
Authorize chain element security issue

Open NikitaSkrynnik opened this issue 2 years ago • 0 comments

Current Behavior

When the forwarder dies, the NSC tries to reconnect to the NSE with a path that contains the old forwarder's segment. The authorize chain element lets the new forwarder change only the path segment of the previous forwarder. The other path segments remain the same.

Expected Behavior

When the forwarder dies, the authorize chain element closes the connection between the NSC and the NSE and doesn't let the new forwarder change only one path segment. The NSC then tries to connect to the NSE with a completely new path.

Failure Information (for bugs)

Path before old forwarder death:

"path": {
    "index": 3,
    "path_segments": [
      {
        "name": "nsc-kernel-67cb58994c-mpjvd",
        "id": "nsc-kernel-67cb58994c-mpjvd-0",
        "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9ucy1sb2NhbC1mb3J3YXJkZXItZGVhdGgvcG9kL25zYy1rZXJuZWwtNjdjYjU4OTk0Yy1tcGp2ZCIsImF1ZCI6WyJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9uc20tc3lzdGVtL3BvZC9uc21nci1wcjZzZCJdLCJleHAiOjE2NjczMDE1NTN9.51zOvvPMgMvzCN39vpc6RU6yxyxIC_sKUQ5XUBkkS9pD1KOr-HHjondAdOJSYz8XXNtG3-i9fL7lpADv5AOuOg",
        "expires": {
          "seconds": 1667301553,
          "nanos": 881879716
        }
      },
      {
        "name": "nsmgr-pr6sd",
        "id": "75f011e6-32fd-4121-97d7-f621dde6f02e",
        "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9uc20tc3lzdGVtL3BvZC9uc21nci1wcjZzZCIsImF1ZCI6WyJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9uc20tc3lzdGVtL3BvZC9mb3J3YXJkZXItdnBwLXhibTU5Il0sImV4cCI6MTY2NzMwMTU1NH0.vTSJYBF8C-FoDeqwEs8D-po2VGfYmBzNZ98xZ0YPETvXCVefRDmYrCkcaRNIk_w-t27iu0nn6iY7FJjKOSPYJw",
        "expires": {
          "seconds": 1667301554,
          "nanos": 524881
        }
      },
      {
        "name": "forwarder-vpp-xbm59",
        "id": "dbdb3fba-df83-44e8-926b-c9ea6c13472b",
        "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9uc20tc3lzdGVtL3BvZC9mb3J3YXJkZXItdnBwLXhibTU5IiwiYXVkIjpbInNwaWZmZTovL2V4YW1wbGUub3JnL25zL25zLWxvY2FsLWZvcndhcmRlci1kZWF0aC9wb2QvbnNlLWtlcm5lbC1jNWM1OTlkNGQtZnA5MmgiXSwiZXhwIjoxNjY3MzAxNTU0fQ.kdSl7-u-L0FiErJh0MLgEGzjutxioydonrB8B58ghG9doX4JGk2e1yOkzh1cWMuY76Xmcpc889qUiVJdX_kqog",
        "expires": {
          "seconds": 1667301554,
          "nanos": 84305949
        }
      },
      {
        "name": "nse-kernel-c5c599d4d-fp92h",
        "id": "1df3760f-593d-4a5b-b194-9989fa00bbc0",
        "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9ucy1sb2NhbC1mb3J3YXJkZXItZGVhdGgvcG9kL25zZS1rZXJuZWwtYzVjNTk5ZDRkLWZwOTJoIiwiYXVkIjpbInNwaWZmZTovL2V4YW1wbGUub3JnL25zL25zbS1zeXN0ZW0vcG9kL2ZvcndhcmRlci12cHAteGJtNTkiXSwiZXhwIjoxNjY3MzAxNTU0fQ.1nSKT2FdqivSQlxx1KcppBBOfIDKiyZDY1z0WrOAA5P86IwHi5yIQMT84-CQUHUhMQ3ySgXjIpMMa0Wk-Bh0fw",
        "expires": {
          "seconds": 1667301554,
          "nanos": 88710488
        }
      }
    ]
  }

Path after forwarder death:

"path": {
    "index": 3,
    "path_segments": [
      {
        "name": "nsc-kernel-67cb58994c-mpjvd",
        "id": "nsc-kernel-67cb58994c-mpjvd-0",
        "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9ucy1sb2NhbC1mb3J3YXJkZXItZGVhdGgvcG9kL25zYy1rZXJuZWwtNjdjYjU4OTk0Yy1tcGp2ZCIsImF1ZCI6WyJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9uc20tc3lzdGVtL3BvZC9uc21nci1wcjZzZCJdLCJleHAiOjE2NjczMDE2Njl9.Qp6E8LQm5KlFGq3ATJlCuawq6cI90wKJd8z0Zx2alUv92O8lZHFi4dCxDKg12b0ffcsYU3D7uPFZad1WhHtkMg",
        "expires": {
          "seconds": 1667301669,
          "nanos": 940732576
        }
      },
      {
        "name": "nsmgr-pr6sd",
        "id": "75f011e6-32fd-4121-97d7-f621dde6f02e",
        "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9uc20tc3lzdGVtL3BvZC9uc21nci1wcjZzZCIsImF1ZCI6WyJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9uc20tc3lzdGVtL3BvZC9mb3J3YXJkZXItdnBwLThndHdmIl0sImV4cCI6MTY2NzMwMTY3MH0.AiLDmf4074lwsqNC43kId6AsqbXAoWq2DveTUtF-vSERrdYVOI3TvLca6dY9TwzYCn9FPqJ35jNog4dXMjibxQ",
        "expires": {
          "seconds": 1667301670,
          "nanos": 658572458
        }
      },
      {
        "name": "forwarder-vpp-8gtwf",
        "id": "ac0cbf24-6a73-4c2e-a514-8a02c598b36c",
        "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9uc20tc3lzdGVtL3BvZC9mb3J3YXJkZXItdnBwLThndHdmIiwiYXVkIjpbInNwaWZmZTovL2V4YW1wbGUub3JnL25zL25zLWxvY2FsLWZvcndhcmRlci1kZWF0aC9wb2QvbnNlLWtlcm5lbC1jNWM1OTlkNGQtZnA5MmgiXSwiZXhwIjoxNjY3MzAxNjcwfQ.bwxMZetYIIf1tXGIELo57mW_Vq9U4guLzFWhz6xet7QA3elsQ9VoUf4iJ8wLEglOCHKeknBqzbavcfWwms5SlQ",
        "expires": {
          "seconds": 1667301670,
          "nanos": 977213496
        },
        "metrics": {
          "client_drops": "0",
          "client_rx_bytes": "0",
          "client_rx_packets": "0",
          "client_tx_bytes": "0",
          "client_tx_packets": "0",
          "server_drops": "0",
          "server_rx_bytes": "0",
          "server_rx_packets": "0",
          "server_tx_bytes": "0",
          "server_tx_packets": "0"
        }
      },
      {
        "name": "nse-kernel-c5c599d4d-fp92h",
        "id": "1df3760f-593d-4a5b-b194-9989fa00bbc0",
        "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9ucy9ucy1sb2NhbC1mb3J3YXJkZXItZGVhdGgvcG9kL25zZS1rZXJuZWwtYzVjNTk5ZDRkLWZwOTJoIiwiYXVkIjpbInNwaWZmZTovL2V4YW1wbGUub3JnL25zL25zbS1zeXN0ZW0vcG9kL2ZvcndhcmRlci12cHAtOGd0d2YiXSwiZXhwIjoxNjY3MzAxNjcwfQ.Ph697oMD3nfExaD8tN6krn2SJNo7fVFFW4Z3OBewaquEXcP1goizalpG4z-0aRPZpGMwk75VLzPKRaO9rAXW_Q",
        "expires": {
          "seconds": 1667301670,
          "nanos": 978366153
        }
      }
    ]
  }

Steps to Reproduce

  1. Run kernel2kernel test
  2. Check path in logs after NSC connected to NSE
  3. Kill forwarder pod
  4. Check path in logs after NSC reconnected to NSE

NikitaSkrynnik, Nov 07 '22 17:11
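
A simplified model of the expected behavior described in this issue, added here as an illustration; it is not code from the NSM SDK or from the issue author. The `Authorizer` type, the connection key `conn-1`, and storing paths per connection ID are assumptions; the segment names and ids are taken from the two logged paths.

```go
package main

import (
	"errors"
	"fmt"
)

// Segment keeps only the hop-identifying fields from the logged paths.
type Segment struct{ Name, ID string }
var ErrSegmentReplaced = errors.New("path segment replaced on live connection")

// Authorizer is a hypothetical model that remembers one path per connection ID.
type Authorizer struct{ paths map[string][]Segment }

func NewAuthorizer() *Authorizer { return &Authorizer{paths: map[string][]Segment{}} }

// Request accepts a first request or an unchanged path. If any hop differs, it
// forgets the connection (the "close") and rejects, forcing a fresh path.
func (a *Authorizer) Request(connID string, path []Segment) (int, error) {
	stored, known := a.paths[connID]
	if !known {
		a.paths[connID] = append([]Segment(nil), path...)
		return -1, nil
	}
	for i := 0; i < len(stored) || i < len(path); i++ {
		if i >= len(stored) || i >= len(path) || stored[i] != path[i] {
			delete(a.paths, connID)
			return i, fmt.Errorf("hop %d differs: %w", i, ErrSegmentReplaced)
		}
	}
	return -1, nil
}

// Constructed from the logged paths: after the forwarder death only hop 2 differs.
var before = []Segment{
	{"nsc-kernel-67cb58994c-mpjvd", "nsc-kernel-67cb58994c-mpjvd-0"},
	{"nsmgr-pr6sd", "75f011e6-32fd-4121-97d7-f621dde6f02e"},
	{"forwarder-vpp-xbm59", "dbdb3fba-df83-44e8-926b-c9ea6c13472b"},
	{"nse-kernel-c5c599d4d-fp92h", "1df3760f-593d-4a5b-b194-9989fa00bbc0"},
}
var after = []Segment{before[0], before[1],
	{"forwarder-vpp-8gtwf", "ac0cbf24-6a73-4c2e-a514-8a02c598b36c"}, before[3]}

func main() {
	a := NewAuthorizer()
	a.Request("conn-1", before)
	fmt.Println(a.Request("conn-1", after)) // rejected at hop 2
}
```

After the rejection the stored path is gone, so the next request for that connection is evaluated as a new connection rather than as an in-place update.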