The Swarm VXLAN port may be exposed to attack due to ambiguous documentation

High
thaJeztah published GHSA-vwm3-crmr-xfxw Apr 4, 2023

Package

docs.docker.com (Web)

Affected versions

N/A

Patched versions

None

Description

Swarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.

System administrators may have been misled by ambiguities in the Swarm Mode documentation, which enumerates a list of ports used by the feature without appropriate context and cautionary labeling.

Swarm overlay networks use a single UDP port (by default UDP port 4789, referred to as the VXLAN port) for VXLAN, an encapsulation technology that enables the transport of Ethernet frames over a routed or unrouted network connection. VXLAN has no built-in confidentiality or authentication, so an open VXLAN port can become the entry point through which an adversary injects arbitrary Ethernet frames into the overlay network.
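To make concrete why an exposed VXLAN port matters, the following decoder (an added example, not code from the advisory, Moby or Docker) parses a VXLAN datagram payload as described in RFC 7348 and shows which fields a receiving node actually sees. The sample datagram and its VNI of 4097 are constructed for this example; nothing in the header identifies or authenticates the sender, only a 24-bit VNI selecting the overlay segment the inner frame is delivered into.

```python
"""Decode a VXLAN datagram payload (RFC 7348) and its inner Ethernet header."""
import struct

VXLAN_PORT = 4789            # default Swarm overlay VXLAN port, per the advisory
VXLAN_HDR_LEN = 8            # flags(1) reserved(3) VNI(3) reserved(1)
ETH_HDR_LEN = 14             # dst MAC(6) src MAC(6) EtherType(2)
FLAG_VNI_VALID = 0x08        # the "I" bit: VNI field is valid


def _mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_vxlan(payload):
    """Return the fields a receiving VTEP sees in one VXLAN datagram.

    Note what is absent: there is no key, signature or sender identity in
    the header, only flags and a VNI.  Raises ValueError on malformed input.
    """
    if len(payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("datagram too short for VXLAN and Ethernet headers")
    flags, reserved_hi, vni_bytes, reserved_lo = struct.unpack(
        "!B3s3sB", payload[:VXLAN_HDR_LEN])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set; VNI is not valid")
    vni = int.from_bytes(vni_bytes, "big")
    inner = payload[VXLAN_HDR_LEN:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:ETH_HDR_LEN])
    return {
        "vni": vni,
        # RFC 7348: reserved bits MUST be zero on transmit, ignored on receipt
        "reserved_zero": reserved_hi == b"\x00\x00\x00" and reserved_lo == 0,
        "dst_mac": _mac(dst),
        "src_mac": _mac(src),
        "ethertype": ethertype,
        "inner_payload_len": len(inner) - ETH_HDR_LEN,
    }


def is_vxlan(payload):
    """True if the payload parses as a VXLAN datagram with a valid VNI."""
    try:
        parse_vxlan(payload)
        return True
    except ValueError:
        return False


# Constructed sample: VNI 4097, inner ARP frame addressed to the broadcast MAC.
SAMPLE = bytes.fromhex(
    "08000000"          # flags (I bit set) + 3 reserved bytes
    "001001" "00"       # VNI 0x001001 = 4097, then 1 reserved byte
    "ffffffffffff"      # inner dst MAC: broadcast
    "02420a000002"      # inner src MAC (constructed, locally administered)
    "0806"              # EtherType: ARP
    "0001080006040001"  # first bytes of an ARP request (constructed)
)

if __name__ == "__main__":
    print(parse_vxlan(SAMPLE))
```

The decapsulating node cannot tell from the datagram whether it came from a cluster peer or from anywhere else that can reach UDP port 4789; that is the gap the advisory's firewall guidance closes.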

While this type of attack is relatively novel, it is actively studied and, depending on the implementation and environmental factors, can enable devastating attacks on exposed infrastructure. For this reason, the VXLAN port should be opened only on a trusted LAN (or LAN-like) environment in which every node capable of sending traffic is fully trusted with maximum privilege in the cluster. The VXLAN port must never be exposed to untrusted traffic, even in the case of an encrypted overlay network that is operated over the public Internet or another untrusted network.

VXLAN traffic originating from encrypted overlay networks is encapsulated using the IPsec Encapsulating Security Payload (ESP) protocol in transport mode. ESP carries no port numbers, so the VXLAN port number is not visible until the packet has been decrypted by the destination node. For this reason, a perimeter firewall should never accept traffic on UDP port 4789, even when an encrypted overlay is operating over an untrusted network.

Similarly, if encrypted overlay networks are used exclusively, it is best to block all incoming unencrypted traffic on the VXLAN port at each node, as the open port represents an unnecessary increase in attack surface. As encrypted overlay networks are only supported on Linux, this is easily accomplished with the iptables IPsec policy matcher.

Such a rule might look like: iptables -I INPUT -p udp --dport 4789 -m policy --dir in --pol none -j DROP

In no case should the VXLAN port be exposed to untrusted traffic. While the needs of individual networks may vary, any deployment of Swarm Mode should keep in mind that the VXLAN port represents the ability to inject arbitrary frames into overlay networks.
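A defender will want to check whether a node's or perimeter host's ruleset actually honours the guidance above. The audit below is an added example, not part of the advisory or of Docker's tooling: it reads an iptables-save dump of the filter table and reports whether the INPUT chain drops unprotected VXLAN datagrams with the policy match before any rule can accept them, and which rules (or the chain policy itself) would let unencrypted UDP 4789 traffic in. The two rulesets are constructed samples; the function name audit_vxlan_exposure is this example's own.

```python
"""Audit an iptables-save dump for exposure of the Swarm VXLAN port (UDP 4789)."""
import shlex

VXLAN_PORT = "4789"   # default Swarm overlay VXLAN port, per the advisory
ANY_SRC = "0.0.0.0/0"


def _parse_rule(line):
    """Pull the handful of options the audit needs out of one '-A ...' line."""
    tokens = shlex.split(line)
    opts = {"chain": None, "proto": None, "dport": None, "target": None,
            "pol": None, "dir": None, "src": ANY_SRC, "iface": None, "mods": []}
    flag_map = {"-A": "chain", "-p": "proto", "--dport": "dport", "-j": "target",
                "--pol": "pol", "--dir": "dir", "-s": "src", "-i": "iface"}
    i = 0
    while i < len(tokens):
        key = flag_map.get(tokens[i])
        if key is not None and i + 1 < len(tokens):
            opts[key] = tokens[i + 1]
            i += 2
        elif tokens[i] == "-m" and i + 1 < len(tokens):
            opts["mods"].append(tokens[i + 1])
            if tokens[i + 1] == "udp":
                opts["proto"] = "udp"   # iptables-save writes '-p udp -m udp'
            i += 2
        else:
            i += 1
    return opts


def _unconditional_deny(r):
    """A trailing '-A INPUT -j DROP/REJECT' makes an ACCEPT chain policy moot."""
    return (r["target"] in ("DROP", "REJECT") and not r["mods"] and r["proto"] is None
            and r["dport"] is None and r["src"] == ANY_SRC and r["iface"] is None)


def audit_vxlan_exposure(dump):
    """Return {'input_policy', 'drops_unprotected', 'exposed': [...]} for the
    INPUT chain of the filter table in an iptables-save dump."""
    report = {"input_policy": None, "drops_unprotected": False, "exposed": []}
    in_filter = False
    catch_all_deny = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line.startswith(":INPUT "):
            report["input_policy"] = line.split()[1]
            continue
        if not line.startswith("-A "):
            continue
        r = _parse_rule(line)
        if r["chain"] != "INPUT":
            continue
        if _unconditional_deny(r):
            catch_all_deny = True
            continue
        if r["proto"] != "udp" or r["dport"] != VXLAN_PORT:
            continue
        if r["target"] == "DROP" and r["dir"] == "in" and r["pol"] == "none":
            # The rule from the advisory: unprotected VXLAN is dropped from here on.
            report["drops_unprotected"] = True
        elif (r["target"] == "ACCEPT" and r["pol"] != "ipsec"
              and not report["drops_unprotected"]):
            # Reached before the policy DROP, so unencrypted VXLAN gets in.
            report["exposed"].append({"source": r["src"], "rule": line})
    if (report["input_policy"] == "ACCEPT" and not report["drops_unprotected"]
            and not catch_all_deny):
        report["exposed"].append({"source": ANY_SRC, "rule": "INPUT chain policy ACCEPT"})
    return report


# Constructed sample: a node that carries only encrypted overlays and applies the
# advisory's rule before permitting VXLAN from its trusted LAN (10.0.0.0/24).
HARDENED = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m policy --dir in --pol none -j DROP
-A INPUT -s 10.0.0.0/24 -p udp -m udp --dport 4789 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 2377 -j ACCEPT
COMMIT
"""

# Constructed sample: the VXLAN port is opened to the world and the chain
# policy is ACCEPT, the situation the advisory warns against.
EXPOSED = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 4789 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7946 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print(audit_vxlan_exposure(HARDENED))
    print(audit_vxlan_exposure(EXPOSED))
```

On a live host, feed it the output of iptables-save (the audit deliberately ignores the nat and mangle tables). Because ESP carries no port numbers, the only UDP 4789 traffic a perimeter device ever sees is unencrypted VXLAN, so on a perimeter firewall any ACCEPT the audit lists is a finding regardless of its source restriction.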

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs
