From: Steffen Klassert <steffen.klassert@secunet.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>,
netdev@vger.kernel.org, eric.dumazet@gmail.com,
davem@davemloft.net
Subject: Re: [PATCH net-next 1/2] ipv4: add forwarding_uses_pmtu knob to protect forward path to use pmtu info
Date: Mon, 6 Jan 2014 10:05:21 +0100
Message-ID: <20140106090521.GQ31491@secunet.com>
In-Reply-To: <20131231042840.GC27636@order.stressinduktion.org>

On Tue, Dec 31, 2013 at 05:28:40AM +0100, Hannes Frederic Sowa wrote:
> Hi Steffen!
>
> On Fri, Dec 20, 2013 at 02:08:22PM +0100, Hannes Frederic Sowa wrote:
> > Provide a mode where the forwarding path does not use the protocol path
> > MTU to calculate the maximum size for a forwarded packet but instead
> > uses the interface or the per-route locked MTU.
> >
> > It is easy to inject bogus or malicious path mtu information which
> > will cause either unneeded fragmentation-needed icmp errors (in case
> > of DF-bit set) or unnecessary fragmentation of packets (by default down
> > to min_pmtu). This could be used to either create blackholes on routers
> > (if the generated DF-bit gets dropped later on) or to leverage attacks
> > on fragmentation.
> >
> > Forwarded skbs are marked with IPSKB_FORWARDED in ip_forward. This flag
> > was introduced for multicast forwarding, but as it does not conflict with
> > our usage in the unicast code path it is perfect for reuse.
> >
> > I moved the functions ip_sk_accept_pmtu, ip_sk_use_pmtu and ip_skb_dst_mtu
> > along with the new ip_dst_mtu_secure to net/ip.h to fix circular
> > dependencies because of IPSKB_FORWARDED.
>
> IIRC you have a (semi-)automatic test suite to test for (p)mtu problems? Would
> these checks cover such a change?
>
I'm currently testing these patches. ipv4 looks good but on
ipv6 with 'ping6' the packet size is not reduced according
to the pmtu when forward_use_pmtu is set to 0.
I'll run the tests again with your updated v3 patches.