NETOBSERV-2471: TLS usage tracking #815
Conversation
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
- Start implementing TLS, by reading the TLS header when present - Extract SSL version (not done yet for the handshake message) - Report the TLS version in output records
|
@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| if (enable_dns_tracking) { | ||
| dns_errno = track_dns_packet(skb, &pkt); | ||
| } | ||
| track_tls_version(skb, &pkt); |
There was a problem hiding this comment.
don't think its better if we have feature config for tracker like we do with all other features ? instead of enabling it by default ?
There was a problem hiding this comment.
yes I'll do that (although I would like to have it enabled by default if it doesn't show visible impact on perfs)
| if (pkt->ssl_version < aggregate_flow->ssl_version) { | ||
| aggregate_flow->ssl_version = pkt->ssl_version; | ||
| } | ||
| aggregate_flow->misc_flags |= MISC_FLAGS_SSL_MISMATCH; |
There was a problem hiding this comment.
is it better to have mismatch counter instead of flag ?
There was a problem hiding this comment.
the flag allows us to correlate precisely with a particular flow, and report that up to the UI
|
|
||
| // Extract TLS info | ||
| static inline void track_tls_version(struct __sk_buff *skb, pkt_info *pkt) { | ||
| if (pkt->id->transport_protocol == IPPROTO_TCP) { |
There was a problem hiding this comment.
do u think this work for STCP protocol too ?, not sure what is the story for DTLS ?
There was a problem hiding this comment.
I haven't digged into other protocols.. might be something to do if someone asks for it, but I believe TCP covers most of the expectations
| struct tcphdr *tcp = (struct tcphdr *)pkt->l4_hdr; | ||
| if (!tcp || ((void *)tcp + sizeof(*tcp) > data_end)) { | ||
| return; | ||
| } |
There was a problem hiding this comment.
does the verifier needs the above check given how late we call this tracker all headers should have been sane already ?
There was a problem hiding this comment.
Yes I had a verifier error without those checks
| }; | ||
|
|
||
| // Extract TLS info | ||
| static inline void track_tls_version(struct __sk_buff *skb, pkt_info *pkt) { |
There was a problem hiding this comment.
might be good idea to add return code and track failure at the caller since there many conditions check in this function and if things doesn't work it will be hard to debug.
might be good adding BPF_PRINTK() on failing checks ?
|
|
||
| switch (rec.content_type) { | ||
| case CONTENT_TYPE_HANDSHAKE: { | ||
| pkt->ssl_version = ((u16)rec.major) << 8 | rec.minor; |
There was a problem hiding this comment.
why setting it here if u really want handshake ssl version ?
There was a problem hiding this comment.
that's a fallback for the case where handshake header couldn't be read ... But I'm going to change that, actually perhaps we don't want the client-hello version at all, it doesn't tell what's actually going to be used
| case CONTENT_TYPE_ALERT: | ||
| case CONTENT_TYPE_APP_DATA: | ||
| pkt->ssl_version = ((u16)rec.major) << 8 | rec.minor; | ||
| break; |
There was a problem hiding this comment.
do u think adding SSL record type to the follow will be adding value to end user ?
There was a problem hiding this comment.
you mean adding it to the flow, like, as a bitfield? hmm why not ..
| #define CONTENT_TYPE_CHANGE_CIPHER 0x14 | ||
| #define CONTENT_TYPE_ALERT 0x15 | ||
| #define CONTENT_TYPE_HANDSHAKE 0x16 | ||
| #define CONTENT_TYPE_APP_DATA 0x17 |
There was a problem hiding this comment.
based on this gist it seems there also heartbeat
https://gist.github.com/coin8086/1cd0411447066a5a02be6a3e493479e2
There was a problem hiding this comment.
maybe something for the feature could be measuring the handshake latency ?
There was a problem hiding this comment.
But that would require a new map like we do for DNS, it's probably more impact on performance? If so, it should probably be a separate feature
| return; | ||
| } | ||
|
|
||
| switch (rec.content_type) { |
There was a problem hiding this comment.
This logic assume there is always tls record after tcp header this is not safe assumption we could have dns header here or any other header ??
There was a problem hiding this comment.
right, I should harden that a bit more; I've found unexpected TLSVersion during my tests probably because of that.
jotak
added
the
ok-to-test
|
New images: These will expire after two weeks. To deploy this build, run from the operator repo, assuming the operator is running: USER=netobserv VERSION=16db482 make set-agent-image |
|
@jotak: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
3 participants
Dependencies