Describe the bug
It was observed in the case of IPv6-only clusters that the nameserver address of a POD might overlap with the IPv6 subnets the IPAM in Meridio hands out to Proxies.
Proxies consider such subnets as IP pools to allocate IPs for NSM connections between TAPA-Proxy and Proxy-LB. Thus traffic to DNS might be hijacked and sent out on these NSM interfaces in these PODs.
The symptom could be that certain targets do not handle traffic. (Usually the collocated proxy fails to establish a TCP connection to NSP through gRPC. But reconnecting to IPAM/NSP could also fail in TAPA/LB-FE/Proxy.)
Currently a hardcoded IPv6 Unique Local Address range is used by the IPAM, which cannot be modified.
But the issue also affects IPv4, as a similar address range collision might happen.
Note: routing to the nameserver relies on the POD's default route.
To Reproduce
Steps to reproduce the behavior:
You can try to manually inject a DNS config for proxy PODs with a nameserver address that is contained in the hardcoded IPAM ranges.
Expected behavior
DNS traffic must not be hijacked by NSM interfaces.
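The collision described above can be caught before a POD's DNS traffic is ever steered onto an NSM interface: read the nameserver addresses the POD was given and check whether any of them fall inside the prefixes the IPAM hands out. The following is an added example, not Meridio's own code. The resolv.conf content and the pool prefixes (fd00:10:96::/64, fd10:20::/32, 172.16.0.0/16) are constructed for the illustration; the real IPAM ranges are not stated in this issue and would have to be supplied by the operator.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// sampleResolvConf is a constructed /etc/resolv.conf as a POD might see it
// in a dual-stack or IPv6-only cluster (not taken from the issue).
const sampleResolvConf = `search default.svc.cluster.local svc.cluster.local
nameserver fd00:10:96::a
nameserver 10.96.0.10
options ndots:5
`

// samplePools stands in for the IPAM ranges handed out to Proxies. They are
// assumed values for this example; the issue does not list the real ranges.
var samplePools = []string{"fd00:10:96::/64", "fd10:20::/32", "172.16.0.0/16"}

// Overlap records one nameserver that would be routed into an IPAM pool.
type Overlap struct {
	Nameserver netip.Addr
	Pool       netip.Prefix
}

// ParseNameservers returns the "nameserver" entries found in resolv.conf text.
func ParseNameservers(resolvConf string) ([]netip.Addr, error) {
	var out []netip.Addr
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != "nameserver" {
			continue
		}
		a, err := netip.ParseAddr(fields[1])
		if err != nil {
			return nil, fmt.Errorf("bad nameserver %q: %w", fields[1], err)
		}
		out = append(out, a)
	}
	return out, sc.Err()
}

// ParsePools parses CIDR strings into canonical (masked) prefixes.
func ParsePools(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad pool %q: %w", c, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// FindOverlaps reports every (nameserver, pool) pair where the pool contains
// the nameserver. Unmap() makes IPv4-mapped IPv6 nameservers compare against
// IPv4 pools, which netip.Prefix.Contains would otherwise reject.
func FindOverlaps(nameservers []netip.Addr, pools []netip.Prefix) []Overlap {
	var hits []Overlap
	for _, ns := range nameservers {
		for _, p := range pools {
			if p.Contains(ns.Unmap()) {
				hits = append(hits, Overlap{Nameserver: ns, Pool: p})
			}
		}
	}
	return hits
}

// CheckResolvConf ties the steps together for one POD's resolv.conf and one
// set of pools; a non-empty result means DNS would be hijacked by an NSM route.
func CheckResolvConf(resolvConf string, cidrs []string) ([]Overlap, error) {
	ns, err := ParseNameservers(resolvConf)
	if err != nil {
		return nil, err
	}
	pools, err := ParsePools(cidrs)
	if err != nil {
		return nil, err
	}
	return FindOverlaps(ns, pools), nil
}

func main() {
	hits, err := CheckResolvConf(sampleResolvConf, samplePools)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range hits {
		fmt.Printf("nameserver %s lies inside IPAM pool %s\n", h.Nameserver, h.Pool)
	}
	if len(hits) == 0 {
		fmt.Println("no nameserver/IPAM overlap")
	}
}
```

Run as a readiness or pre-deployment check against the cluster's actual DNS service address and the IPAM configuration; any hit is the exact condition this issue describes and should block the rollout until the IPAM range is changed.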