Date:   Mon, 20 Dec 2021 14:17:10 -0600
From:   Alex Elder <elder@...aro.org>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     Network Development <netdev@...r.kernel.org>,
        "bjorn.andersson@...aro.org" <bjorn.andersson@...aro.org>
Subject: Re: Port mirroring (RFC)

On 12/15/21 5:33 PM, Jakub Kicinski wrote:
> On Tue, 14 Dec 2021 08:47:12 -0600 Alex Elder wrote:
>> I am implementing what amounts to port mirroring functionality
>> for the IPA driver.
>>
>> The IPA hardware isn't exactly a network switch (it's sort of
>> more than that), but it has the ability to supply replicas of
>> packets transferred within it to a special (read only) interface.
>>
>> My plan is to implement this using a new "ipa_mirror" network
>> device, so it could be used with a raw socket to capture the
>> arriving packets.  There currently exists one other netdev,
>> which represents access through a modem to a WWAN network.
>>
>> I would like some advice on how to proceed with this.  I want
>> the result to match "best practice" upstream, and would like
>> this to be as well integrated as possible with existing network
>> tools.
>>
>> A few details about the stream of packets that arrive on
>> this hardware interface:
>> - Packet data is truncated if it's larger than a certain size
>> - Each packet is preceded by a fixed-size header describing it
>> - Packets (and their headers) are aggregated into a buffer; i.e.
>>     a single receive might carry a dozen (truncated) packets
>>
>> Here are a few specific questions, but I would love to get
>> *any* feedback about what I'm doing.
>> - Is representing this as a separate netdev a reasonable
>>     thing to do?
>> - Is there anything wrong with making a netdev read-only?
>>     (Any packets supplied for transmit would be dropped)
>> - Are there things I should do so it's clear this interface
>>     does not carry IP traffic (or even UDP, etc.)?
>> - Should the driver de-aggregate the received packets, i.e.
>>     separating each into a separate SKB for reading?
>>
>> I might have *many* more questions, but I'd just like to make
>> sure I'm on the right track, and would like both specific and
>> general suggestions about how to do this the right way.
> 
> Maybe the first question to ask is - why do you need this?

That is a great question.

> Or perhaps - how is it used? There's a significant difference
> between an interface for users and a debug interface.

This would be a debug interface.  That is, it is not intended
as a normal way of delivering packets to Linux, it's meant as
an aid in understanding what's going on inside the hardware
(exposing the packets that are passing through IPA).

> Do you aim to give users control over the forwarding which happens
> on the application processor at some point? If so Andrew and Florian
> give great suggestions but starting from debugging of the forwarding
> feels a little backward.

This actually goes back to what IPA can do, which is allow
certain IP functionality to be offloaded.  Currently, IPA
simply carries packets between the AP and a Qualcomm modem.
It provides the path needed for Linux to access the modem's
WWAN network.

However it is also possible to have the IPA hardware carry
IP packets between the modem and (for example) a USB device,
without the AP being directly involved in the transfer.
But even though Linux would not handle these packets, one
might still (for debugging purposes) like to see (on the
AP) what the packets moved by IPA look like.

That omits many details, some of which I don't think I could
even explain well right now.

But to answer your question, this would *not* be an interface
used by "normal users."  It might be useful to filter these
with networking tools for the benefit of analysis, but there
would be no forwarding of these packets anywhere else.  It
really is meant to be a monitoring interface, to be used for
development and troubleshooting.

					-Alex
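
Added illustration of the de-aggregation question raised in the quoted RFC (not code from this thread or from the IPA driver): splitting one aggregated receive buffer into per-packet records, with bounds checks, the way a driver would before giving each packet its own SKB. The thread only says the per-packet header is fixed-size, so the 4-byte little-endian header layout, the names `mirror_pkt`, `mirror_deaggregate`, `rd16le` and the sample buffer are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed per-packet header: the thread only says it is fixed-size, so these
 * two little-endian 16-bit fields are a constructed layout, not IPA's real one. */
#define MIRROR_HDR_LEN 4

struct mirror_pkt {
    const uint8_t *data;   /* points into the aggregated buffer */
    uint16_t orig_len;     /* packet length as the hardware saw it */
    uint16_t cap_len;      /* bytes actually present (< orig_len if truncated) */
    int truncated;
};
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Split one aggregated receive buffer into per-packet records, as a driver
 * would before giving each packet its own SKB. Returns the packet count, or
 * -1 if a header is short or claims more bytes than remain: lengths supplied
 * by hardware are untrusted input and must be bounds-checked, debug path or not. */
int mirror_deaggregate(const uint8_t *buf, size_t len,
                       struct mirror_pkt *out, size_t max_out)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        uint16_t orig_len, cap_len;
        if (len - off < MIRROR_HDR_LEN)
            return -1;                    /* partial header at the tail */
        orig_len = rd16le(buf + off);
        cap_len = rd16le(buf + off + 2);
        off += MIRROR_HDR_LEN;
        if (cap_len > orig_len || cap_len > len - off)
            return -1;                    /* header runs past the buffer */
        if ((size_t)n < max_out) {
            out[n].data = buf + off;
            out[n].orig_len = orig_len;
            out[n].cap_len = cap_len;
            out[n].truncated = cap_len < orig_len;
        }
        n++;
        off += cap_len;
    }
    return n;
}

/* Constructed sample: a 3-byte packet, then a 1500-byte packet truncated to 4. */
const uint8_t mirror_sample[] = {
    0x03, 0x00, 0x03, 0x00, 0xaa, 0xbb, 0xcc,
    0xdc, 0x05, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44 };
```

The two rejection paths (short trailing header, header length exceeding the buffer) are what keeps a monitoring interface from turning a malformed hardware buffer into an out-of-bounds read.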
