lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 20 Jul 2023 10:17:43 +0200
From: Jiri Benc <jbenc@...hat.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: netdev@...r.kernel.org, Jesse Brandeburg <jesse.brandeburg@...el.com>,
 Tony Nguyen <anthony.l.nguyen@...el.com>
Subject: Re: [PATCH net] vxlan: calculate correct header length for GPE

On Wed, 19 Jul 2023 21:08:28 -0700, Jakub Kicinski wrote:
> On Tue, 18 Jul 2023 12:50:13 +0200 Jiri Benc wrote:
> > This causes problems in skb_tunnel_check_pmtu, where incorrect PMTU is
> > cached. If the VXLAN-GPE interface has MTU 1464 set (with the underlying
> > interface having the usual MTU of 1500), a TCP stream sent over the
> > tunnel is first segmented to 1514 byte frames only to be immediatelly
> > followed by a resend with 1500 bytes frames, before the other side even
> > has a chance to ack them.  
> 
> Sounds like we are overly conservative, assuming the header will be
> larger than it ends up being. But you're saying it leads to oversized,
> not undersized packets?

Sorry for not providing enough details. The packets are actually
correctly sized, initially. Then a lower, incorrect PMTU is cached.

In the collect_md mode (which is the only mode that VXLAN-GPE
supports), there's no magic auto-setting of the tunnel interface MTU.
It can't be, since the destination and thus the underlying interface
may be different for each packet.

So, the administrator is responsible for setting the correct tunnel
interface MTU. Apparently, the administrators are capable enough to
calculate that the maximum MTU for VXLAN-GPE is (their_lower_MTU - 36).
They set the tunnel interface MTU to 1464. If you run a TCP stream over
such interface, it's then segmented according to the MTU 1464, i.e.
producing 1514 bytes frames. Which is okay, this still fits the lower
MTU.

However, skb_tunnel_check_pmtu (called from vxlan_xmit_one) uses 50 as
the header size and thus incorrectly calculates the frame size to be
1528. This leads to ICMP too big message being generated (locally),
PMTU of 1450 to be cached and the TCP stream to be resegmented.

The fix is to use the correct actual header size, especially for
skb_tunnel_check_pmtu calculation.

Should I resend with more detailed patch description?

Thanks,

 Jiri

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ