Date:   Wed, 24 Jun 2020 21:23:07 +0200
From:   Justin Iurman <justin.iurman@...ege.be>
To:     netdev@...r.kernel.org
Cc:     davem@...emloft.net, justin.iurman@...ege.be
Subject: [PATCH net-next 2/5] ipv6: IOAM tunnel decapsulation

Implement the IOAM egress behavior.

According to RFC 8200:
"Extension headers (except for the Hop-by-Hop Options header) are not
 processed, inserted, or deleted by any node along a packet's delivery
 path, until the packet reaches the node (or each of the set of nodes,
 in the case of multicast) identified in the Destination Address field
 of the IPv6 header."

Therefore, an ingress node (an IOAM domain border) must encapsulate an
incoming IPv6 packet with another similar IPv6 header that will contain
IOAM data while it traverses the domain. When leaving, the egress node,
another IOAM domain border which is also the tunnel destination, must
decapsulate the packet.

Signed-off-by: Justin Iurman <justin.iurman@...ege.be>
---
 include/linux/ipv6.h |  1 +
 net/ipv6/ip6_input.c | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 2cb445a8fc9e..5312a718bc7a 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -138,6 +138,7 @@ struct inet6_skb_parm {
 #define IP6SKB_HOPBYHOP        32
 #define IP6SKB_L3SLAVE         64
 #define IP6SKB_JUMBOGRAM      128
+#define IP6SKB_IOAM           256
 };
 
 #if defined(CONFIG_NET_L3_MASTER_DEV)
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index e96304d8a4a7..8cf75cc5e806 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -361,9 +361,11 @@ INDIRECT_CALLABLE_DECLARE(int tcp_v6_rcv(struct sk_buff *));
 void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,
 			      bool have_final)
 {
+	struct inet6_skb_parm *opt = IP6CB(skb);
 	const struct inet6_protocol *ipprot;
 	struct inet6_dev *idev;
 	unsigned int nhoff;
+	u8 hop_limit;
 	bool raw;
 
 	/*
@@ -450,6 +452,25 @@ void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,
 	} else {
 		if (!raw) {
 			if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+				/* IOAM Tunnel Decapsulation
+				 * Packet is going to re-enter the stack
+				 */
+				if (nexthdr == NEXTHDR_IPV6 &&
+				    (opt->flags & IP6SKB_IOAM)) {
+					hop_limit = ipv6_hdr(skb)->hop_limit;
+
+					skb_reset_network_header(skb);
+					skb_reset_transport_header(skb);
+					skb->encapsulation = 0;
+
+					ipv6_hdr(skb)->hop_limit = hop_limit;
+					__skb_tunnel_rx(skb, skb->dev,
+							dev_net(skb->dev));
+
+					netif_rx(skb);
+					goto out;
+				}
+
 				__IP6_INC_STATS(net, idev,
 						IPSTATS_MIB_INUNKNOWNPROTOS);
 				icmpv6_send(skb, ICMPV6_PARAMPROB,
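Review bot: In the added IOAM branch, `ipv6_hdr(skb)->hop_limit = hop_limit;` writes into what is presumably the inner header right after `skb_reset_network_header(skb)`, with no check that a full inner IPv6 header is present in the linear data. A truncated inner packet could therefore cause a write outside the valid data. A guard such as `if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) goto discard;` before the reset would cover this, and because the header is modified in place, a writability check (e.g. `skb_ensure_writable()`) looks warranted if the skb can be cloned here. The branch is gated only on `nexthdr == NEXTHDR_IPV6` and `IP6SKB_IOAM`, and the place where that flag is set is not in this patch. It is worth confirming the flag is raised only for traffic from a configured IOAM domain, since otherwise the inner packet is re-injected through `netif_rx()` on the sender's word alone. The function body starts and ends outside this hunk.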
@@ -461,6 +482,7 @@ void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,
 			consume_skb(skb);
 		}
 	}
+out:
 	return;
 
 discard:
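Review bot: The new `out:` label leads only to `return;`, so the `goto out;` in the IOAM branch could simply be `return;`. Kernel coding style prefers returning directly when there is no shared cleanup, and the label added here would then be unnecessary. The function continues outside this hunk.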
-- 
2.17.1
