Replies: 5 comments
-
Hi, not a direct solution, but what do you think of using terraform with a custom provider for managing your entire cluster's certificates? A terraform module is also available for quick setup. The module will throw an error if duplicate IPs are detected in the input variable. Examples of input variables are here
-
Thank you for pointing me towards this new terraform module! I already have a script to generate certs that checks for duplicate IPs, but the terraform module will be much better than my script. It doesn't really solve my problem though; in my case someone also recently cloned a VM that already contained a cert to test something... So ideally I'd like to check for duplicates with our monitoring/alerting tool.
-
Has this issue been resolved?
-
No, there is nothing preventing 2 nodes connecting with the same certificate. I understand now that it's probably impossible to fix... How could a lighthouse detect that a client is reusing the same cert as a previous one? The only thing that would be different would be the client public IP, but that can just be the old client changing its IP... It's similar to the duplicate IPs problem in a LAN, but there is no ARP broadcast in the nebula layer :)
-
Converting this to a discussion, as it's not a bug, and there's no clear way to do this, for the reasons @theblop laid out. I was thinking one way you might achieve this is to have the Lighthouse track fingerprints associated with Nebula IPs; if you see flapping between two fingerprints, that could indicate duplicate Nebula IPs. However, it doesn't help with the "cloned VM" problem @theblop described. Another technique I've seen used before is to store a rolling counter on clients, and have them send it to the server when connecting. If the server ever sees a lower value than has been reported previously, it's likely that the cert has been copied. Although it's also possible that, for example, a backup was restored.
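The two heuristics described in the comment above, worked through as an added example. This is not code from the discussion and not Nebula's own code: Nebula's lighthouse does not emit a per-handshake record like `HandshakeEvent`, and the `Counter` field is a hypothetical client-side rolling counter that nodes would have to be extended to send. The event sequence in `SampleEvents` is constructed to show both signals: one overlay IP alternating between two certificates (the duplicate-IP mistake), and one certificate whose counter goes backwards (a cloned VM coming up with a copied cert), next to a plain one-time reissue that must not alert.

```go
package main

import "fmt"

// HandshakeEvent is one record a lighthouse could log when a node connects.
// Constructed for this example: Nebula's lighthouse does not emit such a
// record today, and Counter is a hypothetical client-side rolling counter
// that a node would send on connect (not something Nebula sends).
type HandshakeEvent struct {
	VpnIP       string // overlay IP from the node's certificate
	Fingerprint string // certificate fingerprint (e.g. SHA-256 of the cert)
	Counter     uint64 // hypothetical monotonic per-installation counter
}

// Alert is one suspicious condition found by the Detector.
type Alert struct {
	Kind   string // "fingerprint-flap" or "counter-regression"
	VpnIP  string
	Detail string
}

// Detector tracks state per overlay IP and per certificate to spot:
//   - one Nebula IP alternating between certificates it has used before,
//     which points at two certs issued for the same IP;
//   - a counter going backwards for one certificate, which points at a
//     copied cert (cloned VM). A restored backup produces the same signal,
//     so treat it as a lead to investigate, not proof.
type Detector struct {
	lastFP      map[string]string          // vpnIP -> fingerprint seen last
	seenFP      map[string]map[string]bool // vpnIP -> fingerprints ever seen
	lastCounter map[string]uint64          // fingerprint -> highest counter seen
}

func NewDetector() *Detector {
	return &Detector{
		lastFP:      map[string]string{},
		seenFP:      map[string]map[string]bool{},
		lastCounter: map[string]uint64{},
	}
}

// Observe feeds one event and returns any alerts it triggers.
func (d *Detector) Observe(ev HandshakeEvent) []Alert {
	var alerts []Alert

	// Fingerprint tracking. A single change A->B looks like a legitimate
	// reissue; only a switch back to a fingerprint seen earlier is flapping.
	if d.seenFP[ev.VpnIP] == nil {
		d.seenFP[ev.VpnIP] = map[string]bool{}
	}
	if prev, ok := d.lastFP[ev.VpnIP]; ok && prev != ev.Fingerprint && d.seenFP[ev.VpnIP][ev.Fingerprint] {
		alerts = append(alerts, Alert{
			Kind: "fingerprint-flap", VpnIP: ev.VpnIP,
			Detail: fmt.Sprintf("cert %s -> %s, both seen before for this IP", prev, ev.Fingerprint),
		})
	}
	d.seenFP[ev.VpnIP][ev.Fingerprint] = true
	d.lastFP[ev.VpnIP] = ev.Fingerprint

	// Counter tracking, keyed by certificate: two nodes sharing one cert
	// cannot both keep the counter moving forward. The high-water mark is
	// kept on regression so a clone cannot "reset" the baseline.
	if last, ok := d.lastCounter[ev.Fingerprint]; ok && ev.Counter < last {
		alerts = append(alerts, Alert{
			Kind: "counter-regression", VpnIP: ev.VpnIP,
			Detail: fmt.Sprintf("cert %s reported counter %d after %d", ev.Fingerprint, ev.Counter, last),
		})
	} else {
		d.lastCounter[ev.Fingerprint] = ev.Counter
	}
	return alerts
}

// Run replays a sequence of events through a fresh Detector and collects alerts.
func Run(events []HandshakeEvent) []Alert {
	d := NewDetector()
	var out []Alert
	for _, ev := range events {
		out = append(out, d.Observe(ev)...)
	}
	return out
}

// SampleEvents is a constructed sequence: 10.1.1.5 was issued two certs
// (the duplicate-IP mistake), 10.1.1.9 has a cloned VM using a copied cert,
// and 10.1.1.20 simply had its cert reissued once.
func SampleEvents() []HandshakeEvent {
	return []HandshakeEvent{
		{"10.1.1.5", "fp-A", 1}, {"10.1.1.5", "fp-B", 1},
		{"10.1.1.5", "fp-A", 2}, {"10.1.1.5", "fp-B", 2},
		{"10.1.1.9", "fp-C", 40}, {"10.1.1.9", "fp-C", 41},
		{"10.1.1.9", "fp-C", 17}, // snapshot clone came up with an old counter
		{"10.1.1.20", "fp-D", 5}, {"10.1.1.20", "fp-E", 6},
	}
}

func main() {
	for _, a := range Run(SampleEvents()) {
		fmt.Printf("%-18s %-10s %s\n", a.Kind, a.VpnIP, a.Detail)
	}
}
```

On the sample input this reports two fingerprint flaps for 10.1.1.5 and one counter regression for fp-C on 10.1.1.9, and nothing for the reissue on 10.1.1.20. Both checks are heuristics: the flap check only fires once an IP returns to a certificate it used before, so it stays quiet on a clean reissue but also stays quiet while two certs merely coexist without alternating, and the counter check cannot tell a cloned VM from a restored backup, as the comment notes.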
-
I recently had a problem that took me a while to debug: I mistakenly configured 2 nebula certs with the same IP and this (unsurprisingly) resulted in random connection problems to applications running on these servers.
Is there a way to detect if the same IP is configured on more than one node from inside the mesh?
Maybe a nebula network summary view from the command line?