| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Jun 2020 10:31:34 +0200 (CEST)
From: Justin Iurman <justin.iurman@...ege.be>
To: Tom Herbert <tom@...bertland.com>
Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH net-next 2/5] ipv6: IOAM tunnel decapsulation
Tom,
>> >> Implement the IOAM egress behavior.
>> >>
>> >> According to RFC 8200:
>> >> "Extension headers (except for the Hop-by-Hop Options header) are not
>> >> processed, inserted, or deleted by any node along a packet's delivery
>> >> path, until the packet reaches the node (or each of the set of nodes,
>> >> in the case of multicast) identified in the Destination Address field
>> >> of the IPv6 header."
>> >>
>> >> Therefore, an ingress node (an IOAM domain border) must encapsulate an
>> >> incoming IPv6 packet with another similar IPv6 header that will contain
>> >> IOAM data while it traverses the domain. When leaving, the egress node,
>> >> another IOAM domain border which is also the tunnel destination, must
>> >> decapsulate the packet.
>> >
>> > This is just IP in IP encapsulation that happens to be terminated at
>> > an egress node of the IOAM domain. The fact that it's IOAM isn't
>> > germaine, this IP in IP is done in a variety of ways. We should be
>> > using the normal protocol handler for NEXTHDR_IPV6 instead of special
>> > case code.
>>
>> Agree. The reason for this special case code is that I was not aware of a more
>> elegant solution.
>>
> The current implementation might not be what you're looking for since
> ip6ip6 wants a tunnel configured. What we really want is more like
> anonymous decapsulation, that is just decap the ip6ip6 packet and
> resubmit the packet into the stack (this is what you patch is doing).
> The idea has been kicked around before, especially in the use case
> where we're tunneling across a domain and there could be hundreds of
> such tunnels to some device. I think it's generally okay to do this,
> although someone might raise security concerns since it sort of
> obfuscates the "real packet". Probably makes sense to have a sysctl to
Indeed. However, in this precise case for IOAM, you don't have security issues since you would only decap if an IOAM HBH is found in the outer header, which is only valid if the node is part of the IOAM domain (IOAM is enabled on its ingress interface). But, for a more generic case, I agree for the sysctl solution.
> enable this and probably could default to on. Of course, if we do this
> the next question is should we also implement anonymous decapsulation
> for 44,64,46 tunnels.
Interesting question. I'd say that we should only do it if there is at least a use case that is (or will be) part of the kernel.
Justin
> Tom
>
>> Justin
>>
>> >> Signed-off-by: Justin Iurman <justin.iurman@...ege.be>
>> >> ---
>> >> include/linux/ipv6.h | 1 +
>> >> net/ipv6/ip6_input.c | 22 ++++++++++++++++++++++
>> >> 2 files changed, 23 insertions(+)
>> >>
>> >> diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
>> >> index 2cb445a8fc9e..5312a718bc7a 100644
>> >> --- a/include/linux/ipv6.h
>> >> +++ b/include/linux/ipv6.h
>> >> @@ -138,6 +138,7 @@ struct inet6_skb_parm {
>> >> #define IP6SKB_HOPBYHOP 32
>> >> #define IP6SKB_L3SLAVE 64
>> >> #define IP6SKB_JUMBOGRAM 128
>> >> +#define IP6SKB_IOAM 256
>> >> };
>> >>
>> >> #if defined(CONFIG_NET_L3_MASTER_DEV)
>> >> diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
>> >> index e96304d8a4a7..8cf75cc5e806 100644
>> >> --- a/net/ipv6/ip6_input.c
>> >> +++ b/net/ipv6/ip6_input.c
>> >> @@ -361,9 +361,11 @@ INDIRECT_CALLABLE_DECLARE(int tcp_v6_rcv(struct sk_buff
>> >> *));
>> >> void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,
>> >> bool have_final)
>> >> {
>> >> + struct inet6_skb_parm *opt = IP6CB(skb);
>> >> const struct inet6_protocol *ipprot;
>> >> struct inet6_dev *idev;
>> >> unsigned int nhoff;
>> >> + u8 hop_limit;
>> >> bool raw;
>> >>
>> >> /*
>> >> @@ -450,6 +452,25 @@ void ip6_protocol_deliver_rcu(struct net *net, struct
>> >> sk_buff *skb, int nexthdr,
>> >> } else {
>> >> if (!raw) {
>> >> if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
>> >> + /* IOAM Tunnel Decapsulation
>> >> + * Packet is going to re-enter the stack
>> >> + */
>> >> + if (nexthdr == NEXTHDR_IPV6 &&
>> >> + (opt->flags & IP6SKB_IOAM)) {
>> >> + hop_limit = ipv6_hdr(skb)->hop_limit;
>> >> +
>> >> + skb_reset_network_header(skb);
>> >> + skb_reset_transport_header(skb);
>> >> + skb->encapsulation = 0;
>> >> +
>> >> + ipv6_hdr(skb)->hop_limit = hop_limit;
>> >> + __skb_tunnel_rx(skb, skb->dev,
>> >> + dev_net(skb->dev));
>> >> +
>> >> + netif_rx(skb);
>> >> + goto out;
>> >> + }
>> >> +
>> >> __IP6_INC_STATS(net, idev,
>> >> IPSTATS_MIB_INUNKNOWNPROTOS);
>> >> icmpv6_send(skb, ICMPV6_PARAMPROB,
>> >> @@ -461,6 +482,7 @@ void ip6_protocol_deliver_rcu(struct net *net, struct
>> >> sk_buff *skb, int nexthdr,
>> >> consume_skb(skb);
>> >> }
>> >> }
>> >> +out:
>> >> return;
>> >>
>> >> discard:
>> >> --
> > >> 2.17.1
Powered by blists - more mailing lists