetes.io/name=tiefighter,class=tiefighter, io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=empire 60812 farfaraway 2d19h app.kubernetes.io/name=c-3po, class=droid,io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance

  18. @lizrice Is this traffic allowed? - fromEndpoints: - matchLabels: org:

    rebel-alliance Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1

  19. @lizrice Photo by Josh Tere on Unsplash Rebel alliance?

  20. @lizrice Identity / address spoofing - fromEndpoints: - matchLabels: org:

    rebel-alliance Traffic from 1.1.1.1 corresponds to Cilium ID 1234

  21. @lizrice Let’s come back to Network Policy

  22. @lizrice Network policy restricts traffic apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata:

    name: "droid" namespace: farfaraway spec: description: "Droid communication policy" endpointSelector: matchLabels: class: droid ingress: - fromEndpoints: - matchLabels: org: rebel-alliance authentication: mode: "required"

  23. @lizrice Is this traffic authenticated? - fromEndpoints: - matchLabels: org:

    rebel-alliance authentication: mode: "required" Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1 should be on Node 10.0.0.1 1.1.1.1 10.0.0.1 10.0.0.2

  24. @lizrice Is this traffic authenticated? 1.1.1.1 1.1.1.1 10.0.0.1 10.0.0.2 -

    fromEndpoints: - matchLabels: org: rebel-alliance authentication: mode: "required" Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1 should be on Node 10.0.0.1

  25. @lizrice SYN ACK Establishing TCP mTLS Handshake Client Hello Server

    Hello X.509 C-3PO X.509 R2-D2 Cilium agents use same handshake as mTLS Both endpoints are authenticated now Passes ingress network policy authentication check for R2-D2 <-> C-3PO Get R2-D2 X.509 Get C-3PO X.509

  26. @lizrice Cilium + SPIRE - transparent certificate mangement

  27. @lizrice Cilium Operator registers each identity with SPIRE kubectl exec

    -n cilium-spire spire-server-0 -c spire-server -- /opt/spire/bin/spire-server entry show -selector cilium:mutual-auth Found 10 entries Entry ID : 8e1cc610-69b0-474d-aa89-32fc2003fe81 SPIFFE ID : spiffe://spiffe.cilium/identity/2252 Parent ID : spiffe://spiffe.cilium/cilium-operator Revision : 0 X509-SVID TTL : default JWT-SVID TTL : default Selector : cilium:mutual-auth … Transparent certificate management

  28. @lizrice Authenticated connection Nov 7 13:54:13.518: farfaraway/c-3po:44494 (ID:52452) -> farfaraway/r2-d2:80

    (ID:18777) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN; Auth: SPIRE)

  29. @lizrice Cilium next-gen mutual authentication

  30. @lizrice After handshake, the traffic doesn’t have to be TCP

  31. @lizrice Authenticated connections don’t have to be encrypted

  32. @lizrice

  33. Thank you cilium/cilium @ciliumproject cilium.io Download from isovalent.com