Intel-Wired-Lan Archive on lore.kernel.org
From: Ahmed Zaki <ahmed.zaki@intel.com>
To: Jakub Kicinski <kuba@kernel.org>, <willemdebruijn.kernel@gmail.com>
Cc: mkubecek@suse.cz, andrew@lunn.ch,
	Wojciech Drewek <wojciech.drewek@intel.com>,
	corbet@lwn.net, netdev@vger.kernel.org,
	linux-doc@vger.kernel.org, jesse.brandeburg@intel.com,
	edumazet@google.com, anthony.l.nguyen@intel.com,
	horms@kernel.org, vladimir.oltean@nxp.com,
	intel-wired-lan@lists.osuosl.org, pabeni@redhat.com,
	davem@davemloft.net
Subject: Re: [Intel-wired-lan] [PATCH net-next v4 1/6] net: ethtool: allow symmetric-xor RSS hash for any flow type
Date: Fri, 20 Oct 2023 15:24:41 -0600
Message-ID: <45c6ab9f-50f6-4e9e-a035-060a4491bded@intel.com>
In-Reply-To: <20231018165020.55cc4a79@kernel.org>



On 2023-10-18 17:50, Jakub Kicinski wrote:
> On Wed, 18 Oct 2023 11:12:13 -0700 Alexander Duyck wrote:
>>>> Based on earlier comments it doesn't change the inputs, it just
>>>> changes how I have to handle the data and the key. It starts reducing
>>>> things down to something like the Intel implementation of Flow
>>>> Director in terms of how the key gets generated and hashed.
>>>
>>> About Flow Director I know only that it is bad :)
>>
>> Yeah, and that is my concern w/ the symmetric XOR is that it isn't
>> good. It opens up the toeplitz hash to exploitation. You can target
>> the same bucket by just making sure that source IP and port XOR with
>> destination IP and port to the same value. That can be done by adding
>> the same amount to each side. So there are 2^144 easily predictable
>> possible combinations that will end up in the same hash bucket. Seems
>> like it might be something that could be exploitable. That is why I
>> want it marked out as a separate algo since it is essentially
>> destroying entropy before we even get to the Toeplitz portion of the
>> hash. As such it isn't a hash I would want to use for anything that is
>> meant to spread workload since it is so easily exploitable.
> 
> I see your point.
> 
> Which is not to say that I know what to do about it. crc or any
> future secure algo will get destroyed all the same. It's the input
> entropy that gets destroyed, independently of the algo.
> 
> We already support xor, and it doesn't come with a warning saying
> it's insecure so we kind of assume user knows what they are doing.
> 
> I think the API we pick for configuring sym-xor should be the same as
> sym-sort. And the "makes algo insecure" argument won't apply to sort.
> 
> IMO fat warning in the documentation and ethtool man saying that this
> makes the algo (any / all) vulnerable to attack would be enough.
> Willem?

Please advise on the next step. Should I send a new version with the Doc 
warning, or will you use v5?

Thanks.
_______________________________________________
Intel-wired-lan mailing list
Intel-wired-lan@osuosl.org
https://lists.osuosl.org/mailman/listinfo/intel-wired-lan
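
The entropy loss discussed in the quoted thread above, shown as an added example that is not part of the original message or the patch series. It assumes symmetric-xor replaces both the source and destination fields with their XOR before the Toeplitz step; `rss_hash`, `shift_both`, the seed-derived key and the sample flow are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct flow { uint32_t sip, dip; uint16_t sport, dport; };

/* Standard Toeplitz: XOR the sliding 32-bit key window for each set input bit. */
static uint32_t toeplitz(const uint8_t *key, const uint8_t *in, size_t len)
{
    uint32_t hash = 0, win = (uint32_t)key[0] << 24 | (uint32_t)key[1] << 16 |
                             (uint32_t)key[2] << 8 | key[3];
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if ((in[i] >> b) & 1)
                hash ^= win;
            win = (win << 1) | ((key[i + 4] >> b) & 1u);
        }
    return hash;
}

/* sym != 0 models symmetric-xor (assumption): both copies carry src ^ dst.
 * The key is a constructed sample derived from seed, not a real device key. */
static uint32_t rss_hash(struct flow f, int sym, uint8_t seed)
{
    uint8_t key[40], in[12];
    uint32_t a = sym ? f.sip ^ f.dip : f.sip, b = sym ? a : f.dip;
    uint16_t p = sym ? (uint16_t)(f.sport ^ f.dport) : f.sport, q = sym ? p : f.dport;
    uint32_t w[3] = { a, b, (uint32_t)p << 16 | q };  /* sip, dip, sport|dport */
    for (int i = 0; i < 40; i++)
        key[i] = (uint8_t)(i * 73 + seed);
    for (int i = 0; i < 12; i++)
        in[i] = (uint8_t)(w[i / 4] >> (24 - 8 * (i % 4)));
    return toeplitz(key, in, sizeof(in));
}

/* XORing the same mask into both sides leaves src ^ dst unchanged. */
static struct flow shift_both(struct flow f, uint32_t m, uint16_t n)
{
    f.sip ^= m; f.dip ^= m; f.sport ^= n; f.dport ^= n;
    return f;
}

int main(void)
{
    struct flow a = { 0xC000020Au, 0xC6336414u, 40000, 443 }; /* constructed */
    struct flow b = shift_both(a, 0x80000000u, 0);
    printf("plain %08x %08x  sym-xor %08x %08x\n", rss_hash(a, 0, 41),
           rss_hash(b, 0, 41), rss_hash(a, 1, 41), rss_hash(b, 1, 41));
    return 0;
}
```

Because the fold happens before hashing, the two symmetric-xor values match for every key, while the plain Toeplitz values of the same two flows differ.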
