Antrea Missing Encryption Vulnerability for IPv6 Traffic in Dual-Stack Clusters with IPsec Enabled
Vulnerability
A vulnerability exists in Antrea, a Kubernetes networking solution, prior to versions 2.4.5 and 2.5.2. In clusters configured for dual-stack networking with IPsec encryption enabled, Antrea fails to encrypt IPv6 Pod traffic between Nodes. While IPv4 traffic is properly encrypted, IPv6 packets are sent in plaintext, bypassing the IPsec encryption layer. This issue affects users with dual-stack clusters and IPsec encryption enabled, but not those with single-stack IPv4 or IPv6 clusters.
Impact
The vulnerability leads to unencrypted IPv6 Pod traffic between Nodes in dual-stack clusters, exposing the traffic to potential interception or tampering.
Reproduction
In an Antrea dual-stack cluster with IPsec encryption enabled, IPv6 Pod traffic is not encrypted. This can be verified by inspecting the traffic between Nodes: IPv4 traffic is encrypted, while IPv6 traffic is in plaintext.
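One way to run the check described above on a packet capture taken between two Nodes, as an added example (not Antrea's code and not part of the advisory): it counts ESP packets against overlay packets sent outside ESP, keyed by the IP version of the outer header. The overlay signatures (GRE, UDP 6081 for Geneve, UDP 4789 for VXLAN) and all function names are assumptions, and the sample capture is constructed.

```python
import struct
from collections import Counter

ESP, GRE, UDP = 50, 47, 17
OVERLAY_UDP_PORTS = {6081, 4789}  # Geneve, VXLAN (assumed; match your tunnel type)
V6_EXT = {0, 43, 60}  # hop-by-hop, routing, destination options

def classify(frame):
    """Return (outer_ip_version, 'esp' | 'cleartext-overlay' | 'other'), or None if not IP."""
    etype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else 0
    if etype == 0x0800 and len(frame) >= 34:
        ver, proto, l4 = 4, frame[23], 14 + (frame[14] & 0x0F) * 4
    elif etype == 0x86DD and len(frame) >= 54:
        ver, proto, l4 = 6, frame[20], 54
        while proto in V6_EXT and l4 + 2 <= len(frame):  # skip extension headers
            proto, l4 = frame[l4], l4 + (frame[l4 + 1] + 1) * 8
    else:
        return None
    overlay = proto == GRE
    if proto == UDP and l4 + 4 <= len(frame):
        overlay = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0] in OVERLAY_UDP_PORTS
    return ver, ("esp" if proto == ESP else "cleartext-overlay" if overlay else "other")

def summarize(pcap):
    """Count classifications in a classic little-endian pcap with Ethernet framing."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported capture format")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        counts[classify(pcap[off + 16:off + 16 + incl])] += 1
        off += 16 + incl
    del counts[None]  # drop non-IP frames (Counter ignores a missing key)
    return counts

def cleartext_families(counts):  # outer IP versions with overlay traffic outside ESP
    return sorted(ver for ver, kind in counts if kind == "cleartext-overlay")

# Constructed sample capture (not real traffic) and the helpers that build it.
ETH4, ETH6 = b"\x02" * 12 + b"\x08\x00", b"\x02" * 12 + b"\x86\xdd"
def ipv4(proto, payload):
    return ETH4 + bytes([0x45, 0, 0, 20 + len(payload), 0, 0, 0, 0, 64, proto,
                         0, 0, 10, 0, 0, 1, 10, 0, 0, 2]) + payload
def ipv6(nh, payload):
    addrs = b"\xfd" + bytes(14) + b"\x01" + b"\xfd" + bytes(14) + b"\x02"
    return ETH6 + bytes([0x60, 0, 0, 0, 0, len(payload), nh, 64]) + addrs + payload
def pcap_of(frames, hdr=struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)):
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
SAMPLE = pcap_of([ipv4(ESP, bytes(16)), ipv6(UDP, struct.pack("!HHHH", 40000, 6081, 24, 0) + bytes(16))])
```

Any non-empty result from `cleartext_families(summarize(capture_bytes))` means overlay packets left the Node outside ESP; on the constructed sample it returns `[6]`.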
Remediation
Users should upgrade to Antrea versions 2.4.5, 2.5.2, or 2.6.0 and later. After upgrading, it's recommended to run the 'antctl check installation --run ipsec' command to verify that both IPv4 and IPv6 traffic are correctly encrypted.
