wireguard: connectivity issues with ipv6-only clusters

[giorio94]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

While running the connectivity tests on an IPv6-only cluster with wireguard encryption, I've noticed different failures which affect pod to pod communication. For instance:

❌ 1/1 tests failed (2/4 actions), 30 tests skipped, 9 scenarios skipped:
Test [no-policies]:
  ❌ no-policies/pod-to-pod/curl-1: cilium-test/client-7b78db77d5-2cpmk (fd00:10:242:1::a9b2) -> cilium-test/echo-other-node-78f77b57f8-qnpq7 (fd00:10:242::786a:8080)
  ❌ no-policies/pod-to-pod/curl-3: cilium-test/client2-78f748dd67-w6dhk (fd00:10:242:1::69e4) -> cilium-test/echo-other-node-78f77b57f8-qnpq7 (fd00:10:242::786a:8080)

The issue relates with fragmentation, as confirmed by executing a ping with increasing packet size (ping -s 1360 works, while ping -s 1361 fails and triggers fragmentation, although it shouldn't). Pod interfaces have MTU set (through the default route) to 1420, cilium_wg0 has MTU 1420, while the host interface has MTU 1500.

More specifically, the problem is triggered by the padding added by wireguard to align the packet to 16 bytes [1], which though, should be limited by the MTU to prevent the occurrence of fragmentation. Still, this does not happen, since
here [2] the MTU is detected based on the wrong device (eth0 rather than cilium_wg0). This happens since dev is correctly set to cilium_wg0 [3] after bpf_redirect is performed by Cilium, while skb_dst(skb)->dev does not seem to get updated.

[1]: https://lxr.missinglinkelectronics.com/linux+v5.19/drivers/net/wireguard/send.c#L141
[2]: https://lxr.missinglinkelectronics.com/linux+v5.19/drivers/net/wireguard/device.c#L171
[3]: https://lxr.missinglinkelectronics.com/linux+v5.19/net/core/filter.c#L2110

Cilium Version

Recent version on master

Kernel Version

Linux 6.1.0-3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.8-1 (2023-01-29) x86_64 GNU/Linux

Kubernetes Version

Client Version: v1.26.1
Kustomize Version: v4.5.7
Server Version: v1.25.3

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

[M4t7e]

I also see a lot of fragmented packets in my setup. The infrastructure I am using (Hetzner) is only providing 1450 MTU for the internal network interface, because of their OpenStack VXLAN (which needs 50 bytes overhead) based environment. The internal network interface eth1 is automatically configured with the available 1450 MTU, but the wireguard interface cilium_wg0 seems to use the default 1420.

I tested different packet sizes and it turned out, that a MTU of 1376 would work. Everything higher would lead to IP fragmentation of the wireguard packets. Inside of the tunnel, of course, you see nothing from it.

eth1: 1450 MTU
cilium_wg0: 1420 MTU

That works (no IP fragmentation):
size=1376 && ping -c 1 -M do -s $(($size-28)) 10.0.132.179

That unfortunately leads to IP fragmentation:
size=1377 && ping -c 1 -M do -s $(($size-28)) 10.0.132.179
...
size=1420 && ping -c 1 -M do -s $(($size-28)) 10.0.132.179

That fails as expected (exceeds the cilium_wg0 MTU):
size=1421 && ping -c 1 -M do -s $(($size-28)) 10.0.132.179

Info: The -28 are for 20 Bytes IPv4 Header + 8 Bytes ICMP Header

If IPv6 was used all values can be decreased by another 20 Bytes because of the 20 bytes longer IPv6 header.

[M4t7e]

In case you want to detect fragmented packets, this is the filter I use: tcpdump -i eth1 -f "ip[6:2] & 0x3fff != 0x0000"

[netops2devops]

As of now due to #17240 running Cilium in a pure IPv6 environment is not possible unless you are using routingMode: native

[smagnani96]

I haven't run the full test suite locally, and I wouldn't be surprised if something is still missing, but:

1. With 645adf9, the WireGuard device should be able to react to underlying device MTU changes, and adjust its own MTU accordingly. @M4t7e please let me know if you're still facing the issue. I tried locally on a kind cluster, lowering all nodes'eth0 MTUs, and the cilium_wg0 is adjusting accordingly.
2. What I find non-intuitive, for which I'll open a PR in a while, is that even in IPv6-only cluster you need to specify --helm-set=underlayProtocol=ipv6, otherwise we mistakenly compute the MTU considering an IPv4 underlay. See here and here. Not specifying the correct underlay causes MTU miscalculation (1500 - 80wireguard - 50vxlan, instead of 1500 - 80wireguard - 70vxlanOverV6), and therefore problems due to fragmentation. @netops2devops please let me know if that was your case.