| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Aug 2020 14:12:59 +0200
From: Ahmed Abdelsalam <ahabdels@...il.com>
To: David Ahern <dsahern@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: andrea.mayer@...roma2.it
Subject: Re: [net-next v5 1/2] seg6: inherit DSCP of inner IPv4 packets
On 26/08/2020 02:45, David Ahern wrote:
> On 8/25/20 5:45 PM, Ahmed Abdelsalam wrote:
>>
>> Hi David
>>
>> The seg6 encap is implemented through the seg6_lwt rather than
>> seg6_local_lwt.
>
> ok. I don't know the seg6 code; just taking a guess from a quick look.
>
>> We can add a flag(SEG6_IPTUNNEL_DSCP) in seg6_iptunnel.h if we do not
>> want to go the sysctl direction.
>
> sysctl is just a big hammer with side effects.
>
> It struck me that the DSCP propagation is very similar to the TTL
> propagation with MPLS which is per route entry (MPLS_IPTUNNEL_TTL and
> stored as ttl_propagate in mpls_iptunnel_encap). Hence the question of
> whether SR could make this a per route attribute. Consistency across
> implementations is best.
>SRv6 does not have an issue of having this per route.
Actually, as SRv6 leverage IPv6 encapsulation, I would say it should
consistent with ip6_tunnel not MPLS.
In ip6_tunnel, both ttl and flowinfo (tclass and flowlabel) are provided.
Ideally, SRv6 code should have done the same with:
TTL := VLAUE | DEFAULT | inherit.
TCLASS := 0x00 .. 0xFF | inherit
FLOWLABEL := { 0x00000 .. 0xfffff | inherit | compute.
>> Perhaps this would require various changes to seg6 infrastructure
>> including seg6_iptunnel_policy, seg6_build_state, fill_encap,
>> get_encap_size, etc.
>>
>> We have proposed a patch before to support optional parameters for SRv6
>> behaviors [1].
>> Unfortunately, this patch was rejected.
>>
>
> not sure I follow why the patch was rejected. Does it change behavior of
> existing code?
>
The comment from David miller was "People taking advantage of this new
flexibility will write applications that DO NOT WORK on older kernels."
Perhaps, here we can a bit of discussion. Because also applications that
leverage SRv6 encapsulation will not work on kernels before 4.10.
Applications that leverage SRv6 VPN behvaiors will not work on kernels
before 4.14. Applications that leverages SRv6 capabilites in iptables
will not work on kernels before 4.16.
So when people write an application they have minimum requirement (e.g.,
kernel 5.x)
I would like to get David miller feedback as well as yours on how we
should proceed and I can work on these features.
> I would expect that new attributes can be added without affecting
> handling of current ones. Looking at seg6_iptunnel.c the new attribute
> would be ignored on older kernels but should be fine on new ones and
> forward.
>
> ###
>
> Since seg6 does not have strict attribute checking the only way to find
> out if it is supported is to send down the config and then read it back.
> If the attribute is missing, the kernel does not support. Ugly, but one
> way to determine support. The next time an attribute is added to seg6
> code, strict checking should be enabled so that going forward as new
> attributes are added older kernels with strict checking would reject it.
>
Powered by blists - more mailing lists