lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 22 Oct 2009 19:53:50 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Jay Vosburgh <fubar@...ibm.com>
CC:	Jasper Spaans <spaans@...-it.com>, netdev@...r.kernel.org
Subject: Re: bridging + load balancing bonding

Jay Vosburgh a écrit :

> 	By "packets from one flow" do you really mean that packets from
> a given "flow" (TCP connection, UDP "stream", etc) are not always
> delivered to the same bonding port?  I.e., that two packets from the
> same "flow" will be delivered to different ports?  I'm not sure how
> that's possible unless the source MAC in the packets changes during the
> course of the flow.
> 
> 	Or is your problem really that the balance algorithm on the
> bonding send side doesn't match the algorithm used on the other side of
> the IDS machines coming the other direction (and, thus, packets for a
> given flow going in one direction end up at a different IDS than the
> packets going the other direction)?
> 

Yes this is probably Jasper problem : catch both direction on same IDS target

Say you have machine A with MAC address MAC_A
and machine B with MAC address MAC_B
(I suspect asymetric routing on A or B is out of the question :) )

A tcp / udp/ whatever protocol flow is running between these two machines

When machine A sends a frame to machine B, Jasper machine
receives a copy of this frame, with eth->src = MAC_A and eth->dst = MAC_B

With current xor algo, we perform a hash on (bond->dev_addr[5] ^ MAC_B[5])  -> IDS X

When machine B sends a frame to machine A, Jasper machine
receives a copy of this frame, with eth->src = MAC_B and eth->dst = MAC_A

With current xor algo, we peform a hash on (bond->dev_addr[5] ^ MAC_A[5])  -> possibly other IDS Y


With his fix, algo is a commutative hash (MAC_A[5] ^ MAC_B[5]) ==  (MAC_B[5] ^ MAC_A[5])



I suspect multicast/broadcast trafic should be sent to both IDS, so bonding might be inappropriate anyway...

an iptables solution might be more powerfull
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ