
Inconsistent handling of IPv6 blocks in Istio between ConnectivityMap query and Equivalence query #522

Closed
tanyaveksler opened this issue Jun 6, 2023 · 2 comments
Labels
bug Something isn't working Istio Issues related to Istio support

@tanyaveksler
Member

See test .../tests/istio_testcases/example_policies/testcase2/testcase2-istio-scheme.yaml, the difference between istio6 and istio7 configs.
In istio6 the action is 'ALLOW', and thus the only allowed sources connected to the selected peers are those explicitly defined in the policy rules. Since IP blocks are not mentioned in the rules, they are not connected to the selected peers.
In istio7, on the other hand, the action is 'DENY', and thus all connections to the selected peers are allowed except those mentioned in the policy rules. Since only IPv4 blocks are mentioned in the policy, all the rest (IPv6) blocks are connected to the selected peers.
Thus, the connectivity maps of istio6 and istio7 differ by IPv6 block (this difference may be observed when setting the option excludeIPv6Range to false; by default it is true and the difference cannot be observed).
This change in the connectivity maps is observed due to the inclusion of the all-IPs block in peers to compare, as follows:

```python
ref_ip_blocks = IpBlock.disjoint_ip_blocks(self.config.get_referenced_ip_blocks(exclude_ipv6),
                                           IpBlock.get_all_ips_block_peer_set(exclude_ipv6), exclude_ipv6)
```

However, in the equivalence query, peers to compare are calculated as follows (in the function disjoint_referenced_ip_blocks)

```python
IpBlock.disjoint_ip_blocks(self.config1.get_referenced_ip_blocks(exclude_ipv6),
                           self.config2.get_referenced_ip_blocks(exclude_ipv6), exclude_ipv6)
```

Thus, the EquivalenceQuery returns that istio6 and istio7 configs are equivalent, even when the excludeIPv6Range is false.

This inconsistency between ConnectivityMapQuery and EquivalenceQuery is misleading and should be resolved either way.

@tanyaveksler tanyaveksler added bug Something isn't working Istio Issues related to Istio support labels Jun 6, 2023
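The following is an added, self-contained model of the behaviour described in this issue; it is not the analyzer's code and does not reproduce testcase2. The two policies (`ISTIO6`, `ISTIO7`), their IP blocks (`0.0.0.0/1`, `128.0.0.0/1`) and the helper names (`disjoint_ip_blocks`, `all_ips_blocks`, `equivalence_query`) are constructed for illustration. It shows that comparing only the IP blocks referenced by the two policies reports them as equivalent, that adding the all-IPs block exposes the IPv6 difference between an ALLOW and a DENY policy, and that `exclude_ipv6=True` masks that difference again.

```python
"""Constructed model of ALLOW/DENY source-IP semantics and of the two ways the
peers to compare can be chosen.  Not the analyzer's own code."""
import ipaddress
from dataclasses import dataclass

# An IP block as (ip version, first address as int, last address as int).
Block = tuple[int, int, int]


def to_block(cidr: str) -> Block:
    net = ipaddress.ip_network(cidr)
    return (net.version, int(net[0]), int(net[-1]))


def contains(outer: Block, inner: Block) -> bool:
    return outer[0] == inner[0] and outer[1] <= inner[1] and inner[2] <= outer[2]


def block_to_cidrs(block: Block) -> list[str]:
    cls = ipaddress.IPv4Address if block[0] == 4 else ipaddress.IPv6Address
    return [str(n) for n in ipaddress.summarize_address_range(cls(block[1]), cls(block[2]))]


def all_ips_blocks(exclude_ipv6: bool) -> list[Block]:
    """The 'all IPs' peer set: 0.0.0.0/0, plus ::/0 unless IPv6 is excluded."""
    blocks = [to_block("0.0.0.0/0")]
    if not exclude_ipv6:
        blocks.append(to_block("::/0"))
    return blocks


def disjoint_ip_blocks(*block_sets: list[Block]) -> list[Block]:
    """Split the union of the given block sets into pieces that are each wholly
    inside or wholly outside every input block (per address family)."""
    result = []
    for version in (4, 6):
        blocks = [b for s in block_sets for b in s if b[0] == version]
        if not blocks:
            continue
        points = sorted({b[1] for b in blocks} | {b[2] + 1 for b in blocks})
        for lo, hi in zip(points, points[1:]):
            piece = (version, lo, hi - 1)
            if any(contains(b, piece) for b in blocks):
                result.append(piece)
    return result


@dataclass
class AuthzPolicy:
    name: str
    action: str            # "ALLOW" or "DENY"
    ip_blocks: list[str]   # source ipBlocks named in the policy rules

    def referenced_ip_blocks(self, exclude_ipv6: bool) -> list[Block]:
        blocks = [to_block(c) for c in self.ip_blocks]
        return [b for b in blocks if not (exclude_ipv6 and b[0] == 6)]

    def allows(self, peer: Block) -> bool:
        """Peer must be wholly inside or outside the rule blocks (see disjoint_ip_blocks).
        ALLOW connects only matched sources; DENY connects everything except them."""
        matched = any(contains(r, peer) for r in self.referenced_ip_blocks(False))
        return matched if self.action == "ALLOW" else not matched


def equivalence_query(p1: AuthzPolicy, p2: AuthzPolicy,
                      exclude_ipv6: bool, include_all_ips: bool) -> list[str]:
    """Return the CIDRs of peers on which the two policies disagree (empty => equivalent).
    include_all_ips=False mirrors comparing referenced blocks only; True adds the all-IPs block."""
    ref1 = p1.referenced_ip_blocks(exclude_ipv6)
    ref2 = p2.referenced_ip_blocks(exclude_ipv6)
    sets = [ref1, ref2] + ([all_ips_blocks(exclude_ipv6)] if include_all_ips else [])
    peers = disjoint_ip_blocks(*sets)
    return [c for peer in peers if p1.allows(peer) != p2.allows(peer) for c in block_to_cidrs(peer)]


# Constructed policies: they agree on all of IPv4 (both connect 0.0.0.0/1 only)
# but only the DENY policy also connects every IPv6 source.
ISTIO6 = AuthzPolicy("istio6", "ALLOW", ["0.0.0.0/1"])
ISTIO7 = AuthzPolicy("istio7", "DENY", ["128.0.0.0/1"])

if __name__ == "__main__":
    for exclude_ipv6 in (True, False):
        for include_all_ips in (False, True):
            diff = equivalence_query(ISTIO6, ISTIO7, exclude_ipv6, include_all_ips)
            print(f"exclude_ipv6={exclude_ipv6} include_all_ips={include_all_ips}: "
                  f"{'equivalent' if not diff else 'differ on ' + ', '.join(diff)}")
```

Only the run with `exclude_ipv6=False, include_all_ips=True` reports a difference (on `::/0`); comparing referenced blocks alone never sees IPv6 space because neither policy names an IPv6 block, which is the equivalence-query behaviour reported above.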
@tanyaveksler
Member Author

On second thought, the problem is not in the disjoint_referenced_ip_blocks calculation, but rather in the expected result of the equivalence query, and the fact that the excludeIPv6Range flag masks the difference.

@zivnevo
Member

zivnevo commented Aug 14, 2024

Moved to NP-Guard repo. See here

@zivnevo zivnevo closed this as not planned Won't fix, can't repro, duplicate, stale Aug 14, 2024