From b029465b584874eb28db2c8ccd08c69ebd69fd85 Mon Sep 17 00:00:00 2001 From: Suzana Fernandes Date: Fri, 16 Aug 2024 19:55:17 +0000 Subject: [PATCH] Protecting against L2 Network Attackers Story: 2010940 Task: 50151 Change-Id: If7ffcf0ffb81d0f7952cd92167b992550e7e191e Signed-off-by: Suzana Fernandes --- ...an-aiosx-subcloud-to-an-aiodx-subcloud.rst | 28 ++++++++++ .../index-security-kub-81153c1254c3.rst | 12 +++++ .../ipsec-certificates-2c0655a2a888.rst | 37 +++++++++++++ .../kubernetes/ipsec-clis-5f38181d077f.rst | 49 +++++++++++++++++ ...onfiguration-and-enabling-f70964bc49d1.rst | 53 +++++++++++++++++++ .../ipsec-overview-680c2dcfbf3b.rst | 18 +++++++ 6 files changed, 197 insertions(+) create mode 100644 doc/source/security/kubernetes/ipsec-certificates-2c0655a2a888.rst create mode 100644 doc/source/security/kubernetes/ipsec-clis-5f38181d077f.rst create mode 100644 doc/source/security/kubernetes/ipsec-configuration-and-enabling-f70964bc49d1.rst create mode 100644 doc/source/security/kubernetes/ipsec-overview-680c2dcfbf3b.rst diff --git a/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst b/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst index bb6f8e611..b52a7f17a 100644 --- a/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst +++ b/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst 
@@ -210,6 +210,34 @@ commands on the |AIO-SX| subcloud. Wait for the controller to reset and come back up to an operational state. +#. Config and enable IPsec on the controller. + + .. code-block:: none + + ~(keystone_admin)$ sudo ipsec-client pxecontroller + + This is only needed on controller-0. + The command should complete successfully as following: + + .. code-block:: none + + ~(keystone_admin)$ sudo ipsec-client pxecontroller + + 2024-08-07 20:43:28.622 182204 INFO sysinv.ipsec_auth.client.client [-] Connecting to pxecontroller port 64764 + 2024-08-07 20:43:28.630 182204 INFO sysinv.ipsec_auth.client.client [-] Sending IPSec Auth request + 2024-08-07 20:43:36.521 182204 INFO sysinv.ipsec_auth.client.client [-] Received IPSec Auth response + 2024-08-07 20:43:36.765 182204 INFO sysinv.ipsec_auth.client.client [-] Generate RSA Private Key (PRK2). + 2024-08-07 20:43:37.029 182204 INFO sysinv.ipsec_auth.client.client [-] Generate AES Key (AK1). + 2024-08-07 20:43:37.029 182204 INFO sysinv.ipsec_auth.client.client [-] Generate Certificate Signing Request (CSR). + 2024-08-07 20:43:37.033 182204 INFO sysinv.ipsec_auth.client.client [-] Encrypt CSR w/ AK1. + 2024-08-07 20:43:37.035 182204 INFO sysinv.ipsec_auth.client.client [-] Encrypt AK1 and IV w/ PUK1 + 2024-08-07 20:43:37.038 182204 INFO sysinv.ipsec_auth.client.client [-] Hash OTS Token, eAK1 and eCSR. + 2024-08-07 20:43:37.041 182204 INFO sysinv.ipsec_auth.client.client [-] Sending IPSec Auth CSR request + 2024-08-07 20:43:38.541 182204 INFO sysinv.ipsec_auth.client.client [-] Received IPSec Auth CSR response + 2024-08-07 20:43:38.544 182204 INFO sysinv.ipsec_auth.client.client [-] Generating config files and restart ipsec + 2024-08-07 20:43:53.141 182204 INFO sysinv.ipsec_auth.client.client [-] Shutting down + + #. Software install and configure the second controller for the subcloud. For instructions on installing and configuring controller-1 in an 
diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index f45572e62..cacd8a067 100644 --- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst @@ -153,6 +153,18 @@ Vault Secret and Data Management configure-vault-using-the-cli remove-vault +*************************** +IPsec on Management Network +*************************** + +.. toctree:: + :maxdepth: 1 + + ipsec-overview-680c2dcfbf3b + ipsec-configuration-and-enabling-f70964bc49d1 + ipsec-certificates-2c0655a2a888 + ipsec-clis-5f38181d077f + ************************************** Encrypt Kubernetes Secret Data at Rest ************************************** diff --git a/doc/source/security/kubernetes/ipsec-certificates-2c0655a2a888.rst b/doc/source/security/kubernetes/ipsec-certificates-2c0655a2a888.rst new file mode 100644 index 000000000..e73dc4ef1 --- /dev/null +++ b/doc/source/security/kubernetes/ipsec-certificates-2c0655a2a888.rst 
@@ -0,0 +1,37 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _ipsec-certificates-2c0655a2a888: + +================== +IPSec Certificates +================== + +|prod| uses x509 certificate for IPsec authentication. The following are IPsec +related certificates. + +* Certificates in /etc/swanctl/x509/ directory + Files in this directory are the IPsec certificates for peer + authentication and SA establishment. They are issued by system-local-ca + managed by cert-manager. +* Private keys in /etc/swanctl/private/ directory + Files in this directory are the corresponding private keys of the IPsec + certificates in /etc/swanctl/x509/ directory. Together with the + certificates, they are used for IPsec authentication and SA establishment. + +IPsec certificates are valid for 3 months by default. They are monitored and +renewed automatically by the Platform. The IPsec certificates are renewed +(along with the corresponding private keys) when the certificates are within +15 days of expiration. + +* Certificates in /etc/swanctl/x509ca/ directory + Files in this directory are the root |CA| and intermediate |CA| certificates. + These are the CA certificates that sign the IPsec certificates. With these + |CA| certificates, a full certificate chain is established. They are used + by IPsec to authenticate peers and SA establishment. + +When the system's root |CA| certificate is updated (by user running +``update_platform_certificates.yml`` for example), the certificates for IPsec, +including IPsec certificates, corresponding private keys and CA certificates, +will all be updated accordingly. + diff --git a/doc/source/security/kubernetes/ipsec-clis-5f38181d077f.rst b/doc/source/security/kubernetes/ipsec-clis-5f38181d077f.rst new file mode 100644 index 000000000..8d0540d23 --- /dev/null +++ b/doc/source/security/kubernetes/ipsec-clis-5f38181d077f.rst 
@@ -0,0 +1,49 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _ipsec-clis-5f38181d077f: + +========== +IPsec CLIs +========== + +``swanctl`` is strongSwan's configuration, controlling and monitoring command +line interface. It has to be run as root or by sudo. + +The command :command:`swanctl --help` will show all the available subcommands. + +.. code-block:: none + + ~(keystone_admin)]$ sudo swanctl --list --help + + usage: + swanctl --counters (-C) list or reset IKE event counters + swanctl --initiate (-i) initiate a connection + swanctl --terminate (-t) terminate a connection + swanctl --rekey (-R) rekey an SA + swanctl --redirect (-d) redirect an IKE_SA + swanctl --uninstall (-u) uninstall a trap or shunt policy + swanctl --install (-p) install a trap or shunt policy + swanctl --list-sas (-l) list currently active IKE_SAs + swanctl --monitor-sa (-m) monitor for IKE_SA and CHILD_SA changes + swanctl --list-pols (-P) list currently installed policies + swanctl --list-authorities (-B) list loaded authority configurations + swanctl --list-conns (-L) list loaded configurations + swanctl --list-certs (-x) list stored certificates + swanctl --list-pools (-A) list loaded pool configurations + swanctl --list-algs (-g) show loaded algorithms + swanctl --flush-certs (-f) flush cached certificates + swanctl --load-all (-q) load credentials, authorities, pools and connections + swanctl --load-authorities (-b) (re-)load authority configuration + swanctl --load-conns (-c) (re-)load connection configuration + swanctl --load-creds (-s) (re-)load credentials + swanctl --load-pools (-a) (re-)load pool configuration + swanctl --log (-T) trace logging output + swanctl --version (-v) show version information + swanctl --stats (-S) show daemon stats information + swanctl --reload-settings (-r) reload daemon strongswan.conf + swanctl --help (-h) show usage information + +``swanctl`` CLIs can be used for checking IPsec status and 
verifying configurations. +Do not make any changes to IPsec using these commands. + diff --git a/doc/source/security/kubernetes/ipsec-configuration-and-enabling-f70964bc49d1.rst b/doc/source/security/kubernetes/ipsec-configuration-and-enabling-f70964bc49d1.rst new file mode 100644 index 000000000..62d64a579 --- /dev/null +++ b/doc/source/security/kubernetes/ipsec-configuration-and-enabling-f70964bc49d1.rst 
@@ -0,0 +1,53 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _ipsec-configuration-and-enabling-f70964bc49d1: + +========================== +Configure and Enable IPsec +========================== + +IPsec is configured and enabled on management network for multi node systems +by default during system deployment. For the first controller, it is configured +and enabled by ansible playbook during bootstrap. For the rest of the nodes in +the system, it is configured and enabled at first reboot during the host +installation. + +IPsec status can be verified by ``swanctl`` CLIs, refer to :ref:`ipsec-clis-5f38181d077f` section for useful commands. + +The most useful command to check IPsec status is: :command:`swanctl --list-sa` + +This command lists the established IPsec connections and SAs (Security Associations). + +An example output is as following: + +.. code-block:: none + + ~(keystone_admin)]$ sudo swanctl --list-sa + Password: + system-nodes: #162, ESTABLISHED, IKEv2, 7e224579c2034a09_i ad8a74ef1621ebcb_r* + local 'CN=ipsec-controller-0' @ 192.168.101.2[500] + remote 'CN=ipsec-controller-1' @ 192.168.101.4[500] + AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072 + established 1054s ago, rekeying in 1589s, reauth in 9033s + node: #7, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128 + installed 671s ago, rekeying in 2622s, expires in 3289s + in c61b1765, 1107991 bytes, 10275 packets, 0s ago + out c38189c2, 113928 bytes, 1332 packets, 616s ago + local 192.168.101.2/32 + remote 192.168.101.4/32 + system-nodes: #161, ESTABLISHED, IKEv2, 7efa2401684f7927_i* d35349b7c7aa2b13_r + local 'CN=ipsec-controller-0' @ 192.168.101.3[500] + remote 'CN=ipsec-controller-1' @ 192.168.101.4[500] + AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072 + established 1254s ago, rekeying in 1825s, reauth in 8141s + node: #8, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128 + installed 656s ago, rekeying in 2771s, expires in 
3304s + in c8b40c6d, 3337097 bytes, 58557 packets, 0s ago + out cf1b0bdd, 76048257 bytes, 83565 packets, 0s ago + local 192.168.101.3/32 + remote 192.168.101.4/32 + +The above output shows two IPsec connections between the two controllers of +a |AIO-DX| system. In multi nodes system such as standard or storage systems, +there will be IPsec connections among all hosts. \ No newline at end of file diff --git a/doc/source/security/kubernetes/ipsec-overview-680c2dcfbf3b.rst b/doc/source/security/kubernetes/ipsec-overview-680c2dcfbf3b.rst new file mode 100644 index 000000000..969aa2b5d --- /dev/null +++ b/doc/source/security/kubernetes/ipsec-overview-680c2dcfbf3b.rst @@ -0,0 +1,18 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _ipsec-overview-680c2dcfbf3b: + +============== +IPsec Overview +============== + +IPsec is a set of communication rules or protocols for setting up secure +connections over a network. |prod| utilizes IPsec to protect local traffic +on the internal management network of multi-node systems. + +|prod| uses strongSwan as the IPsec implementation. strongSwan is an +opensource IPsec solution located at https://strongswan.org/. + +For the most part, IPsec on |prod| is transparent to users. +
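Review bot: In the migrate-an-aiosx-subcloud-to-an-aiodx-subcloud hunk, the new step "Config and enable IPsec on the controller" contradicts the new ipsec-configuration page, which states that IPsec is configured and enabled automatically by the bootstrap playbook and at first reboot; say why the migration path needs the manual `sudo ipsec-client pxecontroller` run (presumably because the original AIO-SX subcloud was deployed without it) and whether it must complete before controller-1 is installed. The command is shown twice, once bare and once with its output; keep only the block with the output. "Config" should be "Configure", and the `~(keystone_admin)$` prompt differs from the `~(keystone_admin)]$` prompt used in the other new pages. The log lines refer to PRK2, AK1, PUK1 and an OTS Token without explanation; either trim the sample to the final "Generating config files and restart ipsec" and "Shutting down" lines so the reader knows what success looks like, or add one sentence describing the exchange, and state what the operator should check if the command does not complete.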
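Review bot: In ipsec-certificates, the bullet for /etc/swanctl/x509ca/ is separated from the x509 and private bullets by the validity paragraph, so the list of directories is split in two; move that bullet up to join the other two and keep the 3-month validity and 15-day renewal paragraph after the complete list. The title "IPSec Certificates" and "x509 certificate" should read "IPsec Certificates" and "X.509 certificates" for consistency with the other new pages. Because /etc/swanctl/private/ holds the private keys, state the expected ownership and permissions (root-only) so an operator can verify they are not readable by other users, and say whether the validity period and renewal window are configurable. The final paragraph names ``update_platform_certificates.yml``; add a cross-reference to the page that documents that playbook.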
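Review bot: In ipsec-clis, the prose says :command:`swanctl --help` shows the subcommands but the code block runs `sudo swanctl --list --help`, and `--list` is not among the options in the output shown; make the command in the block match the prose. "It has to be run as root or by sudo" reads better as "It must be run as root or with sudo". The closing sentence "Do not make any changes to IPsec using these commands" follows a list that includes state-changing options such as --terminate, --rekey, --flush-certs and the --load-* family; name the read-only commands operators are expected to use (--list-sas, --list-conns, --list-certs, --list-pols, --stats) and state explicitly that the others are not supported because |prod| manages the IPsec configuration itself.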
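Review bot: In ipsec-configuration-and-enabling, the title "Configure and Enable IPsec" promises user steps, but the body only describes automatic enablement and status checking; either retitle the page (for example "IPsec Enablement and Status") or state explicitly that no user action is required, and cross-reference the subcloud migration step that does run `ipsec-client`. The command :command:`swanctl --list-sa` does not match the `--list-sas` name shown in the CLI page's help output; use the full option name in both the prose and the code block. Drop the "Password:" line from the sample output, since it is the sudo prompt rather than swanctl output. "on management network for multi node systems" and "In multi nodes system" should read "on the management network for multi-node systems" and "In multi-node systems", and "ansible playbook" should be "Ansible playbook". The output shows two IKE_SAs, both with local 'CN=ipsec-controller-0' but at 192.168.101.2 and 192.168.101.3 against the same remote; explain why two connections appear between the same pair of hosts so readers do not mistake it for a fault. The file also ends without a trailing newline ("\ No newline at end of file").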
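Review bot: In ipsec-overview, "a set of communication rules or protocols for setting up secure connections over a network" is too vague to tell the reader what protection they are getting; state the property the commit subject already names: traffic between hosts on the internal management network is authenticated and encrypted, so an attacker with access to that L2 segment cannot read or tamper with it. The sample output in the configuration page shows IKEv2 with X.509 peer authentication and ESP in TRANSPORT mode with AES_GCM_16-128, and the overview is the natural place to summarize that (host-to-host transport mode, certificate-based authentication) so the certificates and status pages have context. "opensource" should be "open-source", and "located at" should be "available at".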