lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 19 Feb 2019 16:36:55 +0000
From:   James Chapman <jchapman@...alix.com>
To:     t.martitz@....de
Cc:     davem@...emloft.net, netdev <netdev@...r.kernel.org>
Subject: Re: L2TPv3 offset

On 19/02/2019 13:09, t.martitz@....de wrote:
>
> Hello,
>
> thanks for your quick response.
>
> "James Chapman" <jchapman@...alix.com> schrieb am 19.02.2019 13:40:10:
>
> > Von: "James Chapman" <jchapman@...alix.com>
> > An: t.martitz@....de
> > Kopie: davem@...emloft.net, "netdev" <netdev@...r.kernel.org>
> > Datum: 19.02.2019 13:40
> > Betreff: Re: L2TPv3 offset
> >
> > On 19/02/2019 09:17, t.martitz@....de wrote:
> > >
> > > Hello,
> > >
> > > I saw that you removed the offset option from l2tp sessions in Linux
> > > 4.16 (commit 900631ee6a2651dc4fbaecb8ef9fa5f1e3378853 l2tp: remove
> > > configurable payload offset). Since we need something like that I'm
> > > reaching out to you.
> > >
> > Adding netdev.
> > >
> > >
> > > Our use case is pseudo-wire over l2tp, so we encapsulate ethernet
> > > within l2tpv3. This has lots of benifits for us, but one remarkable
> > > drawback is that the receiver, who's removing the encapsulation, will
> > > see a misaligned inner IP header.
> > >
> > > So we planned to use the offset to correct that. But I saw that the
> > > offset was removed not too long ago. Now I see that there is still
> > > "l2specific_len" / L2TP_ATTR_L2SPEC_LEN that we can use for pretty
> > > much the same purpose but I get the feeling that this should only be 0
> > > or 4 while we would need 2 or 6. I get this feeling because "ip l2tp"
> > > of the iproute2 package does not allow setting this at all and
> > > hardcodes 0 or 4 based on the type.
> > >
> > In L2TPv3, any payload offset would need to be implemented by defining a
> > new L2SpecificSublayer type since the L2TPv3 header has no offset field.
> > There are two standard L2TPv3 sublayers supported - None and Default.
> > These are fixed size (0 and 4 bytes respectively), hence the kernel now
> > ignores L2TP_ATTR_L2SPEC_LEN since the length can be derived from
> > L2TP_ATTR_L2SPEC_TYPE. For reference, the set of defined types are
> > listed at
> > https://www.iana.org/assignments/l2tp-parameters/l2tp-
> > parameters.xhtml#l2tp-parameters-37.
> > No L2SpecificSublayer type was ever defined for L2TPv3 to allow a
> > configurable payload offset in ethernet pseudowires.
>
>
> So are we the only ones to encapsulate Ethernet within L2TPv3? It's
> hard to believe.
>
No of course not.
>
>
> Because everytime a LCCE decapsulates such traffic it'll suffer from
> unaligned access to the inner IP header (likewise for the outer IP
> header when encapsulating). It's a fundamental assumption that the IP
> header is word-aligned in Linux so I'm surprised this isn't solved
> already. And now the only way "fix" without patching the kernel is
> being removed.
>
It was removed to prevent the possibility of sending non-compliant
L2TPv3 packets into the network. L2TPv3 allows for new
L2SpecificSublayer header types to be defined. It's a shame that one
hasn't been added to allow for this.

Are you using a CPU that can't do unaligned word accesses?

>
> >
> > So my question is what should we do know? Being based on removed
> > functionality is kind of bad, but we must fix the misaligned inner ip
> > header.
> > We control the sender and receiver so we could apply all kinds of
> > hacks, but we would rather find a solution compliant with the Internet
> > community.
> >
> If you really need to insert padding in transmitted L2TPv3 packets
> between the L2TPv3 header and its payload, one option is to define a new
> L2SpecificHeaderType and patch the kernel to accept it.
>
> If you control both the sender and receiver, is using FOU an option?
>

What does FOU refer to?

Foo-Over-UDP. See ip-fou(8).



Powered by blists - more mailing lists