ipsec: phase out bpf_network #33704

@julianwiedmann

Description

Background:
IPsec has been using its own BPF program (bpf_network) on the Ingress of native network interfaces, to handle inbound IPsec traffic. This gets configured via --encrypt-interface.

But as the support for IPsec in the "normal" from-netdev program is stabilizing, we eventually want to remove the bpf_network program.

Proposal:
Deprecate the --encrypt-interface option, and fully replace the usage of bpf_network with bpf_host.

Labels

area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.

area/encryption: Impacts encryption support such as IPSec, WireGuard, or kTLS.

feature/ipsec: Relates to Cilium's IPsec feature

kind/tech-debt: Technical debt

pinned: These issues are not marked stale by our issue bot.
