Date:   Thu, 1 Dec 2016 17:06:04 +0100
From:   Florian Westphal <fw@...len.de>
To:     Thomas Graf <tgraf@...g.ch>
Cc:     Florian Westphal <fw@...len.de>, netdev@...r.kernel.org
Subject: Re: [flamebait] xdp, well meaning but pointless

Thomas Graf <tgraf@...g.ch> wrote:
> On 12/01/16 at 10:11am, Florian Westphal wrote:
> > Aside from this, XDP, like DPDK, is a kernel bypass.
> > You might say 'It's just stack bypass, not a kernel bypass!'.
> > But what does that mean exactly?  That packets can still be passed
> > onward to normal stack?
> > Bypass solutions like netmap can also inject packets back to
> > kernel stack again.
> 
> I have a fundamental issue with the approach of exporting packets into
> user space and reinjecting them: Once the packet leaves the kernel,
> any security guarantees are off. I have no control over what is
> running in user space and whether whatever listener up there has been
> compromised or not. To me, that's a no go, in particular for servers
> hosting multi-tenant workloads. This is one of the main reasons why
> XDP, in particular in combination with BPF, is very interesting to me.

Funny, I see it exactly the other way around :)

To me, a packet coming from this "userspace injection" is no different than
a tun/tap, or any other packet coming from the network.

I see no change or increase in attack surface.
