lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 4 Aug 2023 11:16:17 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Paolo Abeni <pabeni@...hat.com>, David Ahern <dsahern@...nel.org>, 
	Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v3 net-next 1/2] tcp: Disable header prediction for MD5 flow.

On Fri, Aug 4, 2023 at 12:46 AM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
>
> TCP socket saves the minimum required header length in tcp_header_len
> of struct tcp_sock, and later the value is used in __tcp_fast_path_on()
> to generate a part of TCP header in tcp_sock(sk)->pred_flags.
>
> In tcp_rcv_established(), if the incoming packet has the same pattern
> with pred_flags, we enter the fast path and skip full option parsing.
>
> The MD5 option is parsed in tcp_v[46]_rcv(), so we need not parse it
> again later in tcp_rcv_established() unless other options exist.  We
> add TCPOLEN_MD5SIG_ALIGNED to tcp_header_len in two paths to avoid the
> slow path.
>
> For passive open connections with MD5, we add TCPOLEN_MD5SIG_ALIGNED
> to tcp_header_len in tcp_create_openreq_child() after 3WHS.
>
> On the other hand, we do it in tcp_connect_init() for active open
> connections.  However, the value is overwritten while processing
> SYN+ACK or crossed SYN in tcp_rcv_synsent_state_process().
>
> These two cases will have the wrong value in pred_flags and never go
> into the fast path.
>
> We could update tcp_header_len in tcp_rcv_synsent_state_process(), but
> a test with slightly modified netperf which uses MD5 for each flow shows
> that the slow path is actually a bit faster than the fast path.
>
>   On c5.4xlarge EC2 instance (16 vCPU, 32 GiB mem)
>
>   $ for i in {1..10}; do
>   ./super_netperf $(nproc) -H localhost -l 10 -- -m 256 -M 256;
>   done
>
>   Avg of 10
>   * 36e68eadd303  : 10.376 Gbps
>   * all fast path : 10.374 Gbps (patch v2, See Link)
>   * all slow path : 10.394 Gbps
>
> The header prediction is not worth adding complexity for MD5, so let's
> disable it for MD5.
>
> Link: https://lore.kernel.org/netdev/20230803042214.38309-1-kuniyu@amazon.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> ---

Reviewed-by: Eric Dumazet <edumazet@...gle.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ