SovereignCloudStack / issues


E2E Encryption between user services #531

Open fdobrovolny opened 7 months ago

fdobrovolny commented 7 months ago

In the current state, we want:

As an SCS Developer, I want to explore options for developing an E2E encryption for VMs, Magnum workloads, and container layers.

Part of this task is also to set requirements and user stories related to this functionality.

Definition of Ready:

Definition of Done:

fdobrovolny commented 7 months ago

This has been presented on the IaaS call:

### Encryption between user workloads (@fdobrovolny)

- 10 minutes
- Do we already have experience in doing this?
- We want to create a plugin for Neutron using eBPF to secure the traffic automatically between virtual machines :bee:
    - there might be cases where traffic is not routed the encrypted way
- We should have a look into upstream to achieve some collaboration on that topic
- SecuStack has experience in encrypting traffic
    - using special SmartNICs which do the encryption, because those are dedicated hardware, not tied to OpenStack
    - alternative approach in software (macsec) exists, incomplete
- What does the attacker model look like?
    - basically the user doesn't have encrypted traffic between workloads
    - if someone gains software access to the compute node, the attacker probably also has access to the private key and can decrypt the whole traffic
    - AI @fdobrovolny: create specific attacker models until next meeting
- AI VP04: Check Geneve/VXLAN encryption in OVN
    - Encrypting OVN tunnels with IPsec
    - RFC 8926 -> 6.1.1. Inter-Data Center Traffic

Out of this, a new task arose to prepare a specific threat modeling - https://github.com/SovereignCloudStack/issues/issues/532

fdobrovolny commented 7 months ago
fdobrovolny commented 6 months ago

Status update:

Threat modeling has been finished (#532). I will write upstream to gain some additional feedback.

Based on the presentation of #532 and feedback in the IaaS team, we have started work on:

fdobrovolny commented 6 months ago

Status update:

We discussed task #536 with the team and @bitkeks and, given time constraints and viability, we selected VXLANs with IPsec tunnels as the solution we want to move forward with.

As the next step we elected to create a PoC in the testbed (#591).

As there was no feedback from upstream I closed task #532.

I will detail our findings and reasoning more in #536 before closing it.

In addition, we seek to present our proposal on the next neutron/kolla vPTG to gather additional feedback.

Once a PoC is created and the additional questions raised in #536 are addressed, we would like to aim at getting an ADR and then start work on this topic.

fdobrovolny commented 2 months ago

Epic update:

There has been a little bit of work done on #675 and inside PR https://github.com/SovereignCloudStack/standards/pull/655. @OgarOgarovic will take over from me. For now it is a really early draft and it's not worth spending time reading or reviewing it so far.

There has also been work done on the PoC, mainly in two PRs: https://github.com/SovereignCloudStack/kolla-ansible/pull/4/files and https://github.com/fdobrovolny/kolla/pull/1 (this is on my private account because, due to the DCO check, it is impossible to update the organization fork in https://github.com/SovereignCloudStack/kolla-ansible). The proof of concept introduces Ansible roles and a new kolla Docker image responsible for setting up ovs-ipsec and generating certificates for each machine. This was the solution based on the feedback from the vPTG. As ovs-ipsec is not made to be run inside a Docker container, there have been some major hurdles in that regard; it's still not pretty, but it works and I'm successfully able to ping a different VM via the IPsec tunnel. @OgarOgarovic will take over from me.
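The ovs-ipsec setup the PoC describes (a key pair and certificate per compute node, VXLAN tunnels that ovs-monitor-ipsec protects with IPsec), as an added example that is not the PoC's, kolla-ansible's or Open vSwitch's own code: it wraps the documented `ovs-pki`/`ovs-vsctl` calls and adds an audit for tunnel ports that were created without any IPsec option, which is the plaintext case from the attacker model above. Bridge name, port names, node names, the 192.0.2.2 peer address and the `/etc/openvswitch` paths are assumptions.

```shell
#!/bin/sh
# Added example, not the SCS PoC code: set up one OVS VXLAN tunnel between two
# compute nodes with IPsec enforced via per-node self-signed certificates
# (Open vSwitch's ovs-ipsec/ovs-monitor-ipsec), plus an audit for tunnels
# that were added without IPsec. Assumes ovs-vsctl, ovs-pki and ovs-monitor-ipsec
# are installed and the peer's certificate was already copied to this node.
set -eu
: "${DRY_RUN:=0}"   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Generate this node's key pair and self-signed certificate with ovs-pki;
# writes <name>-privkey.pem and <name>-cert.pem in the current directory.
make_node_cert() {
    run ovs-pki req -u "$1"
}

# add_ipsec_vxlan BRIDGE PORT REMOTE_IP LOCAL_CERT LOCAL_KEY REMOTE_CERT
# With certificate/private_key/remote_cert set on the interface,
# ovs-monitor-ipsec installs IPsec policies for this peer, so the VXLAN
# traffic is encrypted and authenticated rather than sent in clear text.
add_ipsec_vxlan() {
    run ovs-vsctl add-port "$1" "$2" -- set interface "$2" \
        type=vxlan \
        "options:remote_ip=$3" \
        "options:certificate=$4" \
        "options:private_key=$5" \
        "options:remote_cert=$6"
}

# Return 0 if an interface "options" map (as printed by
# `ovs-vsctl get interface PORT options`) requests IPsec, i.e. carries a
# certificate or a pre-shared key; any other VXLAN port is plaintext.
options_require_ipsec() {
    case "$1" in
        *certificate=*|*psk=*) return 0 ;;
        *) return 1 ;;
    esac
}

# List VXLAN ports on this node that would carry tenant traffic unencrypted.
audit_plaintext_tunnels() {
    for port in $(ovs-vsctl --bare --columns=name find interface type=vxlan); do
        opts=$(ovs-vsctl get interface "$port" options)
        options_require_ipsec "$opts" || printf 'PLAINTEXT: %s\n' "$port"
    done
}
```

Run `make_node_cert node1` on each node, exchange the `*-cert.pem` files, then call `add_ipsec_vxlan` on both sides; `audit_plaintext_tunnels` afterwards should print nothing.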