Upgrade to Pro — share decks privately, control downloads, hide ads and more …

When is a Secure Connection not encrypted? And ...

Liz Rice
November 17, 2023

When is a Secure Connection not encrypted? And other stories

Many organizations use a Service Mesh to secure traffic between apps. This may use Mutual TLS, with a proxy terminating connections on behalf of apps. mTLS starts with a handshake to authenticate endpoint identities, and exchange certificates for subsequent traffic encryption. When encryption is needed but app authentication is not, approaches like WireGuard or IPSec may be more suitable. What about scenarios where authentication is important but encryption adds too much latency? With demos to make concepts concrete, let’s dive into Cilium's approach to authentication and encryption, and the differences between mTLS and in-kernel alternatives.

- Explore the mTLS handshake step-by-step
- Contrast with transparent encryption using node identities
- Understand where encryption takes place in different models
- Discuss options for encrypting L7 protocols other than HTTP

With a clear picture of how authentication and encryption work, you’ll be better able to assess which approach best meets your needs.

Liz Rice

November 17, 2023
Tweet

More Decks by Liz Rice

Other Decks in Technology

Transcript

  1. When is a secure connection not encrypted? And other stories

    Liz Rice | @lizrice Chief Open Source Officer, Isovalent Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards
  2. @lizrice Hello, I’m Liz Hi! I’m your bank Great! Here’s

    $500 Authentication = establishing identity
  3. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server symmetric session key symmetric session key TLS handshake
  4. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server X.509 Client symmetric session key symmetric session key mTLS handshake
  5. @lizrice SYN ACK Encrypted data Establishing TCP Handshake Client Hello

    Server Hello X.509 Server X.509 Client symmetric session key symmetric session key mTLS handshake upgrades a TCP connection to be authenticated and encrypted
  6. @lizrice WireGuard / IPsec WireGuard is a registered trademark of

    Jason A. Donenfeld “You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it.” Widely considered more secure but uses non-FIPS-compliant cryptography protocols Automated key rotation WireGuard Sets up and maintains tunnels between endpoints Can be FIPS-compliant IPsec Typically used for VPNs, tunnelling encrypted IP traffic encapsulated in UDP packets
  7. @lizrice Droid conversation $ k get pods -o wide NAME

    READY STATUS RESTARTS AGE IP NODE c-3po 1/1 Running 0 3d17h 10.244.2.2 kind-worker2 r2-d2 1/1 Running 0 2d 10.244.1.16 kind-worker $ k exec -it c-3po -- curl r2-d2 beep! beep-bee-beep! beepeebeep!!
  8. @lizrice Examine traffic flowing on eth0 port No encryption root@kind-worker:/#

    tcpdump -i eth0 -A | grep beep tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes beep! beep-bee-beep! beepeebeep!! With WireGuard enabled $ cilium upgrade --reuse-values --set encryption.enabled=true --set encryption.type=wireguard root@kind-worker:/# tcpdump -i eth0 -A | grep beep tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
  9. @lizrice Network policy restricts traffic apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata:

    name: "droid" namespace: farfaraway spec: description: "Droid communication policy" endpointSelector: matchLabels: class: droid ingress: - fromEndpoints: - matchLabels: org: rebel-alliance
  10. @lizrice Cilium identity is derived from Kubernetes lables kubectl get

    ciliumidentities --show-labels NAME NAMESPACE AGE LABELS 2252 farfaraway 2d19h app=r2-d2,class=droid,io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance 32496 farfaraway 2d23h app.kubernetes.io/name=tiefighter,class=tiefighter, io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=empire 60812 farfaraway 2d19h app.kubernetes.io/name=c-3po, class=droid,io.cilium.k8s.policy.cluster=default, io.cilium.k8s.policy.serviceaccount=default, io.kubernetes.pod.namespace=farfaraway,org=rebel-alliance
  11. @lizrice Is this traffic allowed? - fromEndpoints: - matchLabels: org:

    rebel-alliance Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1
  12. @lizrice Identity / address spoofing - fromEndpoints: - matchLabels: org:

    rebel-alliance Traffic from 1.1.1.1 corresponds to Cilium ID 1234
  13. @lizrice Network policy restricts traffic apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata:

    name: "droid" namespace: farfaraway spec: description: "Droid communication policy" endpointSelector: matchLabels: class: droid ingress: - fromEndpoints: - matchLabels: org: rebel-alliance authentication: mode: "required"
  14. @lizrice Is this traffic authenticated? - fromEndpoints: - matchLabels: org:

    rebel-alliance authentication: mode: "required" Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1 should be on Node 10.0.0.1 1.1.1.1 10.0.0.1 10.0.0.2
  15. @lizrice Is this traffic authenticated? 1.1.1.1 1.1.1.1 10.0.0.1 10.0.0.2 -

    fromEndpoints: - matchLabels: org: rebel-alliance authentication: mode: "required" Traffic from 1.1.1.1 corresponds to Cilium ID 1234 1.1.1.1 should be on Node 10.0.0.1
  16. @lizrice SYN ACK Establishing TCP mTLS Handshake Client Hello Server

    Hello X.509 C-3PO X.509 R2-D2 Cilium agents use same handshake as mTLS Both endpoints are authenticated now Passes ingress network policy authentication check for R2-D2 <-> C-3PO Get R2-D2 X.509 Get C-3PO X.509
  17. @lizrice Cilium Operator registers each identity with SPIRE kubectl exec

    -n cilium-spire spire-server-0 -c spire-server -- /opt/spire/bin/spire-server entry show -selector cilium:mutual-auth Found 10 entries Entry ID : 8e1cc610-69b0-474d-aa89-32fc2003fe81 SPIFFE ID : spiffe://spiffe.cilium/identity/2252 Parent ID : spiffe://spiffe.cilium/cilium-operator Revision : 0 X509-SVID TTL : default JWT-SVID TTL : default Selector : cilium:mutual-auth … Transparent certificate management
  18. @lizrice Authenticated connection Nov 7 13:54:13.518: farfaraway/c-3po:44494 (ID:52452) -> farfaraway/r2-d2:80

    (ID:18777) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN; Auth: SPIRE)