From: "Michael S. Tsirkin" <mst@redhat.com>
To: Parav Pandit <parav@nvidia.com>
Cc: Heng Qi <hengqi@linux.alibaba.com>,
Jason Wang <jasowang@redhat.com>,
"virtio-comment@lists.oasis-open.org"
<virtio-comment@lists.oasis-open.org>,
"virtio-dev@lists.oasis-open.org"
<virtio-dev@lists.oasis-open.org>,
Yuri Benditovich <yuri.benditovich@daynix.com>,
Cornelia Huck <cohuck@redhat.com>,
Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Subject: Re: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash
Date: Wed, 8 Feb 2023 09:10:09 -0500
Message-ID: <20230208090936-mutt-send-email-mst@kernel.org>
In-Reply-To: <PH0PR12MB54813DBBE112FC0E35B59E67DCD89@PH0PR12MB5481.namprd12.prod.outlook.com>
On Wed, Feb 08, 2023 at 02:05:52PM +0000, Parav Pandit wrote:
> > From: Michael S. Tsirkin <mst@redhat.com>
> > Sent: Wednesday, February 8, 2023 8:52 AM
> >
> > On Wed, Feb 08, 2023 at 01:38:36PM +0000, Parav Pandit wrote:
> > >
> > > > From: Michael S. Tsirkin <mst@redhat.com>
> > > > Sent: Wednesday, February 8, 2023 8:32 AM
> > > >
> > > > On Wed, Feb 08, 2023 at 05:18:32AM +0000, Parav Pandit wrote:
> > > > > > From: Heng Qi <hengqi@linux.alibaba.com>
> > > > > > Sent: Tuesday, February 7, 2023 10:25 PM
> > > > >
> > > > > [..]
> > > > > > >>
> > > > > > >> Do you think we need both hash_types and hash_tunnel_types?
> > > > > > > In struct virtio_net_config we need two fields.
> > > > > > > a. supported_hash_types (already exists)
> > > > > > > b. supported_hash_tunnel_type
> > > > > > > -> bitmap indicating for which outer headers, inner hash calculation is supported.
> > > > > >
> > > > > > Thanks for the suggestion, we seem to have reached an agreement.
> > > > > >
> > > > > > >
> > > > > > > In struct virtio_net_hdr we need two fields.
> > > > > > > a. hash_report (already exists)
> > > > > > > b. hash_tunnel_type 8 bits -> absolute value indicating which outer header exists when inner header hash calculated.
> > > > > > > You already have it in your patch named as hash_report_tunnel.
> > > > > > > May be better to name as hash_report_tunnel_type to make it clearer that its type.
> > > > > >
> > > > > > Sure.
> > > > > >
> > > > > > Thanks for your reply.
> > > > >
> > > > > > I had one last question. Why do we need to inform the hash_report_tunnel_type of the outer header in the virtio_net_hdr?
> > > > > Is this for debug? Or is there a use case that will process this value?
> > > >
> > > > Well we have hash_report which is kind of similar (and also kind of
> > > > pointless but I think it's there because WHQL wants it).
> > > Hash_report is useful. It tells hash_value is in which namespace (ipv4-tcp/ipv4 udp etc).
> > > OS can use this value to find tcp connection in a given namespace.
> > >
> > > > Maybe we can steal some bits
> > > > from there instead of a new field?
> > > >
> > > I do not have problem adding extra bits. I just don't find that just telling that its vxlan or nvgre to the OS is useful.
> > > If OS needs to know about outer header details, it needs to know the VNI information than just telling vxlan.
> >
> > This does make sense.
> >
> >
> > > >
> > > > I have a follow up question though: are we only hashing the inner
> > > > header or both inner and outer header? Somewhat confused on this.
> > > >
> > > I understood as inner header. But worth to describe it. May be there. Need to read v8 patch.
> >
> > Hmm. I just realized that there's a security problem with hashing just the inner
> > header: it allows users inside the tunnel to control queueing outside.
> > By observing packet loss some information leaks between tunnels.
> >
> Ah I know now.
> We are leaking outer header information inside the virtio net hdr, and outer header might be already stripped off by a different entity.
>
> I think the use case here is it's the same sw entity that owns the virtio net device does the encap/decap too.
No, not exactly, we are leaking info between encap tunnels.
--
MST
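
The property raised at the end of this message, as an added example (not code from the thread, the patch or the virtio specification): when only the inner header is hashed, two tunnels carrying the same inner 4-tuple always produce the same hash and so the same receive queue, whereas adding an outer field to the hash input makes the result depend on the tunnel as well. The Toeplitz hash, the sample key, the constructed packets, the use of the VNI as the outer input and the `hash % NQUEUES` queue choice are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NQUEUES 4u   /* assumed queue count; real devices use an indirection table */

/* Constructed 40-byte sample key (every byte nonzero); not from the thread. */
static const uint8_t KEY[40] = {
    0x3b, 0x91, 0x5e, 0xc7, 0x24, 0xa9, 0x6d, 0x12, 0xf3, 0x48,
    0x7a, 0xd5, 0x0e, 0xb6, 0x63, 0x9c, 0x21, 0xe8, 0x57, 0xaf,
    0x14, 0xcb, 0x76, 0x39, 0x8d, 0x42, 0xfe, 0x05, 0xb1, 0x6a,
    0xd9, 0x33, 0x87, 0x1c, 0xe4, 0x5b, 0xa2, 0x7f, 0x19, 0xc6,
};
struct pkt {
    uint32_t vni;        /* outer tunnel id, 24 bits used (assumed outer input) */
    uint8_t  inner[12];  /* inner IPv4 src, dst, source port, destination port */
};
/* Constructed packets: identical inner 4-tuple, different tunnels. */
static const struct pkt TUNNEL_A = { 100, {10,0,0,1, 10,0,0,2, 0x30,0x39, 0x00,0x50} };
static const struct pkt TUNNEL_B = { 101, {10,0,0,1, 10,0,0,2, 0x30,0x39, 0x00,0x50} };

/* Toeplitz hash; input bits are consumed MSB first. Needs len + 4 key bytes. */
static uint32_t toeplitz(const uint8_t *in, size_t len)
{
    uint32_t win = (uint32_t)KEY[0] << 24 | (uint32_t)KEY[1] << 16 |
                   (uint32_t)KEY[2] << 8 | KEY[3];
    uint32_t hash = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if (in[i] & (1u << b))
                hash ^= win;
            win = (win << 1) | ((KEY[i + 4] >> b) & 1u);  /* slide key window */
        }
    return hash;
}
/* Inner-only: the result depends solely on bytes chosen inside the tunnel. */
static uint32_t hash_inner_only(const struct pkt *p) { return toeplitz(p->inner, 12); }

/* Outer + inner: the tunnel id is part of the hash input. */
static uint32_t hash_outer_and_inner(const struct pkt *p)
{
    uint8_t buf[15] = { (uint8_t)(p->vni >> 16), (uint8_t)(p->vni >> 8), (uint8_t)p->vni };
    memcpy(buf + 3, p->inner, 12);
    return toeplitz(buf, sizeof buf);
}
static unsigned queue_of(uint32_t hash) { return hash % NQUEUES; }

int main(void)
{
    printf("inner only : A->q%u B->q%u\n", queue_of(hash_inner_only(&TUNNEL_A)), queue_of(hash_inner_only(&TUNNEL_B)));
    printf("outer+inner: A=%08x B=%08x\n", (unsigned)hash_outer_and_inner(&TUNNEL_A), (unsigned)hash_outer_and_inner(&TUNNEL_B));
    return 0;
}
```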