lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 26 Aug 2020 14:12:59 +0200
From:   Ahmed Abdelsalam <>
To:     David Ahern <>,
        "David S. Miller" <>,
        Jakub Kicinski <>,
        Alexey Kuznetsov <>,
        Hideaki YOSHIFUJI <>,
        Paolo Abeni <>,,
Subject: Re: [net-next v5 1/2] seg6: inherit DSCP of inner IPv4 packets

On 26/08/2020 02:45, David Ahern wrote:
> On 8/25/20 5:45 PM, Ahmed Abdelsalam wrote:
>> Hi David
>> The seg6 encap is implemented through the seg6_lwt rather than
>> seg6_local_lwt.
> ok. I don't know the seg6 code; just taking a guess from a quick look.
>> We can add a flag(SEG6_IPTUNNEL_DSCP) in seg6_iptunnel.h if we do not
>> want to go the sysctl direction.
> sysctl is just a big hammer with side effects.
> It struck me that the DSCP propagation is very similar to the TTL
> propagation with MPLS which is per route entry (MPLS_IPTUNNEL_TTL and
> stored as ttl_propagate in mpls_iptunnel_encap). Hence the question of
> whether SR could make this a per route attribute. Consistency across
> implementations is best.
>SRv6 does not have an issue of having this per route.
Actually, as SRv6 leverage IPv6 encapsulation, I would say it should 
consistent with ip6_tunnel not MPLS.

In ip6_tunnel, both ttl and flowinfo (tclass and flowlabel) are provided.

Ideally, SRv6 code should have done the same with:
TTL       := VLAUE | DEFAULT | inherit.
TCLASS    := 0x00 .. 0xFF | inherit
FLOWLABEL := { 0x00000 .. 0xfffff | inherit | compute.

>> Perhaps this would require various changes to seg6 infrastructure
>> including seg6_iptunnel_policy, seg6_build_state, fill_encap,
>> get_encap_size, etc.
>> We have proposed a patch before to support optional parameters for SRv6
>> behaviors [1].
>> Unfortunately, this patch was rejected.
> not sure I follow why the patch was rejected. Does it change behavior of
> existing code?

The comment from David miller was "People taking advantage of this new 
flexibility will write applications that DO NOT WORK on older kernels."

Perhaps, here we can a bit of discussion. Because also applications that 
leverage SRv6 encapsulation will not work on kernels before 4.10. 
Applications that leverage SRv6 VPN behvaiors will not work on kernels 
before 4.14. Applications that leverages SRv6 capabilites in iptables 
will not work on kernels before 4.16.

So when people write an application they have minimum requirement (e.g., 
kernel 5.x)

I would like to get David miller feedback as well as yours on how we 
should proceed and I can work on these features.

> I would expect that new attributes can be added without affecting
> handling of current ones. Looking at seg6_iptunnel.c the new attribute
> would be ignored on older kernels but should be fine on new ones and
> forward.
> ###
> Since seg6 does not have strict attribute checking the only way to find
> out if it is supported is to send down the config and then read it back.
> If the attribute is missing, the kernel does not support. Ugly, but one
> way to determine support. The next time an attribute is added to seg6
> code, strict checking should be enabled so that going forward as new
> attributes are added older kernels with strict checking would reject it.

Powered by blists - more mailing lists