Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable mesh traffic to be secured using qsafe curves #52512

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Enable mesh traffic to be secured using qsafe curves #52512

wants to merge 1 commit into from
50 −22

Conversation

johnma14
Copy link
Contributor

@johnma14 johnma14 commented Aug 5, 2024
edited by istio-policy-bot
Loading

Enable Istio's mesh mTLS communication to be secured using quantum-safe curves supported by boringssl (X25519Kyber768Draft00) today. Extend the current capability to be able to configure the ECDH curves for the mesh mTLS traffic in ISTIO_MUTUAL mode. Based on the current implementation, we can set ecdh curves for mesh traffic where the tls mode is SIMPLE or MUTUAL (using the tlsDefaults setting in MeshConfig) but not for ISTIO_MUTUAL mode (meshMTLS does not respect ecdh curves).

Fixes: #52290

Please provide a description of this PR:

@johnma14
Enable mesh traffic to be secured using qsafe curves
c30dd63 
Enable Istio's mesh mTLS communication to be secured using quantum-safe curves supported by
boringssl (X25519Kyber768Draft00) today. Extend the current capability to be able to configure the
ECDH curves for the mesh mTLS traffic in ISTIO_MUTUAL mode. Based on the current implementation,
we can set ecdh curves for mesh traffic where the tls mode is SIMPLE or MUTUAL (using the tlsDefaults
setting in MeshConfig) but not for ISTIO_MUTUAL mode (meshMTLS does not respect ecdh curves).

Fixes: istio#52290
@johnma14 johnma14 added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Aug 5, 2024
@johnma14 johnma14 requested review from a team as code owners August 5, 2024 13:22
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Aug 5, 2024
@istio-policy-bot
Copy link

😊 Welcome @johnma14! This is either your first contribution to the Istio istio repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 5, 2024
@istio-testing
Copy link
Collaborator

@johnma14: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
release-notes_istio c30dd63 link true /test release-notes
gencheck_istio c30dd63 link true /test gencheck
lint_istio c30dd63 link true /test lint
unit-tests-arm64_istio c30dd63 link true /test unit-tests-arm64
unit-tests_istio c30dd63 link true /test unit-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add the ability to configure ecdh curves for mesh internal traffic
3 participants
@johnma14 @istio-policy-bot @istio-testing