lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <66ab8b9ef3d74_2441da2947d@willemb.c.googlers.com.notmuch>
Date: Thu, 01 Aug 2024 09:20:30 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Tom Herbert <tom@...bertland.com>, 
 davem@...emloft.net, 
 kuba@...nel.org, 
 edumazet@...gle.com, 
 netdev@...r.kernel.org, 
 felipe@...anda.io
Cc: Tom Herbert <tom@...bertland.com>
Subject: Re: [PATCH 00/12] flow_dissector: Dissect UDP encapsulation protocols

Tom Herbert wrote:
> Add support in flow_dissector for dissecting into UDP
> encapsulations like VXLAN. __skb_flow_dissect_udp is called for
> IPPROTO_UDP. The flag FLOW_DISSECTOR_F_PARSE_UDP_ENCAPS enables parsing
> of UDP encapsulations. If the flag is set when parsing a UDP packet then
> a socket lookup is performed. The offset of the base network header,
> either an IPv4 or IPv6 header, is tracked and passed to
> __skb_flow_dissect_udp so that it can perform the socket lookup.
> If a socket is found and it's for a UDP encapsulation (encap_type is
> set in the UDP socket) then a switch is performed on the encap_type
> value (cases are UDP_ENCAP_* values).

The main concern with the flow dissector is that its execution depends
on untrusted packets.

For this reason we added the BPF dissector for new protocols. What is
the reason to prefer adding more C code?

And somewhat academic, but: would it be different if the BPF would
ship with the kernel and autoload at boot, just like C modules?

A second concern is changing the defaults. I have not looked at this
closely, but if dissection today stops at the outer UDP header for
skb_get_hash, then we don't want to accidentally change this behavior.
Or if not accidental, call it out explicitly.

> 
> Tested: Verified fou, gue, vxlan, and geneve are properly dissected for
> IPv4 and IPv6 cases. This includes testing the ETH_P_TEB case.

Manually?
