| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 09 Jul 2015 20:12:13 -0600 From: David Ahern <dsa@...ulusnetworks.com> To: "Eric W. Biederman" <ebiederm@...ssion.com>, Sowmini Varadhan <sowmini05@...il.com> CC: netdev <netdev@...r.kernel.org>, Shrijeet Mukherjee <shm@...ulusnetworks.com>, Roopa Prabhu <roopa@...ulusnetworks.com>, Andy Gospodarek <gospo@...ulusnetworks.com>, jtoppins@...ulusnetworks.com, nikolay@...ulusnetworks.com, ddutt@...ulusnetworks.com, Hannes Frederic Sowa <hannes@...essinduktion.org>, Nicolas Dichtel <nicolas.dichtel@...nd.com>, Stephen Hemminger <stephen@...workplumber.org>, hadi@...atatu.com, David Miller <davem@...emloft.net> Subject: Re: [RFC net-next 3/6] net: Introduce VRF device driver - v2 On 7/9/15 7:36 PM, Eric W. Biederman wrote: > Sowmini Varadhan <sowmini05@...il.com> writes: > >> On Thu, Jul 9, 2015 at 7:19 PM, David Ahern <dsa@...ulusnetworks.com> wrote: >> >>> On the to-do list to use cmsg to specify a VRF for outbound packets using >>> non-connected sockets. I do not believe it is going to work, but need to >>> look into it. >>> >>>> What about setting ipsec policy for interfaces in the vrf? >> >> From a purely parochial standpoint, how would rds sockets work in this model? >> Would the tcp encaps happen before or after the the vrf "driver" output? >> Same problem for NFS. >> >> From a non-parochial standpoint. There are a *lot* of routing apps that actually >> need more visibility into many details about the "slave" interface: e.g., OSPF, >> ARP snoop, IPSLA.. the list is pretty long. >> >> I think it's a bad idea to use a "driver" to represent a table lookup. Too many >> hacks will become necessary. > > With respect to sockets there is also the issue that ip addresses are > not per vrf. IP addresses are per interface and interfaces are uniquely assigned to a VRF so why do you think IP addresses are not per VRF? > Which means things like packet fragmentation reassembly > can easily do the wrong thing. Similarly things like the xfrm for ipsec > tunnels are not hooked into this mix. > > So I really do not see how this VRF/MRF thing as designed can support > general purpose sockets. I am not certain it can correctly support any > kind of socket except perhaps SOCK_RAW. Sockets bound to the VRF device work properly. Why do you think they won't? > > Which strongly suggests to me you can leave off the magic network device > and simply add the fib_lookup logic that finds the base fib table by > looking at the in coming network device. That seems a whole lot simpler > and a whole lot less surprising. The better routing will work and > people playing with sockets will clearly see the dangers. I believe Hannes is looking at that approach. Hopefully patches will be available soon to have more meaningful conversations (e.g., LPC). As we move along with working patch sets we can compare and contrast the 2 models -- what features do each enable and at what cost. David -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists