Message-ID: <6423b21b-8feb-486f-f06b-cf7921894b16@gmail.com>
Date:   Tue, 22 Jun 2021 09:36:47 -0600
From:   David Ahern <dsahern@...il.com>
To:     Paolo Lungaroni <paolo.lungaroni@...roma2.it>,
        David Ahern <dsahern@...nel.org>, netdev@...r.kernel.org
Cc:     Jakub Kicinski <kuba@...nel.org>,
        Stephen Hemminger <stephen@...workplumber.org>,
        Stefano Salsano <stefano.salsano@...roma2.it>,
        Ahmed Abdelsalam <ahabdels.dev@...il.com>,
        Andrea Mayer <andrea.mayer@...roma2.it>
Subject: Re: [iproute2-next v1] seg6: add support for SRv6 End.DT46 Behavior

On 6/17/21 11:23 AM, Paolo Lungaroni wrote:
> We introduce the new "End.DT46" action for supporting the SRv6 End.DT46
> Behavior in iproute2.
> The SRv6 End.DT46 Behavior, defined in RFC 8986 [1] section 4.8, can be
> used to implement L3 VPNs based on Segment Routing over IPv6 networks in
> multi-tenant environments and it is capable of handling both IPv4 and
> IPv6 tenant traffic at the same time.
> The SRv6 End.DT46 Behavior decapsulates the received packets and it
> performs the IPv4 or IPv6 routing lookup in the routing table of the
> tenant.
> 
> As for the End.DT4 and for the End.DT6 in VRF mode, the SRv6 End.DT46
> Behavior leverages a VRF device in order to force the routing lookup into
> the associated routing table using the "vrftable" attribute.
> 
> To make the End.DT46 work properly, it must be guaranteed that the
> routing table used for routing lookup operations is bound to one and
> only one VRF during the tunnel creation. Such a constraint has to be
> enforced by enabling the VRF strict_mode sysctl parameter, i.e.:
> 
>  $ sysctl -wq net.vrf.strict_mode=1
> 
> Note that the same approach is used for the End.DT4 Behavior and for the
> End.DT6 Behavior in VRF mode.
> 
> An SRv6 End.DT46 Behavior instance can be created as follows:
> 
>  $ ip -6 route add 2001:db8::1 encap seg6local action End.DT46 vrftable 100 dev vrf100
> 
> Standard Output:
>  $ ip -6 route show 2001:db8::1
>  2001:db8::1  encap seg6local action End.DT46 vrftable 100 dev vrf100 metric 1024 pref medium
> 
> JSON Output:
> $ ip -6 -j -p route show 2001:db8::1
> [ {
>         "dst": "2001:db8::1",
>         "encap": "seg6local",
>         "action": "End.DT46",
>         "vrftable": 100,
>         "dev": "vrf100",
>         "metric": 1024,
>         "flags": [ ],
>         "pref": "medium"
> } ]
> 
> This patch updates the route.8 man page and the ip route help with the
> information related to End.DT46.
> Considering that the same information was missing for the SRv6 End.DT4 and
> the End.DT6 Behaviors, we have also added it.
> 
> [1] https://www.rfc-editor.org/rfc/rfc8986.html#name-enddt46-decapsulation-and-s
> 
> Signed-off-by: Andrea Mayer <andrea.mayer@...roma2.it>
> Signed-off-by: Paolo Lungaroni <paolo.lungaroni@...roma2.it>
> ---
>  include/uapi/linux/seg6_local.h |  2 ++
>  ip/iproute.c                    |  4 +--
>  ip/iproute_lwtunnel.c           |  1 +
>  man/man8/ip-route.8.in          | 48 +++++++++++++++++++++++++++++++++
>  4 files changed, 53 insertions(+), 2 deletions(-)
> 

applied to iproute2-next. Thanks,
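
The check below is an added example, not part of the original message or of iproute2. It audits the constraint the commit message describes: every End.DT4/DT6/DT46 route in VRF mode must point at a table bound to exactly one VRF, with `net.vrf.strict_mode` set to 1. The sample inputs are constructed, and the `linkinfo`/`info_data` layout of `ip -d -j link show type vrf` is an assumption.

```python
import json

DT_ACTIONS = {"End.DT4", "End.DT6", "End.DT46"}

# Constructed sample of `ip -6 -j route show`; the first entry is the route from the message.
ROUTES = '''[
 {"dst": "2001:db8::1", "encap": "seg6local", "action": "End.DT46", "vrftable": 100, "dev": "vrf100"},
 {"dst": "2001:db8::2", "encap": "seg6local", "action": "End.DT46", "vrftable": 200, "dev": "vrf200"},
 {"dst": "2001:db8::3", "encap": "seg6local", "action": "End.DT4", "vrftable": 300, "dev": "vrf300"},
 {"dst": "2001:db8:ffff::/48", "dev": "eth0", "metric": 1024}
]'''

# Constructed sample of `ip -d -j link show type vrf` (field layout is an assumption).
LINKS = '''[
 {"ifname": "vrf100", "linkinfo": {"info_kind": "vrf", "info_data": {"table": 100}}},
 {"ifname": "vrf200", "linkinfo": {"info_kind": "vrf", "info_data": {"table": 200}}},
 {"ifname": "vrf-b", "linkinfo": {"info_kind": "vrf", "info_data": {"table": 200}}}
]'''

def vrfs_by_table(links_json):
    """Map routing table id -> names of the VRF devices bound to it."""
    tables = {}
    for link in json.loads(links_json):
        info = link.get("linkinfo", {})
        if info.get("info_kind") == "vrf":
            tables.setdefault(info.get("info_data", {}).get("table"), []).append(link["ifname"])
    return tables

def audit(routes_json, links_json, strict_mode):
    """Return findings for DT routes whose vrftable is not bound to exactly one VRF."""
    findings = []
    if strict_mode != 1:
        findings.append("net.vrf.strict_mode is %d, expected 1" % strict_mode)
    tables = vrfs_by_table(links_json)
    for route in json.loads(routes_json):
        if route.get("encap") != "seg6local" or route.get("action") not in DT_ACTIONS:
            continue
        table = route.get("vrftable")
        if table is None:  # not in VRF mode; outside the scope of this check
            continue
        vrfs = tables.get(table, [])
        if len(vrfs) != 1:
            findings.append("%s %s: table %d bound to %d VRFs %s"
                            % (route["dst"], route["action"], table, len(vrfs), vrfs))
    return findings

if __name__ == "__main__":
    for finding in audit(ROUTES, LINKS, strict_mode=0):
        print(finding)
```

On a live host, feed it the output of the two `ip` commands and the value read from `/proc/sys/net/vrf/strict_mode`.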
