Protecting against L2 Network Attackers

Story: 2010940 Task: 50151 Change-Id: If7ffcf0ffb81d0f7952cd92167b992550e7e191e Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-08-16 19:55:17 +00:00
parent dddfd0e6b6
commit b029465b58
6 changed files with 197 additions and 0 deletions
--- a/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst
+++ b/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst
@@ -210,6 +210,34 @@ commands on the |AIO-SX| subcloud.

    Wait for the controller to reset and come back up to an operational state.

+#.  Config and enable IPsec on the controller.
+
+    .. code-block:: none
+
+        ~(keystone_admin)$ sudo ipsec-client pxecontroller
+
+    This is only needed on controller-0.
+    The command should complete successfully as following:
+
+    .. code-block:: none
+
+        ~(keystone_admin)$ sudo ipsec-client pxecontroller
+
+        2024-08-07 20:43:28.622 182204 INFO sysinv.ipsec_auth.client.client [-] Connecting to pxecontroller port 64764
+        2024-08-07 20:43:28.630 182204 INFO sysinv.ipsec_auth.client.client [-] Sending IPSec Auth request
+        2024-08-07 20:43:36.521 182204 INFO sysinv.ipsec_auth.client.client [-] Received IPSec Auth response
+        2024-08-07 20:43:36.765 182204 INFO sysinv.ipsec_auth.client.client [-] Generate RSA Private Key (PRK2).
+        2024-08-07 20:43:37.029 182204 INFO sysinv.ipsec_auth.client.client [-] Generate AES Key (AK1).
+        2024-08-07 20:43:37.029 182204 INFO sysinv.ipsec_auth.client.client [-] Generate Certificate Signing Request (CSR).
+        2024-08-07 20:43:37.033 182204 INFO sysinv.ipsec_auth.client.client [-] Encrypt CSR w/ AK1.
+        2024-08-07 20:43:37.035 182204 INFO sysinv.ipsec_auth.client.client [-] Encrypt AK1 and IV w/ PUK1
+        2024-08-07 20:43:37.038 182204 INFO sysinv.ipsec_auth.client.client [-] Hash OTS Token, eAK1 and eCSR.
+        2024-08-07 20:43:37.041 182204 INFO sysinv.ipsec_auth.client.client [-] Sending IPSec Auth CSR request
+        2024-08-07 20:43:38.541 182204 INFO sysinv.ipsec_auth.client.client [-] Received IPSec Auth CSR response
+        2024-08-07 20:43:38.544 182204 INFO sysinv.ipsec_auth.client.client [-] Generating config files and restart ipsec
+        2024-08-07 20:43:53.141 182204 INFO sysinv.ipsec_auth.client.client [-] Shutting down
+
+
 #.  Software install and configure the second controller for the subcloud.

    For instructions on installing and configuring controller-1 in an
--- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
+++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
@@ -153,6 +153,18 @@ Vault Secret and Data Management
   configure-vault-using-the-cli
   remove-vault

+***************************
+IPsec on Management Network
+***************************
+
+.. toctree::
+   :maxdepth: 1
+
+   ipsec-overview-680c2dcfbf3b
+   ipsec-configuration-and-enabling-f70964bc49d1
+   ipsec-certificates-2c0655a2a888
+   ipsec-clis-5f38181d077f
+
 **************************************
 Encrypt Kubernetes Secret Data at Rest
 **************************************
--- a/doc/source/security/kubernetes/ipsec-certificates-2c0655a2a888.rst
+++ b/doc/source/security/kubernetes/ipsec-certificates-2c0655a2a888.rst
@@ -0,0 +1,37 @@
+.. WARNING: Add no lines of text between the label immediately following
+.. and the title.
+
+.. _ipsec-certificates-2c0655a2a888:
+
+==================
+IPSec Certificates
+==================
+
+|prod| uses x509 certificate for IPsec authentication. The following are IPsec
+related certificates.
+
+* Certificates in /etc/swanctl/x509/ directory
+    Files in this directory are the IPsec certificates for peer
+    authentication and SA establishment. They are issued by system-local-ca
+    managed by cert-manager.
+* Private keys in /etc/swanctl/private/ directory
+    Files in this directory are the corresponding private keys of the IPsec
+    certificates in /etc/swanctl/x509/ directory. Together with the
+    certificates, they are used for IPsec authentication and SA establishment.
+
+IPsec certificates are valid for 3 months by default. They are monitored and
+renewed automatically by the Platform. The IPsec certificates are renewed
+(along with the corresponding private keys) when the certificates are within
+15 days of expiration.
+
+* Certificates in /etc/swanctl/x509ca/ directory
+    Files in this directory are the root |CA| and intermediate |CA| certificates.
+    These are the CA certificates that sign the IPsec certificates. With these
+    |CA| certificates, a full certificate chain is established. They are used
+    by IPsec to authenticate peers and SA establishment.
+
+When the system's root |CA| certificate is updated (by user running
+``update_platform_certificates.yml`` for example), the certificates for IPsec,
+including IPsec certificates, corresponding private keys and CA certificates,
+will all be updated accordingly.
+
--- a/doc/source/security/kubernetes/ipsec-clis-5f38181d077f.rst
+++ b/doc/source/security/kubernetes/ipsec-clis-5f38181d077f.rst
@@ -0,0 +1,49 @@
+.. WARNING: Add no lines of text between the label immediately following
+.. and the title.
+
+.. _ipsec-clis-5f38181d077f:
+
+==========
+IPsec CLIs
+==========
+
+``swanctl`` is strongSwan's configuration, controlling and monitoring command
+line interface. It has to be run as root or by sudo.
+
+The command :command:`swanctl --help` will show all the available subcommands.
+
+.. code-block:: none
+
+    ~(keystone_admin)]$ sudo swanctl --list --help 
+
+    usage:
+    swanctl --counters         (-C)  list or reset IKE event counters
+    swanctl --initiate         (-i)  initiate a connection
+    swanctl --terminate        (-t)  terminate a connection
+    swanctl --rekey            (-R)  rekey an SA
+    swanctl --redirect         (-d)  redirect an IKE_SA
+    swanctl --uninstall        (-u)  uninstall a trap or shunt policy
+    swanctl --install          (-p)  install a trap or shunt policy
+    swanctl --list-sas         (-l)  list currently active IKE_SAs
+    swanctl --monitor-sa       (-m)  monitor for IKE_SA and CHILD_SA changes
+    swanctl --list-pols        (-P)  list currently installed policies
+    swanctl --list-authorities (-B)  list loaded authority configurations
+    swanctl --list-conns       (-L)  list loaded configurations
+    swanctl --list-certs       (-x)  list stored certificates
+    swanctl --list-pools       (-A)  list loaded pool configurations
+    swanctl --list-algs        (-g)  show loaded algorithms
+    swanctl --flush-certs      (-f)  flush cached certificates
+    swanctl --load-all         (-q)  load credentials, authorities, pools and connections
+    swanctl --load-authorities (-b)  (re-)load authority configuration
+    swanctl --load-conns       (-c)  (re-)load connection configuration
+    swanctl --load-creds       (-s)  (re-)load credentials
+    swanctl --load-pools       (-a)  (re-)load pool configuration
+    swanctl --log              (-T)  trace logging output
+    swanctl --version          (-v)  show version information
+    swanctl --stats            (-S)  show daemon stats information
+    swanctl --reload-settings  (-r)  reload daemon strongswan.conf
+    swanctl --help             (-h)  show usage information
+
+``swanctl`` CLIs can be used for checking IPsec status and verifying configurations.
+Do not make any changes to IPsec using these commands.
+
--- a/doc/source/security/kubernetes/ipsec-configuration-and-enabling-f70964bc49d1.rst
+++ b/doc/source/security/kubernetes/ipsec-configuration-and-enabling-f70964bc49d1.rst
@@ -0,0 +1,53 @@
+.. WARNING: Add no lines of text between the label immediately following
+.. and the title.
+
+.. _ipsec-configuration-and-enabling-f70964bc49d1:
+
+==========================
+Configure and Enable IPsec
+==========================
+
+IPsec is configured and enabled on management network for multi node systems
+by default during system deployment. For the first controller, it is configured
+and enabled by ansible playbook during bootstrap. For the rest of the nodes in
+the system, it is configured and enabled at first reboot during the host 
+installation.
+
+IPsec status can be verified by ``swanctl`` CLIs, refer to :ref:`ipsec-clis-5f38181d077f` section for useful commands.
+
+The most useful command to check IPsec status is: :command:`swanctl --list-sa` 
+
+This command lists the established IPsec connections and SAs (Security Associations).
+
+An example output is as following:
+
+.. code-block:: none
+
+    ~(keystone_admin)]$ sudo swanctl --list-sa
+    Password:
+    system-nodes: #162, ESTABLISHED, IKEv2, 7e224579c2034a09_i ad8a74ef1621ebcb_r*
+    local  'CN=ipsec-controller-0' @ 192.168.101.2[500]
+    remote 'CN=ipsec-controller-1' @ 192.168.101.4[500]
+    AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
+    established 1054s ago, rekeying in 1589s, reauth in 9033s
+    node: #7, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
+        installed 671s ago, rekeying in 2622s, expires in 3289s
+        in  c61b1765, 1107991 bytes, 10275 packets,     0s ago
+        out c38189c2, 113928 bytes,  1332 packets,   616s ago
+        local  192.168.101.2/32
+        remote 192.168.101.4/32
+    system-nodes: #161, ESTABLISHED, IKEv2, 7efa2401684f7927_i* d35349b7c7aa2b13_r
+    local  'CN=ipsec-controller-0' @ 192.168.101.3[500]
+    remote 'CN=ipsec-controller-1' @ 192.168.101.4[500]
+    AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
+    established 1254s ago, rekeying in 1825s, reauth in 8141s
+    node: #8, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
+        installed 656s ago, rekeying in 2771s, expires in 3304s
+        in  c8b40c6d, 3337097 bytes, 58557 packets,     0s ago
+        out cf1b0bdd, 76048257 bytes, 83565 packets,     0s ago
+        local  192.168.101.3/32
+        remote 192.168.101.4/32
+
+The above output shows two IPsec connections between the two controllers of
+a |AIO-DX| system. In multi nodes system such as standard or storage systems,
+there will be IPsec connections among all hosts.
--- a/doc/source/security/kubernetes/ipsec-overview-680c2dcfbf3b.rst
+++ b/doc/source/security/kubernetes/ipsec-overview-680c2dcfbf3b.rst
@@ -0,0 +1,18 @@
+.. WARNING: Add no lines of text between the label immediately following
+.. and the title.
+
+.. _ipsec-overview-680c2dcfbf3b:
+
+==============
+IPsec Overview
+==============
+
+IPsec is a set of communication rules or protocols for setting up secure
+connections over a network. |prod| utilizes IPsec to protect local traffic
+on the internal management network of multi-node systems.
+
+|prod| uses strongSwan as the IPsec implementation. strongSwan is an
+opensource IPsec solution located at https://strongswan.org/.
+
+For the most part, IPsec on |prod| is transparent to users.
+