Date:	Tue, 1 Dec 2015 13:04:20 +0100
From:	Maximilian Wilhelm <max@...2324.org>
To:	netdev@...r.kernel.org
Subject: [RFC] Stable interface index option

Hi,

we are operating some free wifi networks (»Freifunk« in Germany)
including a backbone in the DFZ all running on Linux boxes, thanks to
all the cool stuff available there! :)

For a while now we have been struggling with unstable/random interface
indexes as our interfaces (GRE tunnels, OpenVPN/Tinc tunnels, etc.)
come and go as users come and go and are obviously rearranged after a
reboot because of nondeterministic startup behaviour of services.

Arguably we could force the interface indexes of GRE tunnels and
OpenVPN interfaces to be stable when creating them manually and not
rely on the infrastructure provided by the distribution (Debian in
most cases). That would fix some of our problems, but currently I
don't see a way to create tinc interfaces or even l2tp interfaces this
way with stable indexes.

The reason we would like to have those is quite simple: As we operate
a somewhat larger network we would like to monitor it accordingly and
see when links get saturated etc. Therefore we used SNMP-based
solutions and the net-snmp daemon on all the boxes. Now SNMP uses
interface indexes for identifying the interfaces. If they aren't
stable the monitoring software will see a lot of new interfaces now
and then, e.g. after an OpenVPN server/client restarted (which is bad)
or even mix up interfaces (which is worse).

As the first approach of hacking the net-snmp daemon to map the
interface ids of interfaces with certain names to stable ids got messy
and doesn't seem suitable we thought about solving the "underlying
problem" and adding some mechanism for stable ids to the kernel. As there
already is an option to netlink/iproute to create certain interfaces
with a given index that seems like a nice way to go.

A proof of concept hack (see attached patch) works fine for me. The
idea I would propose would be to add some kind of bind/unbind
interface like for device drivers by which a user could add/remove and
in addition to driver bindings view the current "ifname -> ifindex"
bindings. I would assume that would best be done in sysfs? While
digging around a bit I didn't find a useful place where to place these
and I didn't find the relevant pieces of code where this is done to
add some PoC therefore as well.

I believe this would be a nice optional feature (I would assume this
would be something one could activate in Kconfig) to aid people using
Linux for heavy networking stuff. Any thoughts and hints on this?

At [42] you can see a console log showing the code works as intended.

Thanks in advance and best regards
Max

[42] http://files.rfc2324.org/kernel/stable_ifindexes/stable_ifindexes.txt
-- 
"I have to admit I've always suspected that MTBWTF would be a more useful
 metric of real-world performance."
 -- Valdis Kletnieks on NANOG

View attachment "stable_ifindexes_poc.patch" of type "text/x-diff" (1072 bytes)
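
The two monitoring failures the message describes (an interface reappearing under a new index, and an index being taken over by a different interface) can be detected by comparing two snapshots of `ip -o link show`. The following is an added example, not part of the original message or its patch; the interface names and sample output are constructed, and the function names are hypothetical.

```python
import re

# Start of one `ip -o link show` record, e.g. "7: gre-peer1@NONE: <...".
LINK_RE = re.compile(r"^(\d+):\s+([^:@\s]+)(?:@[^:\s]+)?:")

def parse_links(text):
    """Return {ifname: ifindex} parsed from `ip -o link show` output."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            links[m.group(2)] = int(m.group(1))
    return links

def classify_drift(before, after):
    """Compare two snapshots the way an ifIndex-keyed poller experiences them."""
    owner_before = {idx: name for name, idx in before.items()}
    renumbered, mixed_up = [], []
    for name, idx in sorted(after.items()):
        old_idx = before.get(name)
        if old_idx is not None and old_idx != idx:
            # Same interface, new index: the poller sees a "new" interface.
            renumbered.append((name, old_idx, idx))
        prev_owner = owner_before.get(idx)
        if prev_owner is not None and prev_owner != name:
            # Index reused by another interface: old graphs get wrong data.
            mixed_up.append((idx, prev_owner, name))
    return {"renumbered": renumbered, "mixed_up": mixed_up}

# Constructed sample output before and after a tunnel restart (not a capture).
BEFORE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
7: gre-peer1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
8: tun-ovpn0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
"""
AFTER = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
7: tun-ovpn0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
9: gre-peer1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
"""

if __name__ == "__main__":
    report = classify_drift(parse_links(BEFORE), parse_links(AFTER))
    for kind, items in report.items():
        print(kind, items)
```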
