confidential-containers / cloud-api-adaptor

Ability to create Kata pods using cloud provider APIs aka the peer-pods approach
Apache License 2.0

Vxlan Encryption - using Secure Comms #1848

Open davidhadas opened 4 months ago

davidhadas commented 4 months ago

To date, the vxlan traffic from peer pods to the cluster is not encrypted.

With the introduction of Secure Comms for Peer Pods (PP), it is possible to open tunnels between the PP and Worker Node (WN) to allow forwarding communication between them, utilizing the security mechanism already established by SSH.

That is, any communication transferred via a Secure Comms tunnel is secured without the need to introduce additional certificates, key pairs or shared keys.

It is therefore desired to add support for transporting the vxlan traffic via a Secure Comms tunnel.

davidhadas commented 3 months ago

vxlan seems to have limitations affecting what we can and cannot do.

  1. It listens always on all interfaces (0.0.0.0:)
  2. It sends only to the port number it listens on

When combined, this means we are required to use a second NS to capture the vxlan traffic locally and send it over Secure Comms.

Additionally, we need to better control what traffic reaches the vxlan underlay. Having the vxlan underlay listening on all interfaces as in 0.0.0.0: is a security issue which we need to close. This is also solved when we add a NS...

For reference see

This is the current test environment for vxlan, slightly modified for our needs:

image

Here is the test environment that we seem to need for running vxlan on secure comms - note the extra NS on each PP and at the WN.

image

A similar change will be needed in cloud-api-adaptor when we implement vxlan on top of SecureComms.
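The extra namespace discussed above, as an added example (not code from cloud-api-adaptor or the author): a POSIX shell script that confines the vxlan underlay socket to its own network namespace and audits `ss -ulnH` output for wildcard UDP listeners on the vxlan port. The namespace and device names, the 169.254.77.0/30 veth addresses, VNI 42, and the idea that a forwarder into the Secure Comms tunnel sits on the host end of the veth pair are assumptions; the setup requires root.

```shell
set -eu
# Print UDP listeners bound to a wildcard address on port $1 (stdin: `ss -ulnH`); exit 0 if any, else 1.
vxlan_wildcard_listeners() {
  awk -v p="$1" '
    {
      n = split($4, a, ":"); addr = $4; sub(":" a[n] "$", "", addr)
      if (a[n] == p && (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")) {
        print; found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# Create the extra namespace the comment describes (names/addresses assumed; root).
# The vxlan device exists only inside the NS, so its 0.0.0.0 bind is reachable
# solely via the veth pair; the host end (169.254.77.1) is assumed to be where a
# forwarder into the Secure Comms tunnel receives the encapsulated packets.
setup_vxlan_ns() {
  ns="${1:-vxlan-ns}"; vni="${2:-42}"; port="${3:-4789}"
  ip netns add "$ns"
  ip link add "veth-$ns" type veth peer name veth-vxlan
  ip link set veth-vxlan netns "$ns"
  ip addr add 169.254.77.1/30 dev "veth-$ns"
  ip link set "veth-$ns" up
  ip -n "$ns" link set lo up
  ip -n "$ns" addr add 169.254.77.2/30 dev veth-vxlan
  ip -n "$ns" link set veth-vxlan up
  ip -n "$ns" link add vxlan0 type vxlan id "$vni" dstport "$port" \
      local 169.254.77.2 remote 169.254.77.1 dev veth-vxlan
  ip -n "$ns" link set vxlan0 up
}

# Audit: no wildcard vxlan listener in the host namespace, and one present inside the NS.
audit_vxlan() {
  ns="${1:-vxlan-ns}"; port="${2:-4789}"
  if ss -ulnH | vxlan_wildcard_listeners "$port"; then
    echo "FAIL: vxlan port $port bound to a wildcard address on the host" >&2; return 1
  fi
  ip netns exec "$ns" ss -ulnH | vxlan_wildcard_listeners "$port"
}
# Constructed `ss -ulnH` sample so the check can be exercised offline.
SAMPLE_SS='UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 0.0.0.0:4789 0.0.0.0:*
UNCONN 0 0 10.0.0.5:4789 0.0.0.0:*
UNCONN 0 0 [::]:4789 [::]:*'
case "${1:-}" in
  setup) setup_vxlan_ns ;;
  audit) audit_vxlan ;;
  *) printf '%s\n' "$SAMPLE_SS" | vxlan_wildcard_listeners 4789 ;;
esac
```

Run with `setup` (as root) to create the namespace, `audit` to verify that the wildcard bind is confined to it, or no argument to exercise the check on the constructed sample.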