lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 28 Nov 2018 19:15:12 -0800
From:   Eric Dumazet <edumazet@...gle.com>
To:     jri.ietf@...il.com
Cc:     Christoph Paasch <cpaasch@...le.com>,
        netdev <netdev@...r.kernel.org>, Ian Swett <ianswett@...gle.com>,
        lhedstrom@...le.com
Subject: Re: [PATCH] udp: Allow to defer reception until connect() happened

On Wed, Nov 28, 2018 at 7:09 PM Jana Iyengar <jri.ietf@...il.com> wrote:
>
>
> On Wed, Nov 28, 2018 at 6:19 PM Eric Dumazet <edumazet@...gle.com> wrote:
>>
>> On Wed, Nov 28, 2018 at 5:57 PM Christoph Paasch <cpaasch@...le.com> wrote:
>> >
>> > There are use-cases where a host wants to use a UDP socket with a
>> > specific 4-tuple. The way to do this is to bind() and then connect() the
>> > socket. However, after the bind(), the socket starts receiving data even
>> > if it does not match the intended 4-tuple. That is because after the
>> > bind() UDP-socket will match in the lookup for all incoming UDP-traffic
>> > that has the specific IP/port.
>> >
>> > This patch prevents any incoming traffic until the connect() system-call
>> > is called whenever the app sets the UDP socket-option
>> > UDP_WAIT_FOR_CONNECT.
>>
>> Please do not add something that could mislead applications writers to
>> think UDP stack can scale.
>
>
>> UDP stack does not have a full hash on 4-tuples, it means that
>> incoming traffic on a 'shared port' has
>> to scan a list of XXX sockets to find the best match ...
>
>
>> Also you add another cache line miss in UDP lookup to access
>> udp_sk()->wait_for_connect.
>>
>> recvfrom() can be used to filter whatever frame that came before the connect()
>
>
> I don't think I understand that argument -- connect() is supported for UDP sockets, and UDP sockets are being used for serving QUIC traffic. Are you suggesting that connect() never be used?

If the source port is not shared, Christoph patch is not needed.

If it is shared, then a whole can of worm is opened.

Trying to hack UDP stack while it is not fully 4-tuple ready is not
going to fly.

Powered by blists - more mailing lists