
C2C TLS port (61443) is exposed on Diego cell host, allowing requests to app w/o mTLS #651

@peanball

Description

Don't expose Container to Container TLS port w/o mTLS on Diego Cell

Summary

Apps on Diego cells are secured by Envoy, which provides TLS termination.
The hard-coded port 61443 on the container will always provide a TLS-encrypted channel, which is intended for Container to Container communication.

Our understanding is that this c2c port is made available via silk, so other containers can communicate with it. Exposing it on the host

Steps to Reproduce

  • Deploy an app via Diego with mTLS.
  • Inspect the iptables rules
    • The iptables rules will have a redirect from host-ip:61xxx -> container-ip:61443.
  • Issue a cURL call to host-ip:61xxx, without providing any mTLS certificate, or providing an invalid certificate. The app responds to the request because mTLS is not checked / enforced on this port.
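The inspection step above can be scripted. The following is an added example and is not part of the original issue or of the Diego/executor code: it parses `iptables-save` output for DNAT rules whose destination is a container's C2C TLS port (61443 by default) and reports the host IP/port pair that reaches it. The rule lines embedded in the script are constructed sample data modelled on the output format shown later in this issue; on a real cell you would feed it `iptables-save -t nat` instead. The `probe_no_client_cert` helper is the cURL step from the reproduction: it makes a plain TLS request with no client certificate, so an HTTP status code coming back means the port answered without mTLS, whereas a handshake failure (curl exit code 35 or 56) means the client certificate was actually required.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (not captured from a real cell).
# Host 10.0.201.8 forwards three host ports to a container at 10.151.240.103.
SAMPLE_RULES='-A netin--5704f3de-130a-4b4f-69 -d 10.0.201.8/32 -p tcp -m tcp --dport 61097 -j DNAT --to-destination 10.151.240.103:61001
-A netin--5704f3de-130a-4b4f-69 -d 10.0.201.8/32 -p tcp -m tcp --dport 61106 -j DNAT --to-destination 10.151.240.103:61443
-A netin--5704f3de-130a-4b4f-69 -d 10.0.201.8/32 -p tcp -m tcp --dport 61107 -j DNAT --to-destination 10.151.240.103:61002'

# c2c_exposures RULES [CONTAINER_PORT]
# Prints "host_ip host_port container_ip" for every DNAT rule whose
# --to-destination port equals CONTAINER_PORT (default 61443, the C2C TLS port).
c2c_exposures() {
    rules=$1
    cport=${2:-61443}
    printf '%s\n' "$rules" | awk -v cport="$cport" '
        /-j DNAT/ {
            host_ip = ""; host_port = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") { host_ip = $(i + 1); sub(/\/32$/, "", host_ip) }
                if ($i == "--dport") host_port = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            n = split(dest, parts, ":")
            if (n == 2 && parts[2] == cport) print host_ip, host_port, parts[1]
        }'
}

# check_c2c_exposed RULES [CONTAINER_PORT]
# Returns 1 (and prints the offending mappings) if the C2C TLS port is reachable
# through a host port; returns 0 if no such DNAT rule exists. Suitable as a
# post-deploy check that the mapping has been disabled.
check_c2c_exposed() {
    out=$(c2c_exposures "$1" "${2:-61443}")
    if [ -n "$out" ]; then
        printf 'C2C TLS port reachable from the host network (host_ip host_port container_ip):\n%s\n' "$out"
        return 1
    fi
    return 0
}

# probe_no_client_cert HOST PORT
# Reproduction step: TLS request with no client certificate. -k skips server
# certificate validation because the C2C certificate is not issued for the host IP.
# Prints the HTTP status if the app answered; curl exits non-zero (35/56) when the
# server actually enforces mTLS and aborts the handshake.
probe_no_client_cert() {
    curl -sk -o /dev/null -w '%{http_code}\n' "https://$1:$2/"
}

# Usage on a live cell (not run here):
#   check_c2c_exposed "$(iptables-save -t nat)" || probe_no_client_cert 10.0.201.8 61106
check_c2c_exposed "$SAMPLE_RULES"
```

The script flags the 61106 -> 61443 mapping from the sample and exits non-zero; after the fix proposed below it should print nothing and exit 0.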

Diego repo

The port mapping is configured in cloudfoundry/executor.

The port mapping for port 61443 was introduced in cloudfoundry/executor#58

Environment Details

This is still applicable to the latest available release

Possible Causes or Fixes (optional)

We are suggesting to selectively disable the port mapping of the C2C TLS port (container-ip:61443) to the host.

This could be done:

  • statically, as the port is already hardcoded, or
  • via feature flag / config flag to disable forwarding the c2c TLS port to the host

Additional Text Output, Screenshots, contextual information (optional)

diego-cell/79c56295-9205-4067-8a43-cb0067406c9b:/var/vcap/bosh_ssh/bosh_885ce62303aa4ae# iptables-save | grep 10.151.240.103
-A POSTROUTING -s 10.151.240.103/32 ! -d 10.128.0.0/11 ! -o silk-vtep -j MASQUERADE
-A netin--5704f3de-130a-4b4f-69 -d 10.0.201.8/32 -p tcp -m tcp --dport 61097 -j DNAT --to-destination 10.151.240.103:61001
-A netin--5704f3de-130a-4b4f-69 -d 10.0.201.8/32 -p tcp -m tcp --dport 61106 -j DNAT --to-destination 10.151.240.103:61443
-A netin--5704f3de-130a-4b4f-69 -d 10.0.201.8/32 -p tcp -m tcp --dport 61107 -j DNAT --to-destination 10.151.240.103:61002
-A INPUT -s 10.151.240.103/32 -j input--5704f3de-130a-4b4f-69
-A FORWARD -s 10.151.240.103/32 -o eth0 -j netout--5704f3de-130a-4b4f-6
-A overlay--5704f3de-130a-4b4f- -s 10.151.240.103/32 -o silk-vtep -m mark ! --mark 0x0 -j ACCEPT
-A overlay--5704f3de-130a-4b4f- -d 10.151.240.103/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A overlay--5704f3de-130a-4b4f- -d 10.151.240.103/32 -m mark --mark 0xffff0000 -j ACCEPT
-A overlay--5704f3de-130a-4b4f- -d 10.151.240.103/32 -j REJECT --reject-with icmp-port-unreachable

The following line should not appear after the mapping is selectively disabled:

-A netin--5704f3de-130a-4b4f-69 -d 10.0.201.8/32 -p tcp -m tcp --dport 61106 -j DNAT --to-destination 10.151.240.103:61443
