| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Dec 2015 16:50:52 +0100
From: Maximilian Wilhelm <max@...2324.org>
To: netdev@...r.kernel.org
Subject: Re: [RFC] Stable interface index option
Anno domini 2015 Sowmini Varadhan scripsit:
> On (12/01/15 13:04), Maximilian Wilhelm wrote:
> > The reason we would like to have those is quite simple: As we operate
> > a somewhat larger network we would like to monitor it accordingly and
> > see when links get saturated etc. Therefore we used snmp based
> > solutions and the net-snmp daemon on all the boxes. Now SNMP uses
> > interface indexes for identifying the interfaces. If they aren't
> > stable the monitoring software will see a lot of new interfaces now
> > and then, e.g. after a OpenVPN server/client restarted (which is bad)
> > or even mix up interfaces (which is worse).
>
> FWIW, this is how router implementations such as cisco network OS-es
> deal with this issue- every interface has 2 32-bit integers associated
> with it, one is the "snmp-ifindex", conformant with rfc 2863,
> that never changes, and encodes positional information like slot#,
> chassis#, card type etc. This number is sparse (i.e., it
> is not necessarily a consecutive number space) Encoding is implementation
> specific, of course, and macros are supplied if you want to look into
> the encoding itself.
>
> the other number is the one used internally by the network stack,
> and is subject to frequent change, as interfaces come and go (up/down,
> virtual interfaces change etc). This is a packed number-space- next
> available index is handed to each interface as it comes up.
>
> SNMP mibs publish the first number, and apps can use that number
> to uniquely identify an interface.
>
> If there are enough apps that rely on an immutable index to identify
> an interface, it might be worthwhile to consider this type of approach.
I would assume that at least all snmp implementations and connected
system (libreNMS, Observium and the like) do.
> > + if (!dev->ifindex) {
> > + if (strcmp (dev->name, "gre_ffrl_fra_a") == 0) {
> > + ifindex = 23;
> > + } else if (strcmp (dev->name, "bb-pad-cr01") == 0) {
> > + ifindex = 42;
> > + }
>
> I'm not sure I understand how this would work- are we going to
> pin down the ifindex for some subset of interfaces?
I'm not sure what your idea is, but I guess we might mean the same
thing:
What I have in mind is that the user can supply a list of (ifname ->
ifindex) entries via a sysfs/procfs interface and if such a list is
present, the kernel will search the list for every ifname which is
registered and check if there is an entry. If there is, the ifindex
for this entry is used. If there is no entry found for the given
ifname, the usual algorithm is used (therefore inherently providing
backward compatibility).
What I'm not sure about is what to do if there is any entry in the
list but the ifindex is already in use. One option would be to fail
the register call because the user wanted this particular ifindex and
therefore is seen responsible for ensuring its availability. The other
option is to silenty fall back to the usual approach (as my hardcoded
hack currently does).
I hope I could clarify on my idea?
Kind regards
Max
--
"Du kannst die Grundlagen von C. Das einzige, was C++ Dir noch gibt, ist mehr Schmerz!
Und ein paar mehr Schrotflinten in die Hand..."
-- Matthias Bolte
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists