Linux Virtualization - Jan 2015 - [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.

On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> >> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
> >>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
> >>>> If the IPv6 fragment id has not been set and we perform
> >>>> fragmentation due to UFO, select a new fragment id.
> >>>> When we store the fragment id into skb_shinfo, set the bit
> >>>> in the skb so we can re-use the selected id.
> >>>> This preserves the behavior of UFO packets generated on
the
> >>>> host and solves the issue of id generation for packet
sockets
> >>>> and tap/macvtap devices.
> >>>>
> >>>> This patch moves ipv6_select_ident() back in to the header
file.
> >>>> It also provides the helper function that sets
skb_shinfo() frag
> >>>> id and sets the bit.
> >>>>
> >>>> It also makes sure that we select the fragment id when
doing
> >>>> just gso validation, since it's possible for the
packet to
> >>>> come from an untrusted source (VM) and be forwarded
through
> >>>> a UFO enabled device which will expect the fragment id.
> >>>>
> >>>> CC: Eric Dumazet <edumazet at google.com>
> >>>> Signed-off-by: Vladislav Yasevich <vyasevic at
redhat.com>
> >>>> ---
> >>>>  include/linux/skbuff.h |  3 ++-
> >>>>  include/net/ipv6.h     |  2 ++
> >>>>  net/ipv6/ip6_output.c  |  4 ++--
> >>>>  net/ipv6/output_core.c |  9 ++++++++-
> >>>>  net/ipv6/udp_offload.c | 10 +++++++++-
> >>>>  5 files changed, 23 insertions(+), 5 deletions(-)
> >>>>
> >>>> diff --git a/include/linux/skbuff.h
b/include/linux/skbuff.h
> >>>> index 85ab7d7..3ad5203 100644
> >>>> --- a/include/linux/skbuff.h
> >>>> +++ b/include/linux/skbuff.h
> >>>> @@ -605,7 +605,8 @@ struct sk_buff {
> >>>>  	__u8			ipvs_property:1;
> >>>>  	__u8			inner_protocol_type:1;
> >>>>  	__u8			remcsum_offload:1;
> >>>> -	/* 3 or 5 bit hole */
> >>>> +	__u8			ufo_fragid_set:1;
> >>> [...]
> >>>
> >>> Doesn't the flag belong in struct skb_shared_info, rather
than struct
> >>> sk_buff?  Otherwise this looks fine.
> >>>
> >>> Ben.
> >>
> >> Hmm we seem to be out of tx flags.
> >> Maybe ip6_frag_id == 0 should mean "not set".
> > 
> > Maybe that is the best idea. Definitely the ufo_fragid_set bit should
> > move into the skb_shared_info area.
> 
> That's what I originally wanted to do, but had to move and grow txflags
thus
> skb_shinfo ended up growing.  I wanted to avoid that, so stole an skb flag.
> 
> I considered treating fragid == 0 as unset, but a 0 fragid is perfectly
valid
> from the protocol perspective and could actually be generated by the id
generator
> functions.  This may cause us to call the id generation multiple times.
Are there plans in the long run to let virtio_net transmit auxiliary
data to the other end so we can clean all of this this up one day?

I don't like the whole situation: looking into the virtio_net headers
just adding a field for ipv6 fragmentation ids to those small structs
seems bloated, not doing it feels incorrect. :/

Thoughts?

Bye,
Hannes

On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa
wrote:
> On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> > >> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings
wrote:
> > >>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich
wrote:
> > >>>> If the IPv6 fragment id has not been set and we
perform
> > >>>> fragmentation due to UFO, select a new fragment id.
> > >>>> When we store the fragment id into skb_shinfo, set
the bit
> > >>>> in the skb so we can re-use the selected id.
> > >>>> This preserves the behavior of UFO packets generated
on the
> > >>>> host and solves the issue of id generation for packet
sockets
> > >>>> and tap/macvtap devices.
> > >>>>
> > >>>> This patch moves ipv6_select_ident() back in to the
header file.
> > >>>> It also provides the helper function that sets
skb_shinfo() frag
> > >>>> id and sets the bit.
> > >>>>
> > >>>> It also makes sure that we select the fragment id
when doing
> > >>>> just gso validation, since it's possible for the
packet to
> > >>>> come from an untrusted source (VM) and be forwarded
through
> > >>>> a UFO enabled device which will expect the fragment
id.
> > >>>>
> > >>>> CC: Eric Dumazet <edumazet at google.com>
> > >>>> Signed-off-by: Vladislav Yasevich <vyasevic at
redhat.com>
> > >>>> ---
> > >>>>  include/linux/skbuff.h |  3 ++-
> > >>>>  include/net/ipv6.h     |  2 ++
> > >>>>  net/ipv6/ip6_output.c  |  4 ++--
> > >>>>  net/ipv6/output_core.c |  9 ++++++++-
> > >>>>  net/ipv6/udp_offload.c | 10 +++++++++-
> > >>>>  5 files changed, 23 insertions(+), 5 deletions(-)
> > >>>>
> > >>>> diff --git a/include/linux/skbuff.h
b/include/linux/skbuff.h
> > >>>> index 85ab7d7..3ad5203 100644
> > >>>> --- a/include/linux/skbuff.h
> > >>>> +++ b/include/linux/skbuff.h
> > >>>> @@ -605,7 +605,8 @@ struct sk_buff {
> > >>>>  	__u8			ipvs_property:1;
> > >>>>  	__u8			inner_protocol_type:1;
> > >>>>  	__u8			remcsum_offload:1;
> > >>>> -	/* 3 or 5 bit hole */
> > >>>> +	__u8			ufo_fragid_set:1;
> > >>> [...]
> > >>>
> > >>> Doesn't the flag belong in struct skb_shared_info,
rather than struct
> > >>> sk_buff?  Otherwise this looks fine.
> > >>>
> > >>> Ben.
> > >>
> > >> Hmm we seem to be out of tx flags.
> > >> Maybe ip6_frag_id == 0 should mean "not set".
> > > 
> > > Maybe that is the best idea. Definitely the ufo_fragid_set bit
should
> > > move into the skb_shared_info area.
> > 
> > That's what I originally wanted to do, but had to move and grow
txflags thus
> > skb_shinfo ended up growing.  I wanted to avoid that, so stole an skb
flag.
> > 
> > I considered treating fragid == 0 as unset, but a 0 fragid is
perfectly valid
> > from the protocol perspective and could actually be generated by the
id generator
> > functions.  This may cause us to call the id generation multiple
times.
> 
> Are there plans in the long run to let virtio_net transmit auxiliary
> data to the other end so we can clean all of this this up one day?
> 
> I don't like the whole situation: looking into the virtio_net headers
> just adding a field for ipv6 fragmentation ids to those small structs
> seems bloated, not doing it feels incorrect. :/
> 
> Thoughts?
> 
> Bye,
> Hannes
I'm not sure - what will be achieved by generating the IDs guest side as
opposed to host side?  It's certainly harder to get hold of entropy
guest-side.

-- 
MST

On 01/27/2015 11:02 AM, Hannes Frederic Sowa wrote:
> On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
>> On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
>>> On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
>>>> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
>>>>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich
wrote:
>>>>>> If the IPv6 fragment id has not been set and we perform
>>>>>> fragmentation due to UFO, select a new fragment id.
>>>>>> When we store the fragment id into skb_shinfo, set the
bit
>>>>>> in the skb so we can re-use the selected id.
>>>>>> This preserves the behavior of UFO packets generated on
the
>>>>>> host and solves the issue of id generation for packet
sockets
>>>>>> and tap/macvtap devices.
>>>>>>
>>>>>> This patch moves ipv6_select_ident() back in to the
header file.
>>>>>> It also provides the helper function that sets
skb_shinfo() frag
>>>>>> id and sets the bit.
>>>>>>
>>>>>> It also makes sure that we select the fragment id when
doing
>>>>>> just gso validation, since it's possible for the
packet to
>>>>>> come from an untrusted source (VM) and be forwarded
through
>>>>>> a UFO enabled device which will expect the fragment id.
>>>>>>
>>>>>> CC: Eric Dumazet <edumazet at google.com>
>>>>>> Signed-off-by: Vladislav Yasevich <vyasevic at
redhat.com>
>>>>>> ---
>>>>>>  include/linux/skbuff.h |  3 ++-
>>>>>>  include/net/ipv6.h     |  2 ++
>>>>>>  net/ipv6/ip6_output.c  |  4 ++--
>>>>>>  net/ipv6/output_core.c |  9 ++++++++-
>>>>>>  net/ipv6/udp_offload.c | 10 +++++++++-
>>>>>>  5 files changed, 23 insertions(+), 5 deletions(-)
>>>>>>
>>>>>> diff --git a/include/linux/skbuff.h
b/include/linux/skbuff.h
>>>>>> index 85ab7d7..3ad5203 100644
>>>>>> --- a/include/linux/skbuff.h
>>>>>> +++ b/include/linux/skbuff.h
>>>>>> @@ -605,7 +605,8 @@ struct sk_buff {
>>>>>>  	__u8			ipvs_property:1;
>>>>>>  	__u8			inner_protocol_type:1;
>>>>>>  	__u8			remcsum_offload:1;
>>>>>> -	/* 3 or 5 bit hole */
>>>>>> +	__u8			ufo_fragid_set:1;
>>>>> [...]
>>>>>
>>>>> Doesn't the flag belong in struct skb_shared_info,
rather than struct
>>>>> sk_buff?  Otherwise this looks fine.
>>>>>
>>>>> Ben.
>>>>
>>>> Hmm we seem to be out of tx flags.
>>>> Maybe ip6_frag_id == 0 should mean "not set".
>>>
>>> Maybe that is the best idea. Definitely the ufo_fragid_set bit
should
>>> move into the skb_shared_info area.
>>
>> That's what I originally wanted to do, but had to move and grow
txflags thus
>> skb_shinfo ended up growing.  I wanted to avoid that, so stole an skb
flag.
>>
>> I considered treating fragid == 0 as unset, but a 0 fragid is perfectly
valid
>> from the protocol perspective and could actually be generated by the id
generator
>> functions.  This may cause us to call the id generation multiple times.
> 
> Are there plans in the long run to let virtio_net transmit auxiliary
> data to the other end so we can clean all of this this up one day?
Yes, and I am working on this.  Part of that is UFO/UFO6 split so that the
fragment id is carried for UFO6.
> 
> I don't like the whole situation: looking into the virtio_net headers
> just adding a field for ipv6 fragmentation ids to those small structs
> seems bloated, not doing it feels incorrect. :/
> 
We are thinking right now how to extend virtio_net header as this is
not the only extension people have thought off.  It'll probably only
happen for virtio 1.0 spec, so we may still have to support legacy
devices that may still rely on UFO being available.

-vlad
> Thoughts?
> 
> Bye,
> Hannes
> 
>

Hello,

On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin
wrote:
> On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
> > On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> > > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> > > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> > > >> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings
wrote:
> > > >>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav
Yasevich wrote:
> > > >>>> If the IPv6 fragment id has not been set and we
perform
> > > >>>> fragmentation due to UFO, select a new fragment
id.
> > > >>>> When we store the fragment id into skb_shinfo,
set the bit
> > > >>>> in the skb so we can re-use the selected id.
> > > >>>> This preserves the behavior of UFO packets
generated on the
> > > >>>> host and solves the issue of id generation for
packet sockets
> > > >>>> and tap/macvtap devices.
> > > >>>>
> > > >>>> This patch moves ipv6_select_ident() back in to
the header file.
> > > >>>> It also provides the helper function that sets
skb_shinfo() frag
> > > >>>> id and sets the bit.
> > > >>>>
> > > >>>> It also makes sure that we select the fragment
id when doing
> > > >>>> just gso validation, since it's possible for
the packet to
> > > >>>> come from an untrusted source (VM) and be
forwarded through
> > > >>>> a UFO enabled device which will expect the
fragment id.
> > > >>>>
> > > >>>> CC: Eric Dumazet <edumazet at google.com>
> > > >>>> Signed-off-by: Vladislav Yasevich <vyasevic
at redhat.com>
> > > >>>> ---
> > > >>>>  include/linux/skbuff.h |  3 ++-
> > > >>>>  include/net/ipv6.h     |  2 ++
> > > >>>>  net/ipv6/ip6_output.c  |  4 ++--
> > > >>>>  net/ipv6/output_core.c |  9 ++++++++-
> > > >>>>  net/ipv6/udp_offload.c | 10 +++++++++-
> > > >>>>  5 files changed, 23 insertions(+), 5
deletions(-)
> > > >>>>
> > > >>>> diff --git a/include/linux/skbuff.h
b/include/linux/skbuff.h
> > > >>>> index 85ab7d7..3ad5203 100644
> > > >>>> --- a/include/linux/skbuff.h
> > > >>>> +++ b/include/linux/skbuff.h
> > > >>>> @@ -605,7 +605,8 @@ struct sk_buff {
> > > >>>>  	__u8			ipvs_property:1;
> > > >>>>  	__u8			inner_protocol_type:1;
> > > >>>>  	__u8			remcsum_offload:1;
> > > >>>> -	/* 3 or 5 bit hole */
> > > >>>> +	__u8			ufo_fragid_set:1;
> > > >>> [...]
> > > >>>
> > > >>> Doesn't the flag belong in struct
skb_shared_info, rather than struct
> > > >>> sk_buff?  Otherwise this looks fine.
> > > >>>
> > > >>> Ben.
> > > >>
> > > >> Hmm we seem to be out of tx flags.
> > > >> Maybe ip6_frag_id == 0 should mean "not set".
> > > > 
> > > > Maybe that is the best idea. Definitely the ufo_fragid_set
bit should
> > > > move into the skb_shared_info area.
> > > 
> > > That's what I originally wanted to do, but had to move and
grow txflags thus
> > > skb_shinfo ended up growing.  I wanted to avoid that, so stole an
skb flag.
> > > 
> > > I considered treating fragid == 0 as unset, but a 0 fragid is
perfectly valid
> > > from the protocol perspective and could actually be generated by
the id generator
> > > functions.  This may cause us to call the id generation multiple
times.
> > 
> > Are there plans in the long run to let virtio_net transmit auxiliary
> > data to the other end so we can clean all of this this up one day?
> > 
> > I don't like the whole situation: looking into the virtio_net
headers
> > just adding a field for ipv6 fragmentation ids to those small structs
> > seems bloated, not doing it feels incorrect. :/
> > 
> > Thoughts?
> > 
> > Bye,
> > Hannes
> 
> I'm not sure - what will be achieved by generating the IDs guest side
as
> opposed to host side?  It's certainly harder to get hold of entropy
> guest-side.
It is not only about entropy but about uniqueness. Also fragmentation
ids should not be discoverable, so there are several aspects:

I see fragmentation id generation still as security critical:
When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
identifiers less predictable") I could patch my kernels and use the
patch regardless of the machine being virtualized or not. It was not
dependent on the hypervisor. I think that is the same reasoning why we
don't support TOE.

If we use one generator in the hypervisor in an openstack alike setting,
the host deals with quite a lot of overlay networks. A lot of default
configurations use the same addresses internally, so on the hypervisor
the frag id generators would interfere by design.

I could come up with an attack scenario for DNS servers (again :) ):

You are sitting next to a DNS server on the same hypervisor and can send
packets without source validation (because that is handled later on in
case of openvswitch when the packet is put into the corresponding
overlay network). You emit a gso packet with the same source and
destination addresses as the DNS server would do and would get an
fragmentation id which is linearly (+ time delta) incremented depending
on the source and destination address. With such a leak you could start
trying attack and spoof DNS responses (fragmentation attacks etc.).

See also details on such kind of attacks in the description of commit
04ca6973f7c1a0d.

AFAIK IETF tried with IPv6 to push fragmentation id generation to the
end hosts, that's also the reason for the introduction of atomic
fragments (which are now being rolled back ;) ).

Still it is better to generate a frag id on the hypervisor than just
sending a 0, so I am ok with this change, albeit not happy.

Thanks,
Hannes