Issue #3425

Encryption happens in only one direction for bi-directional traffic.

Added by Nagendra E S 3 months ago.

Affected version:


Servers run Ubuntu 18.04 and Linux 4.15.0-29-generic

Two servers connected over network hosting VMs on each server. Host(hypervisor) OS is having custom datapath. This datapath sends packets that have to be encrypted to a "crypt0" interface which interfaces with linux kernel IP stack. There is another interface "decrypt0" interface which is used to receive packets decrypted by kernel back to the custom datapath.

Problem Description:
ping is originating on VM1 on Server-1 ( The ping packets are encapsulated over VxLan (UDP) by custom datapath with src-ip and dst-ip, and sent to crypt0 interface. The kernel encrypts and sends to other server Server-2 ( using the linux ip stack forwarding tables. On Server-2, decryption happens and packets are sent to VM2 on Server-2 after removing VxLan header in custom datapath.

Now, the ping replies from VM2 on Server-2 are going to the linux kernel stack via the custom datapath and crypt0 interface. However, the packets are not getting encrypted and forwarded as plain-text on to the network physical interface.

To summarise, packets originating from Server-1 are getting encrypted but packets originating from Server-2 are not getting encrypted and going as plain-text.

Decryption happens properly on Server-2 (for packets received from Server-1).

Now, if ping is done from VM2, still the encryption doesn't happen on Server-2 but the ping response from Server-1 is encrypted.

server_1.tar (30 KB) server_1.tar Server-1 Nagendra E S, 24.04.2020 15:03
server_2.tar (30 KB) server_2.tar Server-2 Nagendra E S, 24.04.2020 15:03

Also available in: Atom PDF