我的书签
添加书签
移除书签IPsec configuration with VPP
Big picture
Enable IPsec encryption for the traffic flowing between the nodes.
Value
IPsec is the fastest option to encrypt the traffic between nodes. It enables blanket application traffic encryption with very little performance impact.
Before you begin…
To enable IPsec encryption, you will need a Kubernetes cluster with:
- the VPP dataplane configured
- IP-in-IP encapsulation configured between the nodes
How to
Create the IKEv2 PSK
Create a Kubernetes secret that contains the PSK used for the IKEv2 exchange between the nodes. You can use the following command to create a random PSK. It will generate a unique random key. You may also replace the part after psk= with a key of your choice.
kubectl -n calico-vpp-dataplane create secret generic calicovpp-ipsec-secret \--from-literal=psk="$(dd if=/dev/urandom bs=1 count=36 2>/dev/null | base64)"
Configure the VPP dataplane
To enable IPsec, you first need to enable the ipsec feature in the calico-vpp-config ConfigMap.
You can do so with the following kubectl command:
kubectl -n calico-vpp-dataplane patch configmap calico-vpp-config --patch "data:CALICOVPP_FEATURE_GATES: |-{\"ipsecEnabled\": true}"
You then need to configure the calico-vpp agent to pass it the key we previously created.
kubectl -n calico-vpp-dataplane patch daemonset calico-vpp-node --patch "spec:template:spec:containers:- name: agentenv:- name: CALICOVPP_IPSEC_IKEV2_PSKvalueFrom:secretKeyRef:name: calicovpp-ipsec-secretkey: psk"
Once IPsec is enabled, all the traffic that uses IP-in-IP encapsulation in the cluster will be automatically encrypted.
Next steps
Verify encryption
To verify that the traffic is encrypted, open a VPP debug CLI session to check the configuration with calivppctl
calivppctl vppctl my-k8s-node-1# Alternatively this translates to the following CLIkubectl -n calico-vpp-dataplane exec calico-vpp-node-XXXX -c vpp -- vppctl
Then at the vpp# prompt, you can run the following commands:
show ikev2 profilewill list the configured IKEv2 profiles, there should be one per other node in your cluster
As an example on a three-node cluster
vpp# show ikev2 profileprofile pr_172_19_0_5_to_172_19_0_3auth-method shared-key-mic auth data somekeysomekeysomekeysomekeylocal id-type ip4-addr data 172.19.0.5remote id-type ip4-addr data 172.19.0.3protected tunnel ipip0responder host-eth0 172.19.0.3ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048esp-crypto-alg aes-gcm-16 256 esp-integ-alg nonelifetime 0 jitter 0 handover 0 maxdata 0profile pr_172_19_0_5_to_172_19_0_6auth-method shared-key-mic auth data somekeysomekeysomekeysomekeylocal id-type ip4-addr data 172.19.0.5remote id-type ip4-addr data 172.19.0.6protected tunnel ipip1lifetime 0 jitter 0 handover 0 maxdata 0profile pr_172_19_0_5_to_172_19_0_4auth-method shared-key-mic auth data somekeysomekeysomekeysomekeylocal id-type ip4-addr data 172.19.0.5remote id-type ip4-addr data 172.19.0.4protected tunnel ipip2responder host-eth0 172.19.0.4ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048esp-crypto-alg aes-gcm-16 256 esp-integ-alg nonelifetime 0 jitter 0 handover 0 maxdata 0
show ipip tunnelwill list the interfaces configured in VPP.
vpp# show ipip tunnel[0] instance 0 src 172.19.0.5 dst 172.19.0.3 table-ID 0 sw-if-idx 9 flags [none] dscp CS0[1] instance 1 src 172.19.0.5 dst 172.19.0.6 table-ID 0 sw-if-idx 10 flags [none] dscp CS0[2] instance 2 src 172.19.0.5 dst 172.19.0.4 table-ID 0 sw-if-idx 11 flags [none] dscp CS0
show interfacewill show all the interfaces present in VPP with their corresponding states. This includes the ipip interfaces (which correspond to the IPsec tunnels) which should be up.
vpp# show interface...ipip0 9 up 9000/0/0/0ipip1 10 up 9000/0/0/0 rx packets 1496rx bytes 387772tx packets 1687tx bytes 662236ip4 1496ipip2 11 up 9000/0/0/0
show ipsec protectshows the SAs being configured on each ipip tunnel. There should be two SAs by ipip tunnel.
vpp# show ipsec protectipip0 flags:[none]output-sa:[0] sa 2147483648 (0x80000000) spi 2056367583 (0x7a91addf) protocol:esp flags:[esn anti-replay aead ctr ]input-sa:[1] sa 3221225472 (0xc0000000) spi 1916941699 (0x72423583) protocol:esp flags:[esn anti-replay inbound aead ctr ]ipip2 flags:[none]output-sa:[2] sa 2147487744 (0x80001000) spi 1305186871 (0x4dcb9237) protocol:esp flags:[esn anti-replay aead ctr ]input-sa:[3] sa 3221229568 (0xc0001000) spi 1107274174 (0x41ffa9be) protocol:esp flags:[esn anti-replay inbound aead ctr ]ipip1 flags:[none]output-sa:[4] sa 2147491840 (0x80002000) spi 3581762498 (0xd57d5bc2) protocol:esp flags:[esn anti-replay aead ctr ]input-sa:[5] sa 3221233664 (0xc0002000) spi 3002607689 (0xb2f82849) protocol:esp flags:[esn anti-replay inbound aead ctr ]
- You can see the full list of Security Associations (SAs) with
show ipsec sa.
vpp# show ipsec sa[0] sa 2147483648 (0x80000000) spi 2056367583 (0x7a91addf) protocol:esp flags:[esn anti-replay aead ctr ][1] sa 3221225472 (0xc0000000) spi 1916941699 (0x72423583) protocol:esp flags:[esn anti-replay inbound aead ctr ][2] sa 2147487744 (0x80001000) spi 1305186871 (0x4dcb9237) protocol:esp flags:[esn anti-replay aead ctr ][3] sa 3221229568 (0xc0001000) spi 1107274174 (0x41ffa9be) protocol:esp flags:[esn anti-replay inbound aead ctr ][4] sa 2147491840 (0x80002000) spi 3581762498 (0xd57d5bc2) protocol:esp flags:[esn anti-replay aead ctr ][5] sa 3221233664 (0xc0002000) spi 3002607689 (0xb2f82849) protocol:esp flags:[esn anti-replay inbound aead ctr ]
You can also capture the traffic flowing between the nodes to verify that it is encrypted.
