lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Mar 2022 16:00:03 +0200 From: Vladimir Oltean <olteanv@...il.com> To: Hans Schultz <schultz.hans@...il.com> Cc: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org, Andrew Lunn <andrew@...n.ch>, Vivien Didelot <vivien.didelot@...il.com>, Florian Fainelli <f.fainelli@...il.com>, Jiri Pirko <jiri@...nulli.us>, Ivan Vecera <ivecera@...hat.com>, Roopa Prabhu <roopa@...dia.com>, Nikolay Aleksandrov <razor@...ckwall.org>, Shuah Khan <shuah@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Ido Schimmel <idosch@...dia.com>, linux-kernel@...r.kernel.org, bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org Subject: Re: [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag On Fri, Mar 25, 2022 at 02:48:36PM +0100, Hans Schultz wrote: > > If you'd cache the locked ATU entry in the mv88e6xxx driver, and you'd > > notify switchdev only if the entry is new to the cache, then you'd > > actually still achieve something major. Yes, the bridge FDB will contain > > locked FDB entries that aren't in the ATU. But that's because your > > printer has been silent for X seconds. The policy for the printer still > > hasn't changed, as far as the mv88e6xxx, or bridge, software drivers are > > concerned. If the unauthorized printer says something again after the > > locked ATU entry expires, the mv88e6xxx driver will find its MAC SA > > in the cache of denied addresses, and reload the ATU. What this > > achieves > > The driver will in this case just trigger a new miss violation and add > the entry again I think. > The problem with all this is that a malicious attack that spams the > switch with random mac addresses will be able to DOS the device as any > handling of the fdb will be too resource demanding. That is why it is > needed to remove those fdb entries after a time out, which dynamic > entries would serve. An attacker sweeping through the 2^47 source MAC address range is a problem regardless of the implementations proposed so far, no? If unlimited growth of the mv88e6xxx locked ATU entry cache is a concern (which it is), we could limit its size, and when we purge a cached entry in software is also when we could emit a SWITCHDEV_FDB_DEL_TO_BRIDGE for it, right?
Powered by blists - more mailing lists