Proto commits in slackhq/nebula

These are the 16 commits in which the Protocol Buffers files changed:

Commit: f36db37
Author: Wade Simmons

Merge remote-tracking branch 'origin/master' into multiport

Commit: d97ed57
Author: Nate Brown
Committer: GitHub

V2 certificate format (#1216)

Co-authored-by: Nate Brown <nbrown.us@gmail.com>
Co-authored-by: Jack Doan <jackdoan@rivian.com>
Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com>
Co-authored-by: Jack Doan <me@jackdoan.com>

The documentation is generated from this commit.

Commit: f2c3242
Author: Nate Brown
Committer: Nate Brown

Support for ipv6 in the overlay with v2 certificates

---------

Co-authored-by: Jack Doan <jackdoan@rivian.com>

The documentation is generated from this commit.

Commit: 08ac653
Author: Nate Brown
Committer: GitHub

Cert interface (#1212)

Commit: 0e593ad
Author: Wade Simmons

Merge branch 'master' into multiport

Commit: 48eb638
Author: Nate Brown
Committer: GitHub

Have lighthouses ack updates to reduce test packet traffic (#851)

Commit: e0185c4
Author: Wade Simmons
Committer: GitHub

Support NIST curve P256 (#769)

* Support NIST curve P256

This change adds support for NIST curve P256. When you use `nebula-cert ca` or `nebula-cert keygen`, you can specify `-curve P256` to enable it. The curve to use is based on the curve defined in your CA certificate.

Internally, we use ECDSA P256 to sign certificates, and ECDH P256 to do Noise handshakes. P256 is not supported natively in Noise Protocol, so we define `DHP256` in the `noiseutil` package to implement support for it.

You cannot have a mixed network of Curve25519 and P256 certificates, since the Noise protocol will only attempt to parse using the Curve defined in the host's certificate.

* verify the curves match in VerifyPrivateKey

This would have failed anyways once we tried to actually use the bytes in the private key, but it's better to detect the issue up front with a better error message.

* add cert.Curve argument to Sign method

* fix mismerge

* use crypto/ecdh

This is the preferred method for doing ECDH functions now, and also has a boringcrypto specific codepath.

* remove other ecdh uses of crypto/elliptic

use crypto/ecdh instead

Commit: 28ecfcb
Author: Wade Simmons

Merge remote-tracking branch 'origin/master' into multiport

Commit: a56a97e
Author: John Maguire
Committer: GitHub

Add ability to encrypt CA private key at rest (#386)

Fixes #8.

`nebula-cert ca` now supports encrypting the CA's private key with a passphrase. Pass `-encrypt` in order to be prompted for a passphrase.

Encryption is performed using AES-256-GCM and Argon2id for KDF. KDF parameters default to RFC recommendations, but can be overridden via CLI flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`.

Commit: 326fc87
Author: Wade Simmons
Committer: Wade Simmons

Support multiple UDP source ports (multiport)

The goal of this work is to send packets between two hosts using more than one 5-tuple. When running on networks like AWS where the underlying network driver and overlay fabric makes routing, load balancing, and failover decisions based on the flow hash, this enables more than one flow between pairs of hosts.

Multiport spreads outgoing UDP packets across multiple UDP send ports, which allows nebula to work around any issues on the underlay network. Some example issues this could work around:

- UDP rate limits on a per flow basis.
- Partial underlay network failure in which some flows work and some don't

Agreement is done during the handshake to decide if multiport mode will be used for a given tunnel (one side must have tx_enabled set, the other side must have rx_enabled set)

NOTE: you cannot use multiport on a host if you are relying on UDP hole punching to get through a NAT or firewall.

NOTE: Linux only (uses raw sockets to send). Also currently only works with IPv4 underlay network remotes.

This is implemented by opening a raw socket and sending packets with a source port that is based on a hash of the overlay source/destination port. For ICMP and Nebula metadata packets, we use a random source port.

Example configuration:

    multiport:
      # This host supports sending via multiple UDP ports.
      tx_enabled: false

      # This host supports receiving packets sent from multiple UDP ports.
      rx_enabled: false

      # How many UDP ports to use when sending. The lowest source port will be
      # listen.port and go up to (but not including) listen.port + tx_ports.
      tx_ports: 100

      # NOTE: All of your hosts must be running a version of Nebula that supports
      # multiport if you want to enable this feature. Older versions of Nebula
      # will be confused by these multiport handshakes.
      #
      # If handshakes are not getting a response, attempt to transmit handshakes
      # using random UDP source ports (to get around partial underlay network
      # failures).
      tx_handshake: false

      # How many unresponded handshakes we should send before we attempt to
      # send multiport handshakes.
      tx_handshake_delay: 2

Commit: 85ec807
Author: Wade Simmons
Committer: GitHub

reserve NebulaHandshakeDetails fields for multiport (#674)

We are currently testing changes for multiport (related to #497) that use fields 6 and 7 in the protobuf. Reserved these fields so that when we eventually open the PR we are backwards compatible with any future changes.

Commit: 1a7c575
Author: brad-defined
Committer: GitHub

Relay (#678)

Co-authored-by: Wade Simmons <wsimmons@slack-corp.com>

Commit: 64d8e5a
Author: Nathan Brown
Committer: GitHub

More LH cleanup (#429)

Commit: 75f7bda
Author: Nathan Brown
Committer: GitHub

Lighthouse performance pass (#418)

Commit: 7073d20
Author: Nathan Brown
Committer: GitHub

IPv6 support for outside (udp) (#369)

Commit: f22b4b5
Author: Slack Security Team

Public Release