NETOBSERV-2471: TLS usage tracking

[jotak]

• Start implementing TLS, by reading the TLS header when present
• Extract SSL version
• Report the TLS version in output records

Dependencies

• Operator: NETOBSERV-2471: TLS fields network-observability-operator#2124
• FLP: NETOBSERV-2471: TLS usage tracking (bump agent) flowlogs-pipeline#1119

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set.

Details

In response to this:

(wip status = pretty much done, except for handshake version (see code comment), maybe needs an experimental feature gate; correctness to be verified, as I'm getting less TLS flows than expected - am I missing something?)

use tls.VersionName

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set.

Details

In response to this:

• Start implementing TLS, by reading the TLS header when present
• Extract SSL version (not done yet for the handshake message)
• Report the TLS version in output records

TODO: handshake message: version is stored a couple of bits further

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set.

Details

In response to this:

• Start implementing TLS, by reading the TLS header when present
• Extract SSL version (not done yet for the handshake message)
• Report the TLS version in output records

TODO: handshake message: version is stored a couple of bits further

Dependencies

• FLP: NETOBSERV-2471: TLS usage tracking (bump agent) flowlogs-pipeline#1119

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set.

Details

In response to this:

• Start implementing TLS, by reading the TLS header when present
• Extract SSL version
• Report the TLS version in output records

Dependencies

• FLP: NETOBSERV-2471: TLS usage tracking (bump agent) flowlogs-pipeline#1119

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jotak: This pull request references NETOBSERV-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set.

Details

In response to this:

• Start implementing TLS, by reading the TLS header when present
• Extract SSL version
• Report the TLS version in output records

Dependencies

• Operator: NETOBSERV-2471: TLS fields network-observability-operator#2124
• FLP: NETOBSERV-2471: TLS usage tracking (bump agent) flowlogs-pipeline#1119

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[msherif1234]

don't think its better if we have feature config for tracker like we do with all other features ? instead of enabling it by default ?

[jotak]

yes I'll do that (although I would like to have it enabled by default if it doesn't show visible impact on perfs)

[msherif1234]

is it better to have mismatch counter instead of flag ?

[jotak]

the flag allows us to correlate precisely with a particular flow, and report that up to the UI

[msherif1234]

do u think this work for STCP protocol too ?, not sure what is the story for DTLS ?

[jotak]

I haven't digged into other protocols.. might be something to do if someone asks for it, but I believe TCP covers most of the expectations

[msherif1234]

does the verifier needs the above check given how late we call this tracker all headers should have been sane already ?

[jotak]

Yes I had a verifier error without those checks

[msherif1234]

might be good idea to add return code and track failure at the caller since there many conditions check in this function and if things doesn't work it will be hard to debug.
might be good adding BPF_PRINTK() on failing checks ?

[msherif1234]

why setting it here if u really want handshake ssl version ?

[jotak]

that's a fallback for the case where handshake header couldn't be read ... But I'm going to change that, actually perhaps we don't want the client-hello version at all, it doesn't tell what's actually going to be used

[msherif1234]

do u think adding SSL record type to the follow will be adding value to end user ?

[jotak]

you mean adding it to the flow, like, as a bitfield? hmm why not ..

[msherif1234]

Nice work!!, I left some comments/suggestions, nothing major small enhancements . Also pls share some screenshots for this new feature

[msherif1234]

This logic assume there is always tls record after tcp header this is not safe assumption we could have dns header here or any other header ??

[jotak]

right, I should harden that a bit more; I've found unexpected TLSVersion during my tests probably because of that.

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:16db482
quay.io/netobserv/netobserv-ebpf-agent:16db482

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=16db482 make set-agent-image

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jpinsonneau for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@jotak: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/qe-e2e-tests	84ed5b6	link	false	/test qe-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[rhmdnd]

Something else that would be nice to pull out of the extensions is the key share. This would tell users if the server is using classical or hybrid key exchange algorithms, which is useful for finding out which applications are PQC-ready (e.g., looking for X25519 + Kyber768).

We might need to do something like:

if (ext_hdr.type == 0x002b) {
    // Supported Versions: single version expected
    u16 version;
    if (bpf_skb_load_bytes(skb, offset + ext_offset, &version, sizeof(version)) < 0) {
        return TLSTRACKER_UNKNOWN;
    }
    tls->version = bpf_ntohs(version);
} 
else if (ext_hdr.type == 0x0033) {
    // Key Share Extension (TLS 1.3)
    // The Server Hello Key Share contains:
    // Group (2 bytes) + Key Exchange Length (2 bytes) + Key Exchange Data
    u16 selected_group;
    if (bpf_skb_load_bytes(skb, offset + ext_offset, &selected_group, sizeof(selected_group)) < 0) {
        // not sure what would be best to return here?
        return KEYSHARE_UNKNOWN;
    }
    tls->key_share_group = bpf_ntohs(selected_group);
}

The tls_info would need to be updated to relay that information though.

Thoughts?

[jotak]

yep, definitely, if that's useful to figure out PQC-readiness, it's something that we want here
I'll add it, thanks for the hint!