From: Alexander Clouter <alex@digriz.org.uk>
To: Philip Prindeville <philipp_subx@redfish-solutions.com>
Cc: netdev@vger.kernel.org
Subject: Re: setsockopt(IP_TOS) being privileged or distinct capability?
Date: Sun, 4 Jul 2010 00:48:13 +0100
Message-ID: <20100703234813.GJ24655@chipmunk>
In-Reply-To: <4C2FC2C8.8080203@redfish-solutions.com>
Hi,
* Philip Prindeville <philipp_subx@redfish-solutions.com> [2010-07-03 17:07:52-0600]:
>
> On 7/3/10 12:55 PM, Alexander Clouter wrote:
>>
>>> Does anyone else think that setsockopt(IP_TOS) should be a privileged
>>> operation, perhaps using CAP_NET_ADMIN, or maybe even adding separate
>>> granularity as CAP_NET_TOS?
>>>
>>>
>> I really would prefer not having to run telnet and ssh *clients* as
>> root. :)
>
> Don't ping and traceroute -I currently run as root?
>
Indeed, but I have no idea what that has to do with ToS/DSCP flags?
ping and (old skool) traceroute use ICMP, where you need to open a
privileged socket to send and receive ICMP packets. Opening a UDP/TCP
socket is an unprivileged operation and so is setsockopt(IP_TOS).
I'm guessing (if you excuse me Google-stalking you) this is all linked
to:
https://bugzilla.mindrot.org/show_bug.cgi?id=1733
You have to bear in mind ToS is a marking that userland can utilise to
request that the network provides it with a particular QoS, this does
not mean for an instant the network has to honour that (I know my ISP
does not and neither does my work network I sysadmin for)...otherwise
nothing would stop me using:
iptables -t mangle -I POSTROUTING -j DSCP --set-dscp-class EF
QoS is meaningless unless you place boundaries on the policies; the
ToS/DSCP marking should only be used as a *hint* for classification of
traffic flows.
For example, 'interactive' and 'low latency' (in the case of SSH or
telnet) should not exceed 10kB/s...unless you like to play 0verkill :)
Anything marking its traffic as interactive but shutting traffic at
500kB/s is obviously telling lies. If you build your policing rules to
blindly accept whatever is in the ToS/DSCP field, you are configuring a
DoS vector on your network.
Cheers
--
Alexander Clouter
.sigmonster says: A rolling stone gathers momentum.
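As an added illustration (not code from the thread or from any of the posters) of the policing model Alexander describes: the DSCP value is used only as a hint to pick a class, and the 'interactive' class is capped at the 10 kB/s he mentions, so a bulk flow that marks itself EF is remarked to best effort rather than trusted. The packet trace, flow names and per-flow metering are constructed for the demo.

```python
# Added illustration, not code from the thread: DSCP is only a hint; each
# class still gets a hard rate ceiling, so traffic that lies about being EF
# is demoted to best effort instead of starving the network.
DSCP_EF = 46   # Expedited Forwarding (what the iptables line in the mail sets)
DSCP_CS0 = 0   # best effort
CLASS_CEILING_BPS = {"interactive": 10 * 1024}  # 10 kB/s figure from the message

def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper six bits of the ToS byte; the low two are ECN."""
    return (tos >> 2) & 0x3F

def classify(dscp: int) -> str:
    """The marking picks a class; it never exempts a flow from the ceiling."""
    return "interactive" if dscp == DSCP_EF else "best_effort"

class TokenBucket:
    def __init__(self, rate_bps: float, burst_bytes: float):
        self.rate, self.burst = rate_bps, burst_bytes
        self.tokens, self.last = burst_bytes, 0.0
    def allow(self, now: float, nbytes: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes > self.tokens:
            return False
        self.tokens -= nbytes
        return True

def police(packets):
    """packets: (time_s, flow_id, tos_byte, length) sorted by time; returns
    (flow_id, action, dscp_out). Per-flow metering is a simplification."""
    buckets, out = {}, []
    for now, flow, tos, length in packets:
        dscp = dscp_from_tos(tos)
        ceiling = CLASS_CEILING_BPS.get(classify(dscp))
        if ceiling is None:                 # best effort: no hint, no ceiling here
            out.append((flow, "forward", dscp))
            continue
        tb = buckets.setdefault(flow, TokenBucket(ceiling, ceiling))  # 1 s burst
        if tb.allow(now, length):
            out.append((flow, "forward", dscp))
        else:                               # lying about interactivity: remark
            out.append((flow, "remark", DSCP_CS0))
    return out

def constructed_trace():
    """Constructed sample: real SSH (~1 kB/s) and an EF-marked bulk flow at ~500 kB/s."""
    tos_ef = DSCP_EF << 2
    pkts = [(i * 0.1, "ssh", tos_ef, 100) for i in range(20)]
    pkts += [(i * 0.003, "bulk-liar", tos_ef, 1500) for i in range(100)]
    return sorted(pkts)
```

Running `police(constructed_trace())` forwards every SSH packet but remarks the bulk flow to CS0 once its 1 s burst allowance is spent.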