Protecting against L2 Network Attackers

Story: 2010940
Task: 50151

Change-Id: If7ffcf0ffb81d0f7952cd92167b992550e7e191e
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
Suzana Fernandes 2024-08-16 19:55:17 +00:00 committed by Juanita-Balaraj
parent dddfd0e6b6
commit b029465b58
6 changed files with 197 additions and 0 deletions


@ -210,6 +210,34 @@ commands on the |AIO-SX| subcloud.
Wait for the controller to reset and come back up to an operational state. Wait for the controller to reset and come back up to an operational state.
#. Config and enable IPsec on the controller.
.. code-block:: none
~(keystone_admin)$ sudo ipsec-client pxecontroller
This is only needed on controller-0.
The command should complete successfully as following:
.. code-block:: none
~(keystone_admin)$ sudo ipsec-client pxecontroller
2024-08-07 20:43:28.622 182204 INFO sysinv.ipsec_auth.client.client [-] Connecting to pxecontroller port 64764
2024-08-07 20:43:28.630 182204 INFO sysinv.ipsec_auth.client.client [-] Sending IPSec Auth request
2024-08-07 20:43:36.521 182204 INFO sysinv.ipsec_auth.client.client [-] Received IPSec Auth response
2024-08-07 20:43:36.765 182204 INFO sysinv.ipsec_auth.client.client [-] Generate RSA Private Key (PRK2).
2024-08-07 20:43:37.029 182204 INFO sysinv.ipsec_auth.client.client [-] Generate AES Key (AK1).
2024-08-07 20:43:37.029 182204 INFO sysinv.ipsec_auth.client.client [-] Generate Certificate Signing Request (CSR).
2024-08-07 20:43:37.033 182204 INFO sysinv.ipsec_auth.client.client [-] Encrypt CSR w/ AK1.
2024-08-07 20:43:37.035 182204 INFO sysinv.ipsec_auth.client.client [-] Encrypt AK1 and IV w/ PUK1
2024-08-07 20:43:37.038 182204 INFO sysinv.ipsec_auth.client.client [-] Hash OTS Token, eAK1 and eCSR.
2024-08-07 20:43:37.041 182204 INFO sysinv.ipsec_auth.client.client [-] Sending IPSec Auth CSR request
2024-08-07 20:43:38.541 182204 INFO sysinv.ipsec_auth.client.client [-] Received IPSec Auth CSR response
2024-08-07 20:43:38.544 182204 INFO sysinv.ipsec_auth.client.client [-] Generating config files and restart ipsec
2024-08-07 20:43:53.141 182204 INFO sysinv.ipsec_auth.client.client [-] Shutting down
#. Software install and configure the second controller for the subcloud. #. Software install and configure the second controller for the subcloud.
For instructions on installing and configuring controller-1 in an For instructions on installing and configuring controller-1 in an
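Review bot: the restriction "This is only needed on controller-0" comes after the command it qualifies; move it ahead of the code block, because the step heading "Config and enable IPsec on the controller" does not say which controller and a reader on controller-1 only learns the restriction after running it ("Config" should also read "Configure"). The command `sudo ipsec-client pxecontroller` is shown twice, once bare and once with its output; one block with the output is enough. The step also gives no failure handling or verification: say what to do if the client does not reach "Received IPSec Auth CSR response" and "Generating config files and restart ipsec" (the log shows it depends on reaching pxecontroller on port 64764, so connectivity is the first thing to check), and how to confirm the result afterwards, e.g. with the `swanctl --list-sas` check described on the new CLI page.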


@ -153,6 +153,18 @@ Vault Secret and Data Management
configure-vault-using-the-cli configure-vault-using-the-cli
remove-vault remove-vault
***************************
IPsec on Management Network
***************************
.. toctree::
:maxdepth: 1
ipsec-overview-680c2dcfbf3b
ipsec-configuration-and-enabling-f70964bc49d1
ipsec-certificates-2c0655a2a888
ipsec-clis-5f38181d077f
************************************** **************************************
Encrypt Kubernetes Secret Data at Rest Encrypt Kubernetes Secret Data at Rest
************************************** **************************************


@ -0,0 +1,37 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _ipsec-certificates-2c0655a2a888:
==================
IPSec Certificates
==================
|prod| uses x509 certificate for IPsec authentication. The following are IPsec
related certificates.
* Certificates in /etc/swanctl/x509/ directory
Files in this directory are the IPsec certificates for peer
authentication and SA establishment. They are issued by system-local-ca
managed by cert-manager.
* Private keys in /etc/swanctl/private/ directory
Files in this directory are the corresponding private keys of the IPsec
certificates in /etc/swanctl/x509/ directory. Together with the
certificates, they are used for IPsec authentication and SA establishment.
IPsec certificates are valid for 3 months by default. They are monitored and
renewed automatically by the Platform. The IPsec certificates are renewed
(along with the corresponding private keys) when the certificates are within
15 days of expiration.
* Certificates in /etc/swanctl/x509ca/ directory
Files in this directory are the root |CA| and intermediate |CA| certificates.
These are the CA certificates that sign the IPsec certificates. With these
|CA| certificates, a full certificate chain is established. They are used
by IPsec to authenticate peers and SA establishment.
When the system's root |CA| certificate is updated (by user running
``update_platform_certificates.yml`` for example), the certificates for IPsec,
including IPsec certificates, corresponding private keys and CA certificates,
will all be updated accordingly.
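Review bot: the page title "IPSec Certificates" is inconsistent with the "IPsec" spelling used everywhere else in this change, including the toctree section "IPsec on Management Network"; use "IPsec". "uses x509 certificate" should read "uses X.509 certificates". Since the page documents /etc/swanctl/private/, it should state that those key files must stay readable by root only; and the statement that certificates are renewed 15 days before expiry would be more useful with a way to check the current expiry, e.g. `sudo swanctl --list-certs` from the CLI page. Finally, the last paragraph says the IPsec certificates, private keys and CA certificates are all updated when the root CA changes, but not whether existing IKE and CHILD SAs are re-established or management traffic is interrupted during that update; one sentence on that is what an operator planning an `update_platform_certificates.yml` run needs.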


@ -0,0 +1,49 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _ipsec-clis-5f38181d077f:
==========
IPsec CLIs
==========
``swanctl`` is strongSwan's configuration, controlling and monitoring command
line interface. It has to be run as root or by sudo.
The command :command:`swanctl --help` will show all the available subcommands.
.. code-block:: none
~(keystone_admin)]$ sudo swanctl --list --help
usage:
swanctl --counters (-C) list or reset IKE event counters
swanctl --initiate (-i) initiate a connection
swanctl --terminate (-t) terminate a connection
swanctl --rekey (-R) rekey an SA
swanctl --redirect (-d) redirect an IKE_SA
swanctl --uninstall (-u) uninstall a trap or shunt policy
swanctl --install (-p) install a trap or shunt policy
swanctl --list-sas (-l) list currently active IKE_SAs
swanctl --monitor-sa (-m) monitor for IKE_SA and CHILD_SA changes
swanctl --list-pols (-P) list currently installed policies
swanctl --list-authorities (-B) list loaded authority configurations
swanctl --list-conns (-L) list loaded configurations
swanctl --list-certs (-x) list stored certificates
swanctl --list-pools (-A) list loaded pool configurations
swanctl --list-algs (-g) show loaded algorithms
swanctl --flush-certs (-f) flush cached certificates
swanctl --load-all (-q) load credentials, authorities, pools and connections
swanctl --load-authorities (-b) (re-)load authority configuration
swanctl --load-conns (-c) (re-)load connection configuration
swanctl --load-creds (-s) (re-)load credentials
swanctl --load-pools (-a) (re-)load pool configuration
swanctl --log (-T) trace logging output
swanctl --version (-v) show version information
swanctl --stats (-S) show daemon stats information
swanctl --reload-settings (-r) reload daemon strongswan.conf
swanctl --help (-h) show usage information
``swanctl`` CLIs can be used for checking IPsec status and verifying configurations.
Do not make any changes to IPsec using these commands.
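Review bot: the prose says `swanctl --help` shows the subcommands, but the example runs `sudo swanctl --list --help`; `--list` is not among the options in the listing that follows, so the example should be `sudo swanctl --help` to match the text and the output. The prompt `~(keystone_admin)]$` has a stray `]` (the subcloud hunk uses `~(keystone_admin)$`). The closing advice "Do not make any changes to IPsec using these commands" would be clearer if the page separated the read-only options (--list-sas, --list-conns, --list-certs, --list-pols, --list-algs, --stats, --counters) from those that change daemon state (--initiate, --terminate, --rekey, --redirect, --install, --uninstall, --load-*, --flush-certs, --reload-settings), since nothing in the listing marks which is which.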


@ -0,0 +1,53 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _ipsec-configuration-and-enabling-f70964bc49d1:
==========================
Configure and Enable IPsec
==========================
IPsec is configured and enabled on management network for multi node systems
by default during system deployment. For the first controller, it is configured
and enabled by ansible playbook during bootstrap. For the rest of the nodes in
the system, it is configured and enabled at first reboot during the host
installation.
IPsec status can be verified by ``swanctl`` CLIs, refer to :ref:`ipsec-clis-5f38181d077f` section for useful commands.
The most useful command to check IPsec status is: :command:`swanctl --list-sa`
This command lists the established IPsec connections and SAs (Security Associations).
An example output is as following:
.. code-block:: none
~(keystone_admin)]$ sudo swanctl --list-sa
Password:
system-nodes: #162, ESTABLISHED, IKEv2, 7e224579c2034a09_i ad8a74ef1621ebcb_r*
local 'CN=ipsec-controller-0' @ 192.168.101.2[500]
remote 'CN=ipsec-controller-1' @ 192.168.101.4[500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
established 1054s ago, rekeying in 1589s, reauth in 9033s
node: #7, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
installed 671s ago, rekeying in 2622s, expires in 3289s
in c61b1765, 1107991 bytes, 10275 packets, 0s ago
out c38189c2, 113928 bytes, 1332 packets, 616s ago
local 192.168.101.2/32
remote 192.168.101.4/32
system-nodes: #161, ESTABLISHED, IKEv2, 7efa2401684f7927_i* d35349b7c7aa2b13_r
local 'CN=ipsec-controller-0' @ 192.168.101.3[500]
remote 'CN=ipsec-controller-1' @ 192.168.101.4[500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
established 1254s ago, rekeying in 1825s, reauth in 8141s
node: #8, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
installed 656s ago, rekeying in 2771s, expires in 3304s
in c8b40c6d, 3337097 bytes, 58557 packets, 0s ago
out cf1b0bdd, 76048257 bytes, 83565 packets, 0s ago
local 192.168.101.3/32
remote 192.168.101.4/32
The above output shows two IPsec connections between the two controllers of
a |AIO-DX| system. In multi nodes system such as standard or storage systems,
there will be IPsec connections among all hosts.
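Review bot: the command is given as `swanctl --list-sa` (twice) but the option in the help listing is `swanctl --list-sas` (`-l`); `--list-sa` only works as an unambiguous prefix, so document the full option. The example output contains a `Password:` line from sudo that is not swanctl output and should be dropped. The text says the output shows "two IPsec connections between the two controllers" but does not explain why controller-0 has two IKE_SAs with different local addresses (192.168.101.2 and 192.168.101.3) to the same peer; say what each local address is. The output also shows facts worth stating in prose rather than leaving to the reader: ESP in TRANSPORT mode with AES_GCM_16-128, IKEv2 with AES_CBC-128/HMAC_SHA2_256_128/MODP_3072, and /32 traffic selectors, i.e. host-to-host protection only. "multi node systems" and "multi nodes system" should be "multi-node systems", and the first sentence should say what applies on single-node systems, given that the subcloud procedure in this change runs `ipsec-client` manually on controller-0 before the second controller is added.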


@ -0,0 +1,18 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _ipsec-overview-680c2dcfbf3b:
==============
IPsec Overview
==============
IPsec is a set of communication rules or protocols for setting up secure
connections over a network. |prod| utilizes IPsec to protect local traffic
on the internal management network of multi-node systems.
|prod| uses strongSwan as the IPsec implementation. strongSwan is an
opensource IPsec solution located at https://strongswan.org/.
For the most part, IPsec on |prod| is transparent to users.
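Review bot: "IPsec is a set of communication rules or protocols for setting up secure connections over a network" is too vague to tell an operator what is protected; state what the platform actually gets, which the configuration page's output makes concrete: IKEv2 with certificate authentication between each pair of hosts and ESP in transport mode on the management network, giving confidentiality and integrity for host-to-host management traffic. The page should also state the scope limits the other pages imply (multi-node systems only, internal management network only) and which other networks are out of scope, since that is what a reader judging the protection against the L2 attacker in the commit title needs. "opensource" should be "open-source".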