lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <526A2B8F.4030700@alphalink.fr>
Date:	Fri, 25 Oct 2013 10:27:59 +0200
From:	François Cachereul <f.cachereul@...halink.fr>
To:	James Chapman <jchapman@...alix.com>
CC:	Benjamin LaHaise <bcrl@...ck.org>,
	Paul Mackerras <paulus@...ba.org>, netdev@...r.kernel.org,
	linux-ppp@...r.kernel.org
Subject: Re: [RFC PATCH net-next] ppp: Allow ppp device connected to an l2tp
 session to change of namespace

On 10/24/2013 06:51 PM, James Chapman wrote:
> On 24/10/13 16:53, Benjamin LaHaise wrote:
>> On Thu, Oct 24, 2013 at 04:43:42PM +0100, James Chapman wrote:
>>> I'm thinking about the implications of a skb in the net namespace of the
>>> ppp interface passing through a tunnel socket which is in another
>>> namespace. I think net namespaces are completely isolated.
>>>
>>> To keep your ppp interfaces isolated from each other, have you
>>> considered using netfilter to prevent data being passed between ppp
>>> interfaces?
>>
>> Using network namespaces for this is far more efficient.  We've already 
>> added support for doing this to other tunneling interfaces.  This approach 
>> also makes creating VPNs where there is re-use of the private address space 
>> between different customers far easier to implement.
>>
>> 		-ben
> 
> Yes, it's definitely more efficient and potentially useful, I agree.
> 
> But unlike the other tunneling interfaces for which this has already
> been done, L2TP uses a socket for its tunnel and a skb will cross net
> namespace boundaries while passing through the socket. I remember a
> similar discussion came up several months ago with vxlan which also uses
> UDP sockets. See http://www.spinics.net/lists/netdev/msg221498.html.
> 
> Changing the behaviour of ppp interfaces only when they are created by
> l2tp feels wrong to me, unless it is the first step in doing the same
> for all ppp interfaces.


I agree, I only took care of l2TP first because it seemed safe and that's
why I posted the patch as RFC in the first place.

François
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ