* [PATCH v2 net 0/2] ipv4: less uses of shared IP generator
@ 2022-01-27 1:10 Eric Dumazet
From: Eric Dumazet @ 2022-01-27 1:10 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski
Cc: David Ahern, netdev, Eric Dumazet, Eric Dumazet
From: Eric Dumazet <edumazet@google.com>
We keep receiving research reports based on Linux IPID generation.

Before breaking part of the Internet by switching to a pure
random generator, this series reduces the need for the
shared IP generator for TCP sockets.

v2: fix sparse warning in the first patch.
Eric Dumazet (2):
ipv4: tcp: send zero IPID in SYNACK messages
ipv4: avoid using shared IP generator for connected sockets
include/net/ip.h | 21 ++++++++++-----------
net/ipv4/ip_output.c | 11 +++++++++--
2 files changed, 19 insertions(+), 13 deletions(-)
--
2.35.0.rc0.227.g00780c9af4-goog
* [PATCH v2 net 1/2] ipv4: tcp: send zero IPID in SYNACK messages
From: Eric Dumazet @ 2022-01-27 1:10 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski
Cc: David Ahern, netdev, Eric Dumazet, Eric Dumazet, Ray Che,
Geoff Alexander, Willy Tarreau
From: Eric Dumazet <edumazet@google.com>
In commit 431280eebed9 ("ipv4: tcp: send zero IPID for RST and
ACK sent in SYN-RECV and TIME-WAIT state") we took care of some
ctl packets sent by TCP.

It turns out we need to use a similar strategy for SYNACK packets.

By default, they carry IP_DF and IPID==0, but there are ways
to ask them to use the hashed IP ident generator and thus
be used to build off-path attacks.
(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment)

One of these ways is to force (before the listener is started)

echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc

Another way is using a forged ICMP ICMP_FRAG_NEEDED
with a very small MTU (like 68) to force a false return from
ip_dont_fragment().

In this patch, ip_build_and_send_pkt() uses the following
heuristics.

1) Most SYNACK packets are smaller than IPV4_MIN_MTU and therefore
can use IP_DF regardless of the listener or route pmtu setting.

2) In case the SYNACK packet is bigger than IPV4_MIN_MTU,
we use the prandom_u32() generator instead of the IPv4 hashed ident one.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Ray Che <xijiache@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Cc: Geoff Alexander <alexandg@cs.unm.edu>
Cc: Willy Tarreau <w@1wt.eu>
---
net/ipv4/ip_output.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index e331c8d4e6cfc4f2199a7877d8257b3b3b519561..139cec29ed06cd092ebdfd2bf0d13aaf67c5359d 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -162,12 +162,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,
iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
iph->saddr = saddr;
iph->protocol = sk->sk_protocol;
- if (ip_dont_fragment(sk, &rt->dst)) {
+ /* Do not bother generating IPID for small packets (eg SYNACK) */
+ if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) {
iph->frag_off = htons(IP_DF);
iph->id = 0;
} else {
iph->frag_off = 0;
- __ip_select_ident(net, iph, 1);
+ /* TCP packets here are SYNACK with fat IPv4/TCP options.
+ * Avoid using the hashed IP ident generator.
+ */
+ if (sk->sk_protocol == IPPROTO_TCP)
+ iph->id = (__force __be16)prandom_u32();
+ else
+ __ip_select_ident(net, iph, 1);
}
if (opt && opt->opt.optlen) {
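Review bot: the new `skb->len <= IPV4_MIN_MTU` test short-circuits ip_dont_fragment() entirely, but the comment "Do not bother generating IPID for small packets (eg SYNACK)" does not say why forcing IP_DF is safe when the socket or route pmtu setting says otherwise; one sentence noting that a datagram of at most IPV4_MIN_MTU bytes must be deliverable on every IPv4 path, so DF can never get it dropped, would document why the ip_no_pmtu_disc and forged ICMP_FRAG_NEEDED cases from the changelog no longer matter for small SYNACKs. It is also worth stating in the changelog that skb->len at this point already covers the IPv4 header and options, since the comparison is only meaningful against the on-wire size. Finally, the comment "TCP packets here are SYNACK with fat IPv4/TCP options" explains only the IPPROTO_TCP branch; the else branch still calls __ip_select_ident(), and a short note on which callers reach it would make that remaining use of the shared generator read as deliberate rather than incidental.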
--
2.35.0.rc0.227.g00780c9af4-goog
* [PATCH v2 net 2/2] ipv4: avoid using shared IP generator for connected sockets
From: Eric Dumazet @ 2022-01-27 1:10 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski
Cc: David Ahern, netdev, Eric Dumazet, Eric Dumazet, Ray Che,
Willy Tarreau
From: Eric Dumazet <edumazet@google.com>
ip_select_ident_segs() has been very conservative about using
the connected socket private generator only for packets with IP_DF
set, claiming it was needed for some VJ compression implementations.

As mentioned in the referenced document, this can be abused.
(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment)

Before switching to pure random IPID generation and possibly hurting
some workloads, let's use the private inet socket generator.

Not only will this remove one vulnerability, it will also
improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT.
Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reported-by: Ray Che <xijiache@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
---
include/net/ip.h | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/include/net/ip.h b/include/net/ip.h
index 81e23a102a0d5edec859b78239b81e6dcd82c54d..b51bae43b0ddb00735a09718530aa3fff4a04872 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -525,19 +525,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
{
struct iphdr *iph = ip_hdr(skb);
+ /* We had many attacks based on IPID, use the private
+ * generator as much as we can.
+ */
+ if (sk && inet_sk(sk)->inet_daddr) {
+ iph->id = htons(inet_sk(sk)->inet_id);
+ inet_sk(sk)->inet_id += segs;
+ return;
+ }
if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) {
- /* This is only to work around buggy Windows95/2000
- * VJ compression implementations. If the ID field
- * does not change, they drop every other packet in
- * a TCP stream using header compression.
- */
- if (sk && inet_sk(sk)->inet_daddr) {
- iph->id = htons(inet_sk(sk)->inet_id);
- inet_sk(sk)->inet_id += segs;
- } else {
- iph->id = 0;
- }
+ iph->id = 0;
} else {
+ /* Unfortunately we need the big hammer to get a suitable IPID */
__ip_select_ident(net, iph, segs);
}
}
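Review bot: removing the Windows95/2000 VJ compression comment drops the only explanation of why a DF packet on a connected socket carries a changing id at all, yet the new block keeps exactly that behaviour (`iph->id = htons(inet_sk(sk)->inet_id);` followed by `inet_sk(sk)->inet_id += segs;`); consider carrying one line of that history into the new comment so a later cleanup does not collapse the DF case back to `iph->id = 0`. "We had many attacks based on IPID" would also read better with a pointer to the reference cited in the changelog. One more point for the comment: the private counter is now used for non-DF packets too, where the id is actually consumed by reassembly, so it should say where inet_id is seeded when the socket connects, because a counter starting from a fixed value would be as guessable as the shared generator it replaces.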
--
2.35.0.rc0.227.g00780c9af4-goog
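To make the two decision paths in this series concrete, here is an added example written for this page; it is not kernel code and not part of Eric's patches. It models ip_build_and_send_pkt() (patch 1) and ip_select_ident_segs() (patch 2) in user space, each in its pre- and post-patch form, so the cases from the changelogs (a small SYNACK with pmtu discovery defeated, a non-DF data packet on a connected socket) can be traced to the generator that ends up supplying the IP ID. `model_sock`, `model_pkt`, `shared_hash_ident()` and `prandom_u16()` are stand-ins of my own for struct sock, struct sk_buff, __ip_select_ident() and prandom_u32(); the constants they return are constructed.

```c
/* Added example, not kernel code: a user-space model of the two IPv4 ID
 * selection paths changed by this series, each in pre- and post-patch form.
 * model_sock/model_pkt stand in for struct sock / struct sk_buff and the two
 * generator stubs return constructed constants, so the decision logic can be
 * exercised without a kernel. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_MTU 68   /* smallest datagram every IPv4 path must carry */
#define IPPROTO_TCP  6
#define IPPROTO_UDP  17

/* Which generator produced the IP ID; returned so callers can check it. */
enum id_src { ID_ZERO, ID_SHARED_HASH, ID_PRANDOM, ID_SOCKET_PRIVATE };

struct model_sock {
    int      protocol;  /* sk->sk_protocol */
    uint32_t daddr;     /* inet_daddr, non-zero once connected */
    uint16_t inet_id;   /* per-socket counter inet_id */
};

struct model_pkt {
    unsigned len;       /* skb->len, IPv4 header included */
    bool     df;        /* IP_DF in iph->frag_off */
    bool     ignore_df; /* skb->ignore_df */
    uint16_t id;        /* iph->id */
};

/* Stand-ins for __ip_select_ident() and prandom_u32(); values are constructed. */
static uint16_t shared_hash_ident(void) { return 0x1234; }
static uint16_t prandom_u16(void)       { return 0xabcd; }

/* ip_build_and_send_pkt() pre-patch: the ID source depends only on
 * ip_dont_fragment(), which ip_no_pmtu_disc=1 or a forged ICMP_FRAG_NEEDED
 * can turn false, pushing even a tiny SYNACK onto the shared generator. */
static enum id_src synack_id_before(struct model_pkt *p, bool dont_fragment)
{
    if (dont_fragment) { p->df = true;  p->id = 0;                   return ID_ZERO; }
    else               { p->df = false; p->id = shared_hash_ident(); return ID_SHARED_HASH; }
}

/* ip_build_and_send_pkt() post-patch: anything no larger than IPV4_MIN_MTU
 * gets IP_DF and id 0 regardless of pmtu state; larger TCP packets (SYNACK
 * with many options) use prandom, other protocols keep the shared generator. */
static enum id_src synack_id_after(struct model_pkt *p, const struct model_sock *sk,
                                   bool dont_fragment)
{
    if (p->len <= IPV4_MIN_MTU || dont_fragment) {
        p->df = true; p->id = 0;
        return ID_ZERO;
    }
    p->df = false;
    if (sk->protocol == IPPROTO_TCP) { p->id = prandom_u16();       return ID_PRANDOM; }
    else                             { p->id = shared_hash_ident(); return ID_SHARED_HASH; }
}

/* ip_select_ident_segs() pre-patch: the private counter is used only when
 * IP_DF is set, so a connected socket sending non-DF packets (pmtudisc ==
 * IP_PMTUDISC_DONT) lands on the shared generator. */
static enum id_src segs_id_before(struct model_pkt *p, struct model_sock *sk, int segs)
{
    if (p->df && !p->ignore_df) {
        if (sk && sk->daddr) { p->id = sk->inet_id; sk->inet_id += segs; return ID_SOCKET_PRIVATE; }
        p->id = 0;
        return ID_ZERO;
    }
    p->id = shared_hash_ident();
    return ID_SHARED_HASH;
}

/* ip_select_ident_segs() post-patch: every connected socket uses its private
 * counter first; only unconnected non-DF traffic still needs the shared one. */
static enum id_src segs_id_after(struct model_pkt *p, struct model_sock *sk, int segs)
{
    if (sk && sk->daddr) { p->id = sk->inet_id; sk->inet_id += segs; return ID_SOCKET_PRIVATE; }
    if (p->df && !p->ignore_df) { p->id = 0; return ID_ZERO; }
    p->id = shared_hash_ident();
    return ID_SHARED_HASH;
}

int main(void)
{
    static const char *name[] = { "zero", "shared-hash", "prandom", "socket-private" };
    struct model_sock lsk = { .protocol = IPPROTO_TCP };                 /* listener */
    struct model_pkt synack = { .len = 60 };   /* constructed: 20-byte IP + 40-byte TCP */
    /* dont_fragment == false models ip_no_pmtu_disc=1 or a forged ICMP_FRAG_NEEDED */
    printf("60-byte SYNACK, pmtu disc off: before=%s after=%s\n",
           name[synack_id_before(&synack, false)], name[synack_id_after(&synack, &lsk, false)]);
    struct model_sock csk = { .protocol = IPPROTO_TCP, .daddr = 0x0a000001, .inet_id = 100 };
    struct model_pkt data = { .len = 1500, .df = false };               /* IP_PMTUDISC_DONT flow */
    printf("non-DF data on connected socket: before=%s after=%s\n",
           name[segs_id_before(&data, &csk, 1)], name[segs_id_after(&data, &csk, 1)]);
    return 0;
}
```

The two printed lines show the effect of each patch on its motivating case: a 60-byte SYNACK moves from the shared hashed generator to a zero ID with DF set, and a non-DF data segment on a connected socket moves from the shared generator to the socket's private counter, which is the only state an off-path observer could no longer correlate across flows. Compile with `cc -std=c99 -Wall` and run; no kernel is involved.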
* Re: [PATCH v2 net 0/2] ipv4: less uses of shared IP generator
From: patchwork-bot+netdevbpf @ 2022-01-27 17:10 UTC (permalink / raw)
To: Eric Dumazet; +Cc: davem, kuba, dsahern, netdev, edumazet
Hello:
This series was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 26 Jan 2022 17:10:20 -0800 you wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> We keep receiving research reports based on linux IPID generation.
>
> Before breaking part of the Internet by switching to pure
> random generator, this series reduces the need for the
> shared IP generator for TCP sockets.
>
> [...]
Here is the summary with links:
- [v2,net,1/2] ipv4: tcp: send zero IPID in SYNACK messages
https://git.kernel.org/netdev/net/c/970a5a3ea86d
- [v2,net,2/2] ipv4: avoid using shared IP generator for connected sockets
https://git.kernel.org/netdev/net/c/23f57406b82d
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html