Description
(This is used to request new product features, please visit https://github.com/istio/istio/discussions for questions on using Istio)
Describe the feature request
As identified in GHSA-ffhv-fvxq-r6mf, Envoy previously considered all private IPs as internal by default. If a source address was "internal", the x-envoy-* headers were not sanitized on inbound or outbound. This vulnerability unintentionally enabled implicit trust of private IPs, allowing external clients to set internal Envoy headers if their requests passed through an ingress gateway. Internally (sidecar-to-sidecar requests originating in the mesh), internal Envoy headers are stripped as long as useRemoteAddress is false and the XFF header is unset. However, from Envoy's perspective the set of trusted IP addresses by default is still the set of all private IPs.
To better align with the zero-trust model, Istio should configure Envoy to trust no IP addresses by default when determining whether internal Envoy headers should be sanitized on inbound/outbound. Users should be able to opt sidecars into a trusted mode where internal Envoy headers are not sanitized on outbound. Additionally, Istio should provide a mechanism for users to configure the set of trusted IP addresses, the internalAddressConfig. Currently, no mechanism exists in the Istio API to granularly configure a pod-level or mesh-wide internalAddressConfig. Through the proxyConfig a user can only enable or disable implicit trust of all private IPs.
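To make the trust decision above concrete, the following is an added, simplified Python model of the sanitization rule the issue describes. It is not Envoy's or Istio's code: the names `internal_address_config`, `cidr_ranges` and `use_remote_address` are borrowed from Envoy's HTTP connection manager for readability only, the RFC 1918 blocks stand in for the legacy "all private IPs" default, and the sample request and peer address are constructed. It shows why an empty (zero-trust) internal address set strips client-supplied `x-envoy-*` headers that the legacy default would have let through, and why a sidecar with `useRemoteAddress` false and no XFF header strips them under either default.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the decision described in the issue; not Envoy's or
# Istio's code. Field names follow Envoy's HCM internal_address_config and
# use_remote_address for readability only.

# Stand-in for the legacy "all private IPs are internal" default (RFC 1918).
LEGACY_PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class InternalAddressConfig:
    """Source prefixes whose requests keep their x-envoy-* headers.
    An empty list is the zero-trust default: no address is internal."""
    cidr_ranges: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._nets = [ipaddress.ip_network(c, strict=False) for c in self.cidr_ranges]

    def is_internal(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self._nets)


def legacy_config() -> InternalAddressConfig:
    """Previous Envoy default: every RFC 1918 source is trusted."""
    return InternalAddressConfig(list(LEGACY_PRIVATE_RANGES))


def zero_trust_config() -> InternalAddressConfig:
    """Proposed default: trust nothing unless explicitly configured."""
    return InternalAddressConfig([])


def effective_source(peer_addr: str, headers: dict, use_remote_address: bool) -> Optional[str]:
    """Address the trust check is made on: the connection peer when
    use_remote_address is set, otherwise the last x-forwarded-for entry.
    With use_remote_address unset and no XFF there is no trusted source."""
    if use_remote_address:
        return peer_addr
    xff = headers.get("x-forwarded-for", "")
    if not xff.strip():
        return None
    return xff.split(",")[-1].strip()


def sanitize_request(headers: dict, peer_addr: str, cfg: InternalAddressConfig,
                     use_remote_address: bool = False) -> Tuple[dict, bool]:
    """Return (headers after sanitization, whether the request was internal).
    Internal requests keep all headers; external ones lose x-envoy-*."""
    src = effective_source(peer_addr, headers, use_remote_address)
    internal = src is not None and cfg.is_internal(src)
    if internal:
        return dict(headers), True
    stripped = {k: v for k, v in headers.items() if not k.lower().startswith("x-envoy-")}
    return stripped, False


# Constructed sample: a request arriving from a private address (for example
# forwarded by an ingress gateway) carrying client-chosen retry/timeout headers.
SAMPLE_HEADERS = {
    "host": "reviews.default.svc.cluster.local",
    "x-envoy-max-retries": "10",
    "x-envoy-upstream-rq-timeout-ms": "1",
}
SAMPLE_PEER = "10.0.0.5"


if __name__ == "__main__":
    for name, cfg in (("legacy", legacy_config()), ("zero-trust", zero_trust_config())):
        kept, internal = sanitize_request(SAMPLE_HEADERS, SAMPLE_PEER, cfg, use_remote_address=True)
        print(f"{name:10s} internal={internal} headers={sorted(kept)}")
    # Sidecar case: use_remote_address false and no XFF strips under either default.
    kept, internal = sanitize_request(SAMPLE_HEADERS, SAMPLE_PEER, legacy_config())
    print(f"sidecar    internal={internal} headers={sorted(kept)}")
```

The explicit `InternalAddressConfig(["10.1.0.0/16"])` form is the shape of the granular per-pod or mesh-wide setting the issue asks for: only sources inside the listed prefixes keep their internal headers, everything else is sanitized.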
TODO:
- Add release note for Istio 1.26 explaining the default Envoy behavior change and document how to disable explicit_internal_address_config to revert to previous behavior. Link to documentation on how to enable ENABLE_HCM_INTERNAL_NETWORKS to set the internal address config.
- Add documentation on configuring mesh networks with respect to ENABLE_HCM_INTERNAL_NETWORKS
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure