lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <eaf3d0d8-fca2-029e-9c57-ddae31f17726@funlab.cc>
Date:   Sat, 26 Aug 2023 21:55:30 +0200
From:   Volodymyr Litovka <doka@...lab.cc>
To:     linux-kernel@...r.kernel.org
Cc:     doka@...lab.cc
Subject: [Networking] ERSPAN decapsulation drops DHCP unicast packets

Hi colleagues,

I'm trying to catch and process (in 3rd party analytics app) DHCP 
packets from ERSPAN session, but cannot do this due to absence of DHCP 
unicast packets after decapsulation.

The model is pretty simple: there is PHY interface (enp2s0) which 
receive ERSPAN traffic and erspan-type interface to get decapsulated 
packets (inspan, created using command "ip link add inspan type erspan 
seq key 10 local 10.171.165.65 erspan_ver 1", where 10.171.165.65 is 
ERSPAN target). Then I'm going to rewrite headers in the proper ways 
(nftable's netdev family) and forward packets to the pool of workers.

Having this, I'm expecting everything, which is encapsulated inside 
ERSPAN, on 'inspan' interface. And there is _almost_ everything except 
DHCP unicast packets - tcpdump shows about 1kps on this interface of 
decapsulated packets, but no DHCP unicast (see below traces).

To avoid any interactions, I removed and disabled everything that can 
catch DHCP in userspace - systemd-networkd, netplan, dhcp-client. There 
is no DHCP server and ifupdown - for test purposes, I'm bringing 
networking manually. Apparmor disabled as well. Kernel (Linux 
5.19.0-42-generic #43~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC) compiled 
without CONFIG_IP_PNP (according to /boot/config-5.19.0-42-generic). 
Nothing in userspace listens on UDP/68 and UDP/67:

# netstat -tunlpa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         
State       PID/Program name
tcp        0      0 0.0.0.0:22 0.0.0.0:*               LISTEN      
544/sshd: /usr/sbin
tcp6       0      0 :::22 :::*                    LISTEN      544/sshd: 
/usr/sbin

I have no ideas, why this is happening. Decapsulation itself works, but 
particular kind of packets get lost.

I will appreciate if anyone can help me understand where is the bug - in 
my configuration or somewhere inside the kernel?

Evidence of traffic presence/absence is below.

Thank you.

Encapsulated ERSPAN session (udp and port 67/68) contains lot of 
different kinds of DHCP packets:

# tcpdump -s0 -w- -i enp2s0 'proto gre and ether[73:1]=17 and 
(ether[84:2]=67 or ether[84:2]=68)' | tshark -r- -l
  [ ... ]
     7   0.001942  0.0.0.0 → 255.255.255.255 DHCP 392 DHCP Discover - 
Transaction ID 0x25c096fc
     8   0.003432  z.z.z.z → a.a.a.a         DHCP 418 DHCP ACK      - 
Transaction ID 0x5515126a
     9   0.005170  m.m.m.m → z.z.z.z         DHCP 435 DHCP Discover - 
Transaction ID 0xa7b7
    10   0.005171  m.m.m.m → z.z.z.z         DHCP 435 DHCP Discover - 
Transaction ID 0xa7b7
    11   0.015399  n.n.n.n → z.z.z.z         DHCP 690 DHCP Request  - 
Transaction ID 0x54955233
    12   0.025537  z.z.z.z → n.n.n.n         DHCP 420 DHCP ACK      - 
Transaction ID 0x54955233
    13   0.030313  z.z.z.z → m.m.m.m         DHCP 413 DHCP Offer    - 
Transaction ID 0xa7b7

but decapsulated traffic (which I'm seeing on inspan interface) contains 
just the following:

# tcpdump -i inspan 'port 67 or port 68'
listening on inspan, link-type EN10MB (Ethernet), snapshot length 262144 
bytes
17:23:36.540721 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, 
Request from 00:1a:64:33:8d:fa (oui Unknown), length 300
17:23:39.760036 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, 
Request from 00:1a:64:33:8d:fa (oui Unknown), length 300
17:23:44.135711 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, 
Request from 00:1a:64:33:8d:fa (oui Unknown), length 300
17:23:52.008504 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, 
Request from 00:1a:64:33:8d:fa (oui Unknown), length 300

Thanks again for the help.


-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ