lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 13 Dec 2021 14:31:47 +0200
From:   Vladimir Oltean <olteanv@...il.com>
To:     Richard Cochran <richardcochran@...il.com>
Cc:     Jakub Kicinski <kuba@...nel.org>,
        Tobias Waldekranz <tobias@...dekranz.com>,
        Kurt Kanzenbach <kurt@...-computers.de>,
        Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next v1] net: dsa: mv88e6xxx: Trap PTP traffic

Hi Richard,

On Mon, Dec 13, 2021 at 04:10:45AM -0800, Richard Cochran wrote:
> On Sat, Dec 11, 2021 at 07:39:26AM -0800, Richard Cochran wrote:
> > On Fri, Dec 10, 2021 at 09:14:10PM -0800, Jakub Kicinski wrote:
> > > On Fri, 10 Dec 2021 01:07:59 +0100 Tobias Waldekranz wrote:
> > > > Do we know how PTP is supposed to work in relation to things like STP?
> > > > I.e should you be able to run PTP over a link that is currently in
> > > > blocking?
> > > 
> > > Not sure if I'm missing the real question but IIRC the standard
> > > calls out that PTP clock distribution tree can be different that
> > > the STP tree, ergo PTP ignores STP forwarding state.
> > 
> > That is correct.  The PTP will form its own spanning tree, and that
> > might be different than the STP.  In fact, the Layer2 PTP messages
> > have special MAC addresses that are supposed to be sent
> > unconditionally, even over blocked ports.
> 
> Let me correct that statement.
> 
> I looked at 1588 again, and for E2E TC it states, "All PTP version 2
> messages shall be forwarded according to the addressing rules of the
> network."  I suppose that includes the STP state.
> 
> For P2P TC, there is an exception that the peer delay messages are not
> forwarded.  These are generated and consumed by the switch.
> 
> The PTP spanning tree still is formed by the Boundary Clocks (BC), and
> a Transparent Clock (TC) does not participate in forming the PTP
> spanning tree.
> 
> What does this mean for Linux DSA switch drivers?
> 
> 1. All incoming PTP frames should be forwarded to the CPU port, so
>    that the software stack may perform its BC or TC functions.
> 
> 2. When used as a BC, the PTP frames sent from the CPU port should not
>    be dropped.
> 
> 3. When used as a TC, PTP frames sent from the CPU port can be dropped
>    on blocked external ports, except for the Peer Delay messages.
> 
> Now maybe a particular switch implementation makes it hard to form
> rules for #3 that still work for UDP over IPv4/6.

With other drivers, all packets injected from the CPU port act as if in
"god mode", bypassing any STP state. It then becomes the responsibility
of the software to not send packets on a port that is blocking,
except for packets for control protocols. Would you agree that ptp4l
should consider monitoring whether its ports are under a bridge, and
what STP state that bridge port is in? I think this isn't even specific
to DSA, the same thing would happen with software bridging: packets sent
through sockets opened on the bridge would have egress prevented on
blocking ports by virtue of the bridge driver code, but packets sent
through sockets opened on the bridge port directly, I don't think the
bridge driver has any saying about the STP state. So similarly, it
becomes the application's responsibility.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ