Network Policy: Consider generating TCP RST instead of DROP

[ernado]

Proposal / RFE

Currently Cilium drops packets that don't comply to network policies.

While we can observe firewall verdict in Hubble, getting RST would be useful for east-west traffic and can ease debugging for internal applications.

Resets usually helped other IT personnel troubleshoot an issue, the app would behave better and fail immediately vs sitting there retrying and timing out

James Harr

Can be related to #13451

[panchm]

As per the request, I would like to understand in more detail.

According to the current design, It will deny the traffic by sending the TCP REJECT for the DROP case (ingressDeny)
And with the new requirement, should drop the traffic by sending the TCP RESET flag instead of TCP REJECT for traffic Deny? (ingressDeny)
Or Do we need to introduce a new option like ingressReset which sends the TCP RESET and in case ingressDeny is configured it should DROP by sending TCP REJECT?

[jamesharr]

My perspective

This is my perspective as to what would make a solid solution, I have 15+ years in Networking/Systems and has dealt with iptables, pf, cisco, paloalto, fortinet, and probably some others I'm forgetting. With that experience probably comes some baggage, so it's just one perspective:

1. DROP is still a sane default in today's environment.
2. A system-wide flag to change behavior
3. A system-wide or namespace-wide option specifying which CIDRs it's OK to send REJECT to when policy denies traffic.
4. NP/CNP rules can stay in an "allow list" mode where they only allow traffic and you don't have to somehow inter-mingle permit rules and deny rules.

As per what kind of packet is generated, I'd refer to the iptables REJECT behavior, but keep room in the API/Schema to add other behavior down the road.

Historical context

For historical context, traditional firewall vendors usually give a per-rule option as to what happens.

1. DROP the traffic with no response back to the source
2. Generate an ICMP response to the traffic, usually an icmp-port-unreachable (note that icmpv4 and icmpv6 have different numerical values for types/codes)
3. Generate a TCP-RST. This is only applicable for TCP traffic

In the latter two cases, this response gives the source of the traffic some level of awareness to the effect. Most vendors default to the first one, but it can be very useful to use options 2 or 3 for hosts that may be friendly so that the application on the remote end knows that it's getting rejected vs having to time out (fail fast vs timeout).

On the topic of TCP-RST directionality

I don't think this applies here, but do I want to mention that that PaloAlto (and other) firewalls have some options to choose the direction of the TCP-RST (client, server, or both). This is because you can drop a connection AFTER it's established but once it knows more about it. For example, after a traffic signature identifies more info about traffic. In these cases, the firewall gives more knobs to control the reject behavior. IE: If policy permits TLS running over port 443, but someone tries to use SSH over port 443. The TCP connection will initially succeed, but then be subsequently be denied once the firewall observes something other than a TLS handshake. The admin gets the option to send the TCP-RST to the client/server/both and can help with managing server state by explicitly closing a connection.

Again, I'm not sure these apply here.

References

• IANA ICMPv4 codes
• IANA ICMPv6 codes
• Palo Alto - When to use what kind of response
• Palo Alto - options in the UI
• JunOS SRX - reject behavior
• iptables REJECT behavior
• Peter Benie has a good summary of the behaviors, though I vehemently disagree with his conclusion that DROP should not normally be used. His conclusion was likely based on the environment at the time of writing.

[panchm]

Then looks like we are on the same page,

EDIT: We need to introduce a new option like ingressReset which sends the TCP RESET and in case ingressDeny is configured, it should DROP. as shown below in both cases

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l4-rule-deny"
spec:
  endpointSelector:
    matchLabels:
      role: backend
  **ingressDeny**: ----> DROP the packet 
  - fromEndpoints:
    - matchLabels:
        role: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l4-rule-deny-reset"
spec:
  endpointSelector:
    matchLabels:
      role: backend
  **ingressReset**: ----> DROP the packet by sending TCP_RESET
  - fromEndpoints:
    - matchLabels:
        role: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP

Would this approach looks fine in which it adheres to the following aspects?
#17944 (comment) by @jamesharr

I would like to work on this issue would you like to assign it to me?

[jamesharr]

I think that alliance with what I I think would make sense.

There is a slightly ambiguous behavior that I think is probably acceptable. If you have two policies that apply to the same pod, but only one defines an ingressDeny, what happens?

In this case I think it makes sense to use the ingressDeny from the policy that has it defined.

For cases where different policies define conflicting ingressDeny options, I'm not sure how to handle it exactly. My initial inclination is that if there is some natural outcome (IE alphabetical evaluation with one winner) then just follow that and mention it as a one sentence line in the docs.

It's probably worth mentioning that I would like to see egressDeny as well. This is where feedback can make an application fail faster vs timeout. This might already be the case though

[panchm]

Hi,

I would like to take up this issue.

Kindly assign it to me.

Thanks,
PMahadev

[panchm]

Please assign this issue to me as I am going through this issue.

Thanks!

So far we have just discussed TCP RST but are we planning to resolve this kind of issue (fail faster vs timeout) w.r.t L7 Policies as well?

[panchm]

@pchaigno Please assign this to me

[pchaigno]

@panchm I've assigned you.

Could you describe the use case(s) for a per-policy config knob instead of a agent-wide knob? The former will be a lot more work to implement and introduces some challenges in design as outlined by @jamesharr.