Monitoring IPSec encryption and decryption using Network Observability

2025, Jul 07    
Author(s): Mohamed S. Mahmoud

Monitoring IPsec Encryption and Decryption with eBPF

IPsec (Internet Protocol Security) is a widely used protocol suite that secures communication at the IP layer through authentication and encryption. While powerful, IPsec can be opaque—making it difficult to inspect or debug encrypted traffic, especially at the kernel level.

With eBPF (Extended Berkeley Packet Filter) and its dynamic tracing capabilities via kprobes and kretprobes, we can instrument IPsec-related kernel functions without modifying kernel source code or rebooting the system.

In this blog post, we'll show how to leverage eBPF to observe IPsec encryption and decryption processes in the Linux kernel.


Understanding IPsec Traffic

OpenShift uses Libreswan to handle IPsec encryption and decryption. The diagram below illustrates how an IPsec packet appears before and after encryption:

IPsec Packet Flow


1. Tracing IPsec Encryption

IPsec encryption transforms plaintext data into ciphertext to protect it from unauthorized access.

To monitor this process with eBPF:

  • Set a kprobe on the xfrm_output function to trace when encryption is initiated.
  • Set a kretprobe on the same function to capture its return value and extract flow metadata, allowing us to determine whether encryption was successful.

2. Tracing IPsec Decryption

IPsec decryption converts ciphertext back into plaintext.

To monitor decryption:

  • Set a kprobe on the xfrm_input function to trace when decryption is triggered.
  • Use a kretprobe on xfrm_input to capture the return code and associated flow information, helping determine success or failure.

The following diagram shows how IPsec packets are processed at the eBPF layer, and how the NetObserv flow record is created and updated to reflect the IPsec packet processing status:

IPsec eBPF packet processing


Network Observability Enrichment

With eBPF instrumentation, NetObserv enriches flow records with two fields related to IPsec operations:

  • ipsec_encrypted_ret: Contains the kernel return code from the encryption/decryption function.
  • ipsec_encrypted: A boolean indicator (1 = success, 0 = failure) representing whether encryption or decryption was completed successfully.

IPsec Insights

The NetObserv user interface offers detailed visibility into IPsec operations through enriched flow records:

IPsec Flows in UI

Additionally, the traffic overview section provides insights into the percentage of IPsec traffic, along with per-node statistics for IPsec flow rates.

IPsec Flows Overview
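To show how the two enrichment fields are consumed in practice, here is an added Python example (not NetObserv's own code) that reads a constructed batch of flow records, computes the share of IPsec traffic and the per-node success/failure counts that the overview presents, and decodes failed return codes. The SrcK8S_HostName and Bytes field names, and the assumption that ipsec_encrypted_ret carries a negative errno value on failure (the usual Linux kernel convention), are assumptions of this example.

```python
import errno
import json
from collections import defaultdict

# Constructed sample of NetObserv flow records as JSON lines. ipsec_encrypted and
# ipsec_encrypted_ret are the fields described above; SrcK8S_HostName and Bytes
# are assumed field names. The fourth record never went through xfrm at all.
SAMPLE_FLOWS = """
{"SrcK8S_HostName": "node-a", "Bytes": 4000, "ipsec_encrypted": 1, "ipsec_encrypted_ret": 0}
{"SrcK8S_HostName": "node-a", "Bytes": 1200, "ipsec_encrypted": 0, "ipsec_encrypted_ret": -22}
{"SrcK8S_HostName": "node-b", "Bytes": 800, "ipsec_encrypted": 1, "ipsec_encrypted_ret": 0}
{"SrcK8S_HostName": "node-b", "Bytes": 500}
{"SrcK8S_HostName": "node-c", "Bytes": 300, "ipsec_encrypted": 0, "ipsec_encrypted_ret": -1}
"""


def parse_flows(text):
    """Parse JSON-lines flow export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ipsec_summary(flows):
    """Return the IPsec traffic percentage (by bytes) and per-node outcome counts."""
    total_bytes = 0
    ipsec_bytes = 0
    per_node = defaultdict(lambda: {"ok": 0, "failed": 0, "ret_codes": defaultdict(int)})
    for flow in flows:
        size = flow.get("Bytes", 0)
        total_bytes += size
        if "ipsec_encrypted" not in flow:
            continue  # plain flow: no xfrm_output/xfrm_input probe fired for it
        ipsec_bytes += size
        node = per_node[flow.get("SrcK8S_HostName", "unknown")]
        if flow["ipsec_encrypted"] == 1:
            node["ok"] += 1
        else:
            node["failed"] += 1
            ret = flow.get("ipsec_encrypted_ret", 0)
            # Assumption: a failing kernel return code is a negative errno value.
            node["ret_codes"][errno.errorcode.get(-ret, f"ret={ret}")] += 1
    pct = round(100.0 * ipsec_bytes / total_bytes, 1) if total_bytes else 0.0
    return {
        "ipsec_traffic_percent": pct,
        "per_node": {n: {**c, "ret_codes": dict(c["ret_codes"])} for n, c in per_node.items()},
    }


def nodes_with_failures(summary):
    """Map each node that saw at least one failed IPsec operation to its failure rate."""
    return {
        n: c["failed"] / (c["ok"] + c["failed"])
        for n, c in summary["per_node"].items()
        if c["failed"] > 0
    }
```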


Enabling IPsec Monitoring

To activate IPsec tracing, update the FlowCollector configuration as follows:

apiVersion: flows.netobserv.io/v1beta2
kind: FlowCollector
metadata:
  name: cluster
spec:
  agent:
    type: EBPF
    ebpf:
      features:
        - IPSec

Availability

The IPsec feature is available in NetObserv release 1.9.

Conclusion

Network Observability with eBPF provides a powerful way to monitor IPsec encryption and decryption operations in the Linux kernel. By using kprobe and kretprobe, we can dynamically insert probes into IPsec-related kernel functions without modifying kernel source code or requiring system reboots.

Feedback

We hope you liked this article! NetObserv is an open source project available on GitHub. Feel free to share your ideas and use cases, or ask the community for help.