Message-ID: <82aa82df-e378-4cf8-a296-1ebd1ab14413@openvpn.net>
Date: Wed, 5 Mar 2025 01:19:43 +0100
From: Antonio Quartulli <antonio@...nvpn.net>
To: Sabrina Dubroca <sd@...asysnail.net>
Cc: netdev@...r.kernel.org, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Donald Hunter <donald.hunter@...il.com>, Shuah Khan <shuah@...nel.org>,
 ryazanov.s.a@...il.com, Andrew Lunn <andrew+netdev@...n.ch>,
 Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org,
 linux-kselftest@...r.kernel.org, Xiao Liang <shaw.leon@...il.com>
Subject: Re: [PATCH v21 18/24] ovpn: add support for peer floating



On 05/03/2025 00:19, Antonio Quartulli wrote:
> On 04/03/2025 19:37, Sabrina Dubroca wrote:
>> 2025-03-04, 01:33:48 +0100, Antonio Quartulli wrote:
>>> A peer connected via UDP may change its IP address without reconnecting
>>> (float).
>>
>> Should that trigger a reset of the peer->dst_cache? And same when
>> userspace updates the remote address? Otherwise it seems we could be
>> stuck with a cached dst that cannot reach the peer.
> 
> Yeah, that makes sense, otherwise ovpn_udpX_output would just try over
> and over to re-use the cached source address (unless it becomes
> unavailable).

I spent some more time thinking about this.
It makes sense to reset the dst cache when the local address changes, 
but not in case of float (remote address changed).

That's because we always want to first attempt sending packets using the 
address where the remote peer sent the traffic to.
Should that not work (quite rare), then we have code in ovpn_udpX_output 
that will reset the cache and attempt a different address.


Cheers,


-- 
Antonio Quartulli
OpenVPN Inc.