From: Ido Schimmel <idosch@nvidia.com>
To: netdev@kapio-technology.com
Cc: Vladimir Oltean <olteanv@gmail.com>,
davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Shuah Khan <shuah@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers
Date: Tue, 9 Aug 2022 12:20:56 +0300 [thread overview]
Message-ID: <YvIm+OvXvxbH6POv@shredder> (raw)
In-Reply-To: <79683d9cf122e22b66b5da3bbbb0ee1f@kapio-technology.com>
On Mon, Aug 01, 2022 at 05:33:49PM +0200, netdev@kapio-technology.com wrote:
> On 2022-07-13 14:39, Ido Schimmel wrote:
>
> >
> > What are "Storm Prevention" and "zero-DPV" FDB entries?
> >
>
> For the zero-DPV entries, I can summarize:
>
> Since a CPU can become saturated from constant SA Miss Violations from a
> denied source, source MAC address are masked by loading a zero-DPV
> (Destination Port Vector) entry in the ATU. As the address now appears in
> the database it will not cause more Miss Violations. ANY port trying to send
> a frame to this unauthorized address is discarded. Any locked port trying to
> use this unauthorized address has its frames discarded too (as the ports SA
> bit is not set in the ATU entry).
What happens to unlocked ports that have learning enabled and are trying
to use this address as SMAC? AFAICT, at least in the bridge driver, the
locked entry will roam, but will keep the "locked" flag, which is
probably not what we want. Let's see if we can agree on these semantics
for a "locked" entry:
1. It discards packets with matching DMAC, regardless of ingress port. I
read the document [1] you linked to in a different reply and could not
find anything against this approach, so this might be fine or at least
not very significant.
Note that this means that "locked" entries need to be notified to device
drivers so that they will install a matching entry in the HW FDB.
2. It is not refreshed and has ageing enabled. That is, after initial
installation it will be removed by the bridge driver after configured
ageing time unless converted to a regular (unlocked) entry.
I assume this allows you to remove the timer implementation from your
driver and let the bridge driver notify you about the removal of this
entry.
3. With regards to roaming, the entry cannot roam between locked ports
(they need to have learning disabled anyway), but can roam to an
unlocked port, in which case it becomes a regular entry that can roam
and age.
If we agree on these semantics, then I can try to verify that at least
Spectrum can support them (it seems mv88e6xxx can).
P.S. Sorry for the delay, I'm busy with other tasks at the moment.
[1] https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html#wp392522
next prev parent reply other threads:[~2022-08-09 9:21 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-07 15:29 [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature Hans Schultz
2022-07-10 8:20 ` Ido Schimmel
2022-07-07 15:29 ` [PATCH v4 net-next 2/6] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-07-08 8:54 ` Vladimir Oltean
2022-08-02 8:27 ` netdev
2022-08-02 10:13 ` netdev
2022-07-07 15:29 ` [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers Hans Schultz
2022-07-08 7:12 ` kernel test robot
2022-07-08 8:49 ` Vladimir Oltean
2022-07-08 9:06 ` netdev
2022-07-08 9:15 ` Vladimir Oltean
2022-07-08 9:27 ` netdev
2022-07-08 9:50 ` netdev
2022-07-08 11:56 ` Vladimir Oltean
2022-07-08 12:34 ` netdev
2022-07-10 8:35 ` Ido Schimmel
2022-07-13 7:09 ` netdev
2022-07-13 12:39 ` Ido Schimmel
2022-07-17 12:21 ` netdev
2022-07-17 12:57 ` Vladimir Oltean
2022-07-17 13:09 ` netdev
2022-07-17 13:59 ` Vladimir Oltean
2022-07-17 14:57 ` netdev
2022-07-17 15:08 ` Vladimir Oltean
2022-07-17 16:10 ` netdev
2022-07-21 11:54 ` Vladimir Oltean
2022-07-17 15:20 ` Ido Schimmel
2022-07-17 15:53 ` netdev
2022-07-21 11:59 ` Vladimir Oltean
2022-07-21 13:27 ` Ido Schimmel
2022-07-21 14:20 ` Vladimir Oltean
2022-07-24 11:10 ` Ido Schimmel
2022-08-01 11:57 ` netdev
2022-08-01 13:14 ` netdev
2022-08-02 12:54 ` netdev
2022-08-01 15:33 ` netdev
2022-08-09 9:20 ` Ido Schimmel [this message]
2022-08-09 20:00 ` netdev
2022-08-10 7:21 ` Ido Schimmel
2022-08-10 8:40 ` netdev
2022-08-11 11:28 ` Ido Schimmel
2022-08-12 15:33 ` netdev
2022-08-16 7:51 ` netdev
2022-08-17 6:21 ` Ido Schimmel
2022-07-21 11:51 ` Vladimir Oltean
2022-07-08 20:39 ` kernel test robot
2022-07-07 15:29 ` [PATCH v4 net-next 4/6] net: dsa: mv88e6xxx: allow reading FID when handling ATU violations Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 5/6] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-07-08 9:46 ` kernel test robot
2022-07-17 0:47 ` Vladimir Oltean
2022-07-17 12:34 ` netdev
2022-07-21 12:04 ` Vladimir Oltean
2022-08-19 8:28 ` netdev
2022-07-07 15:29 ` [PATCH v4 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-07-10 7:29 ` Ido Schimmel
2022-07-12 12:28 ` netdev
2022-07-08 1:00 ` [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Jakub Kicinski
2022-08-11 5:09 ` Benjamin Poirier
-- strict thread matches above, loose matches on Subject: below --
2022-08-12 12:29 [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers netdev
2022-08-14 14:55 ` Ido Schimmel
2022-08-19 9:51 ` netdev
2022-08-21 7:08 ` Ido Schimmel
2022-08-21 13:43 ` netdev
2022-08-22 5:40 ` Ido Schimmel
2022-08-22 7:49 ` netdev
2022-08-23 6:48 ` Ido Schimmel
2022-08-23 7:13 ` netdev
2022-08-23 7:24 ` Ido Schimmel
2022-08-23 7:37 ` netdev
2022-08-23 12:36 ` Ido Schimmel
2022-08-24 7:07 ` netdev
2022-08-23 11:41 ` netdev
2022-08-25 9:36 ` Ido Schimmel
2022-08-25 10:28 ` netdev
2022-08-25 15:14 ` netdev
2022-08-24 20:29 ` netdev
2022-08-25 9:23 ` Ido Schimmel
2022-08-25 10:27 ` netdev
2022-08-25 11:58 ` Ido Schimmel
2022-08-25 13:41 ` netdev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YvIm+OvXvxbH6POv@shredder \
--to=idosch@nvidia.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=f.fainelli@gmail.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@kapio-technology.com \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=shuah@kernel.org \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).