| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 31 Oct 2018 16:26:33 -0700
From: Christoph Paasch <cpaasch@...le.com>
To: netdev@...r.kernel.org
Cc: Ian Swett <ianswett@...gle.com>,
Leif Hedstrom <lhedstrom@...le.com>,
Jana Iyengar <jri.ietf@...il.com>
Subject: [RFC 0/2] Delayed binding of UDP sockets for Quic per-connection
sockets
Implementations of Quic might want to create a separate socket for each
Quic-connection by creating a connected UDP-socket.
To achieve that on the server-side, a "master-socket" needs to wait for
incoming new connections and then creates a new socket that will be a
connected UDP-socket. To create that latter one, the server needs to
first bind() and then connect(). However, after the bind() the server
might already receive traffic on that new socket that is unrelated to the
Quic-connection at hand. Only after the connect() a full 4-tuple match
is happening. So, one can't really create this kind of a server that has
a connected UDP-socket per Quic connection.
So, what is needed is an "atomic bind & connect" that basically
prevents any incoming traffic until the connect() call has been issued
at which point the full 4-tuple is known.
This patchset implements this functionality and exposes a socket-option
to do this.
Usage would be:
int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
int val = 1;
setsockopt(fd, SOL_SOCKET, SO_DELAYED_BIND, &val, sizeof(val));
bind(fd, (struct sockaddr *)&src, sizeof(src));
/* At this point, incoming traffic will never match on this socket */
connect(fd, (struct sockaddr *)&dst, sizeof(dst));
/* Only now incoming traffic will reach the socket */
There is literally an infinite number of ways on how to implement it,
which is why I first send it out as an RFC. With this approach here I
chose the least invasive one, just preventing the match on the incoming
path.
The reason for choosing a SOL_SOCKET socket-option and not at the
SOL_UDP-level is because that functionality actually could be useful for
other protocols as well. E.g., TCP wants to better use the full 4-tuple space
by binding to the source-IP and the destination-IP at the same time.
Feedback is very welcome!
Christoph Paasch (2):
net: Add new socket-option SO_DELAYED_BIND
udp: Support SO_DELAYED_BIND
arch/alpha/include/uapi/asm/socket.h | 2 ++
arch/ia64/include/uapi/asm/socket.h | 2 ++
arch/mips/include/uapi/asm/socket.h | 2 ++
arch/parisc/include/uapi/asm/socket.h | 2 ++
arch/s390/include/uapi/asm/socket.h | 2 ++
arch/sparc/include/uapi/asm/socket.h | 2 ++
arch/xtensa/include/uapi/asm/socket.h | 2 ++
include/net/sock.h | 1 +
include/uapi/asm-generic/socket.h | 2 ++
net/core/sock.c | 21 +++++++++++++++++++++
net/ipv4/datagram.c | 1 +
net/ipv4/udp.c | 3 +++
12 files changed, 42 insertions(+)
--
2.16.2
Powered by blists - more mailing lists