spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

Feature Request: NodeAttestor based on IP address #3052

Closed lucaserafini-dev closed 2 years ago

lucaserafini-dev commented 2 years ago

Hi SPIRE Community, I'm trying to use your project in a non-cloud environment. As per my understanding, currently the only way to make SPIRE Agent authenticate with SPIRE Server is to share a secret between the Agent machine and the Server machine (token, certificate, whatever...)

If we create a NodeAttestor based on IP address, the agent will be automatically authenticated through parameters which can be verified by reading the IP field in the request of the SPIRE Agent

What do you think about it? Let me know if you need more details

azdagron commented 2 years ago

Hi @lucaserafini-dev, thank you for opening this issue.

In general, relying on a network location (e.g. IP address) to positively identify an agent or workload is fundamentally against the principles of Zero Trust Networking.

There are instances where we have considered taking a feature that would use IP Addresses to scope what agents were allowed to attest (#1273) but this would be more of a safety check, rather than a primary means of identification.

lucaserafini-dev commented 2 years ago

Hi @azdagron, thanks for the reply. Can I ask you which principle is being violated?

I think there is no way to steal an IP without compromising the company's entire network. As a plus, if we use the IP address to identify agents we can solve the Secret Zero problem.

I'll give you an example of what I thought:

azdagron commented 2 years ago

The concept of zero trust networking is that you cannot wholly trust your network. For example, ARP poisoning is still a viable means to confuse the network as to who owns an IP address. This kind of node attestation could conceivably allow for lateral movement by an attacker who compromises one host in the network. Generally speaking, the IP address isn't reliable for strong attestation.

That being said, if your risk assessment is different and you feel more confident in your particular deployment environment, you can of course write your own NodeAttestor plugin.
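The distinction drawn in the two comments above (IP address as a safety check that scopes where an attested agent may connect from, never as the primary means of identification) as an added Go example; this is not SPIRE's code and not part of the thread, and every type, name and address range in it is constructed for the illustration. A primary attestor decides who the agent is; the scope policy then only rejects attested agents arriving from outside their expected range, and an address match without attestation is refused.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)
// AttestedNode is what a primary node attestor (join token, x509pop, a cloud or
// TPM attestor) reports. Constructed for this example; not a SPIRE API type.
type AttestedNode struct {
	SPIFFEID string // e.g. spiffe://example.org/spire/agent/join_token/node-a
	Attested bool   // false when the primary attestor did not vouch for the agent
}

// ScopePolicy maps an attested agent ID to the address ranges it may connect from; it never turns an address into an identity.
type ScopePolicy map[string][]*net.IPNet

var ErrNotAttested = errors.New("no primary attestation: an IP address is not an identity")
var ErrBadAddr = errors.New("peer address is not a parseable ip:port")
var ErrNoScope = errors.New("attested agent has no allowed address range (fail closed)")
var ErrOutOfScope = errors.New("attested agent connected from outside its allowed range")
// Check runs after primary attestation: unattested peers are rejected outright,
// attested ones must arrive from inside their allowed range.
func (p ScopePolicy) Check(node AttestedNode, remoteAddr string) error {
	if !node.Attested {
		return ErrNotAttested
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host) // nil when SplitHostPort failed or host is not an IP literal
	if err != nil || ip == nil {
		return ErrBadAddr
	}
	nets, ok := p[node.SPIFFEID]
	if !ok {
		return ErrNoScope
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return nil
		}
	}
	return ErrOutOfScope
}

func main() {
	_, lan, _ := net.ParseCIDR("10.0.1.0/24") // constructed range for the example
	const id = "spiffe://example.org/spire/agent/join_token/node-a"
	p := ScopePolicy{id: {lan}}
	fmt.Println(p.Check(AttestedNode{id, false}, "10.0.1.7:41000")) // right address, no attestation: rejected
}
```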

azdagron commented 2 years ago

I'll go ahead and close this for now. Please let me know if you'd like further discussion.