Upgrade to Pro — share decks privately, control downloads, hide ads and more …

When is a Secure Connection not encrypted? And ...

Liz Rice
November 17, 2023
Technology
1
60

When is a Secure Connection not encrypted? And other stories

Many organizations use a Service Mesh to secure traffic between apps. This may use Mutual TLS, with a proxy terminating connections on behalf of apps. mTLS starts with a handshake to authenticate endpoint identities, and exchange certificates for subsequent traffic encryption. When encryption is needed but app authentication is not, approaches like WireGuard or IPSec may be more suitable. What about scenarios where authentication is important but encryption adds too much latency? With demos to make concepts concrete, let’s dive into Cilium's approach to authentication and encryption, and the differences between mTLS and in-kernel alternatives.

- Explore the mTLS handshake step-by-step
- Contrast with transparent encryption using node identities
- Understand where encryption takes place in different models
- Discuss options for encrypting L7 protocols other than HTTP

With a clear picture of how authentication and encryption work, you’ll be better able to assess which approach best meets your needs.

Liz Rice

November 17, 2023
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
220
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
130
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
560
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
42
Cloud Native eBPF Superpowers
lizrice
0
240

Other Decks in Technology

See All in Technology
Java x Spring Boot Warm up
kazu_kichi_67
2
490
[AWS JAPAN 生成AIハッカソン] Dialog の紹介
yoshimi0227
0
150
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
いまならこう作りたい AWSコンテナ[本格]入門ハンズオン 〜2024年版 ハンズオンの構想〜
horsewin
9
2.1k
Fargateを使った研修の話
takesection
0
110
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
3.9k
分布で見る効果検証入門 / ai-distributional-effect
cyberagentdevelopers
PRO
4
690
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
130
【若手エンジニア応援LT会】AWS Security Hubの活用に苦労した話
kazushi_ohata
0
160
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
640
10分でわかるfreeeのQA
freee
1
3.4k

Featured

See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Teambox: Starting and Learning
jrom
132
8.7k
Typedesign – Prime Four
hannesfritz
39
2.4k
How to Ace a Technical Interview
jacobian
275
23k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
167
49k
KATA
mclloyd
29
13k
Building Applications with DynamoDB
mza
90
6.1k
Ruby is Unlike a Banana
tanoku
96
11k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
92
16k
A designer walks into a library…
pauljervisheath
202
24k

Transcript

  1. When is a secure connection not encrypted? And other stories

    Liz Rice | @lizrice Chief Open Source Officer, Isovalent Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards

  2. @lizrice What do we mean by “secure connection”? 🤔💸

  3. @lizrice Hello, I’m Liz Hi! I’m your bank Great! Here’s

    $500 Authentication = establishing identity

  4. @lizrice Hello, I’m Liz Hi! I’m your bank Great! Here’s

    $500 Encryption

  5. @lizrice TLS and Mutual TLS

  6. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server symmetric session key symmetric session key TLS handshake

  7. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server X.509 Client symmetric session key symmetric session key mTLS handshake

  8. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server X.509 Client symmetric session key symmetric session key mTLS handshake upgrades a TCP connection to be authenticated and encrypted

  9. @lizrice Transparent encryption

  10. @lizrice Transparent encryption between nodes 10.0.0.1 key pair 10.0.0.2 key

    pair 10.0.0.1 10.0.0.2

  11. @lizrice WireGuard / IPsec WireGuard is a registered trademark of

    Jason A. Donenfeld “You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it.” Widely considered more secure but uses non-FIPS-compliant cryptography protocols Automated key rotation WireGuard Sets up and maintains tunnels between endpoints Can be FIPS-compliant IPsec Typically used for VPNs, tunnelling encrypted IP traffic encapsulated in UDP packets

  12. @lizrice Photo by Mulyadi on Unsplash

  13. @lizrice Droid conversation $ k get pods -o wide NAME

    READY STATUS RESTARTS AGE IP NODE c-3po 1/1 Running 0 3d17h 10.244.2.2 kind-worker2 r2-d2 1/1 Running 0 2d 10.244.1.16 kind-worker $ k exec -it c-3po -- curl r2-d2 beep! beep-bee-beep! beepeebeep!!

  14. @lizrice Examine traffic flowing on eth0 port No encryption root@kind-worker:/#

    tcpdump -i eth0 -A | grep beep tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes beep! beep-bee-beep! beepeebeep!! With WireGuard enabled $ cilium upgrade --reuse-values --set encryption.enabled=true --set encryption.type=wireguard root@kind-worker:/# tcpdump -i eth0 -A | grep beep tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

  15. @lizrice Restrict traffic with Cilium Network Policy

  16. @lizrice Network policy restricts traffic apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata:

    name: "droid" namespace: farfaraway spec: description: "Droid communication policy" endpointSelector: matchLabels: class: droid ingress: - fromEndpoints: - matchLabels: org: rebel-alliance

  17. @lizrice Cilium identity is derived from Kubernetes lables kubectl get

    ciliumidentities --show-labels NAME NAMESPACE AGE LABELS 2252 farfaraway 2d19h app=r2-d2,class=droid,io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance 32496 farfaraway 2d23h app.kubernetes.io/name=tiefighter,class=tiefighter, io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=empire 60812 farfaraway 2d19h app.kubernetes.io/name=c-3po, class=droid,io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance

  18. @lizrice Is this traffic allowed? - fromEndpoints: - matchLabels: org:

    rebel-alliance Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1

  19. @lizrice Photo by Josh Tere on Unsplash Rebel alliance?

  20. @lizrice Identity / address spoofing - fromEndpoints: - matchLabels: org:

    rebel-alliance Traffic from 1.1.1.1 corresponds to Cilium ID 1234

  21. @lizrice Let’s come back to Network Policy

  22. @lizrice Network policy restricts traffic apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata:

    name: "droid" namespace: farfaraway spec: description: "Droid communication policy" endpointSelector: matchLabels: class: droid ingress: - fromEndpoints: - matchLabels: org: rebel-alliance authentication: mode: "required"

  23. @lizrice Is this traffic authenticated? - fromEndpoints: - matchLabels: org:

    rebel-alliance authentication: mode: "required" Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1 should be on Node 10.0.0.1 1.1.1.1 10.0.0.1 10.0.0.2

  24. @lizrice Is this traffic authenticated? 1.1.1.1 1.1.1.1 10.0.0.1 10.0.0.2 -

    fromEndpoints: - matchLabels: org: rebel-alliance authentication: mode: "required" Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1 should be on Node 10.0.0.1

  25. @lizrice SYN ACK Establishing TCP mTLS Handshake Client Hello Server

    Hello X.509 C-3PO X.509 R2-D2 Cilium agents use same handshake as mTLS Both endpoints are authenticated now Passes ingress network policy authentication check for R2-D2 <-> C-3PO Get R2-D2 X.509 Get C-3PO X.509

  26. @lizrice Cilium + SPIRE - transparent certificate mangement

  27. @lizrice Cilium Operator registers each identity with SPIRE kubectl exec

    -n cilium-spire spire-server-0 -c spire-server -- /opt/spire/bin/spire-server entry show -selector cilium:mutual-auth Found 10 entries Entry ID : 8e1cc610-69b0-474d-aa89-32fc2003fe81 SPIFFE ID : spiffe://spiffe.cilium/identity/2252 Parent ID : spiffe://spiffe.cilium/cilium-operator Revision : 0 X509-SVID TTL : default JWT-SVID TTL : default Selector : cilium:mutual-auth … Transparent certificate management

  28. @lizrice Authenticated connection Nov 7 13:54:13.518: farfaraway/c-3po:44494 (ID:52452) -> farfaraway/r2-d2:80

    (ID:18777) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN; Auth: SPIRE)

  29. @lizrice Cilium next-gen mutual authentication

  30. @lizrice After handshake, the traffic doesn’t have to be TCP

  31. @lizrice Authenticated connections don’t have to be encrypted

  32. @lizrice

  33. Thank you cilium/cilium @ciliumproject cilium.io Download from isovalent.com