-
Notifications
You must be signed in to change notification settings - Fork 983
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V2 certificate format #1216
base: master
Are you sure you want to change the base?
V2 certificate format #1216
Conversation
q, | ||
cache.Get(u.l), | ||
) | ||
r(netip.AddrPortFrom(netip.AddrFrom16(rua.Addr).Unmap(), (rua.Port>>8)|((rua.Port&0xff)<<8)), buffer[:n]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use binary
to avoid endianness issues
} | ||
if *sf.networks != "" { | ||
for _, rs := range strings.Split(*sf.networks, ",") { | ||
//TODO: error on duplicates? Mainly only addr matters, having two of the same addr in the same or different prefix space is strange |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also no 4in6
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in #1266
if err != nil { | ||
return newHelpErrorf("invalid subnet definition: %s", rs) | ||
return newHelpErrorf("invalid -unsafe-networks definition: %s", rs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And no 4in6
return fmt.Errorf("error while signing with PKCS#11: %w", err) | ||
|
||
if version == cert.Version1 { | ||
// If we are asked to mint a v1 certificate only then we cant just ignore any v6 addresses |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We arent ignoring them
9f75b80
to
a09f39f
Compare
--------- Co-authored-by: Jack Doan <[email protected]>
Vltime: 0xffffffff, | ||
Pltime: 0xffffffff, | ||
}, | ||
//TODO: should we disable DAD (duplicate address detection) and mark this as a secured address? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
at least on Linux, my unsubstantiated opinion is that nebula should not do this, but our docs should suggest appropriate sysctls and systemd-networkd settings.
|
||
//add all new addresses | ||
for i := range newAddrs { | ||
//todo do we want to stack errors and try as many ops as possible? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
@@ -213,7 +223,8 @@ func (t *tun) removeRoutes(routes []Route) error { | |||
continue | |||
} | |||
|
|||
cmd := exec.Command("/sbin/route", "-n", "delete", "-net", r.Cidr.String(), t.cidr.Addr().String()) | |||
//todo is this right? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
@@ -181,8 +191,8 @@ func (t *tun) removeRoutes(routes []Route) error { | |||
if !r.Install { | |||
continue | |||
} | |||
|
|||
cmd := exec.Command("/sbin/route", "-n", "delete", "-inet", r.Cidr.String(), t.cidr.Addr().String()) | |||
//todo is this right? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
ssh.go
Outdated
@@ -785,7 +785,8 @@ func sshPrintCert(ifce *Interface, fs interface{}, a []string, w sshd.StringWrit | |||
return nil | |||
} | |||
|
|||
cert := ifce.pki.GetCertState().Certificate | |||
//TODO: This should return both certs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
@@ -91,40 +92,60 @@ func AddRelay(l *logrus.Logger, relayHostInfo *HostInfo, hm *HostMap, vpnIp neti | |||
func (rm *relayManager) EstablishRelay(relayHostInfo *HostInfo, m *NebulaControl) (*Relay, error) { | |||
relay, ok := relayHostInfo.relayState.CompleteRelayByIdx(m.InitiatorRelayIndex, m.ResponderRelayIndex) | |||
if !ok { | |||
rm.l.WithFields(logrus.Fields{"relay": relayHostInfo.vpnIp, | |||
//TODO: we need to handle possibly logging deprecated fields as well |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
if msg.OldRelayFromAddr > 0 || msg.OldRelayToAddr > 0 { | ||
v = cert.Version1 | ||
|
||
//TODO: yeah this is junk but maybe its less junky than the other options |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
if v == cert.Version1 { | ||
peer := peerHostInfo.vpnAddrs[0] | ||
if !peer.Is4() { | ||
//TODO: log cant do it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
relay_manager.go
Outdated
@@ -310,11 +357,11 @@ func (rm *relayManager) handleCreateRelayRequest(h *HostInfo, f *Interface, m *N | |||
f.SendMessageToHostInfo(header.Control, 0, peer, msg, make([]byte, 12), make([]byte, mtu)) | |||
rm.l.WithFields(logrus.Fields{ | |||
//TODO: IPV6-WORK another lazy used to use the req object |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
relay_manager.go
Outdated
|
||
if v == cert.Version1 { | ||
if !h.vpnAddrs[0].Is4() { | ||
//TODO: log it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
relay_manager.go
Outdated
@@ -360,11 +419,11 @@ func (rm *relayManager) handleCreateRelayRequest(h *HostInfo, f *Interface, m *N | |||
f.SendMessageToHostInfo(header.Control, 0, h, msg, make([]byte, 12), make([]byte, mtu)) | |||
rm.l.WithFields(logrus.Fields{ | |||
//TODO: IPV6-WORK more lazy, used to use resp object |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
pki.go
Outdated
return p.cs.Load() | ||
} | ||
|
||
func (p *PKI) GetCAPool() *cert.CAPool { | ||
return p.caPool.Load() | ||
// TODO: We should remove this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
pki.go
Outdated
return p.cs.Load().GetDefaultCertificate() | ||
} | ||
|
||
// TODO: We should remove this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
} | ||
|
||
} else if currentState.v1Cert != nil { | ||
//TODO: we should be able to tear this down |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
p.cs.Store(cs) | ||
p.cs.Store(newState) | ||
|
||
//TODO: newState needs a stringer that does json |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
return nil, util.NewContextualError("v1 and v2 curve are not the same, ignoring", nil, nil) | ||
} | ||
|
||
//TODO: make sure v2 has v1s address |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve TODO
…didn't work on the first try (#1268)
if ok { | ||
whereToPunch = newDest | ||
} else { | ||
//TODO this means the destination will have no addresses in common with the punch-ee |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolve
This is a near complete implementation of an ipv6 enabled overlay network. There are a handful of pull requests targeting this branch in addition to a number of incomplete issues within this PR.
I have tried to highlight the main trouble spots with comments on the PR and in addition here are my internal notes:
nebula-cert
is defaulting to mint bothv1
andv2
certificates and nebula config is defaulting to transmitv1
certificates if both are present. This will lead to a situation where net new adopters will be stuck using v1 certificates. Should this be the default behavior?Currently nebula wont allow you to remove a
v1
certificate on reload but this means a restart is required to complete a migration tov2
. A comment on this review highlights this, we should allow it.Currently there are a few spots (control, ssh) where we return the certificate in use but they only return 1 cert, should we leave it returning the default or force folks to consume both? How do we indicate which one is default?
Every time we encounter a certificate we need to sort the networks as well as only record the union of applicable addresses. See [cert-v2] punchy-respond on an address in common with the querying host #1261
We need to take extra care to ensure we never allow a ipv4 mapped ipv6 address. This is not currently addressed in this PR.
There may be an opportunity to improve the lighthouse protocol by directly using the
MarshalBinary
andUnmarshalBinary
functions fornetip
objects. This is more of a nit than anything but we should agree on this before merging.nebula-cert
sign
help text needs to talk about primary vpn address (or the union of effective addresses) being the first one after being sorted and what that means for tunnels.The firewall config still uses naming like
ca-sha
should we alias this toca-fingerprint
to normalize the verbiage?The firewall config still uses naming like
ip
should we alias this tonetwork
to normalize the verbiageNormalize all names for
Marshal*
andUnmarshal*
, we have someFrom*
/To*
and others withoutFrom
/To
.Should we use this moment to swap p256 keys to use their compressed form? Saves ~32 bytes.
Once this is merged the upgrade path should likely be:
pki.default_version
to1
. Everything continues to usev1
protocols.am_relay: true
hostspki.default_version
to2
. Relays can now initiatev2
tunnels, but this is an uncommon flow.pki.default_version
to2
. Lighthouses will reply tov2
hosts usingv2
protocols.pki.default_version
to2
.v1
certs from all hosts