* [PATCH net-next 0/6] add support for RFC 8335 PROBE
From: Andreas Roeseler @ 2020-12-04 3:16 UTC (permalink / raw)
To: davem, kuznet, yoshfuji, kuba; +Cc: netdev
The popular utility ping has several severe limitations such as the
inability to query specific interfaces on a node and requiring
bidirectional connectivity between the probing and probed interfaces.
RFC 8335 attempts to solve these limitations by creating the new utility
PROBE which is a specialized ICMP message that makes use of the ICMP
Extension Structure outlined in RFC 4884.
This patchset adds definitions for the ICMP Extended Echo Request and
Reply (PROBE) types for both IPV4 and IPV6, adds a sysctl to enable
response to PROBE messages, expands the list of supported ICMP messages
to accommodate PROBE types, and adds functionality to respond to PROBE
requests.
Andreas Roeseler (6):
icmp: support for RFC 8335
ICMPv6: support for RFC 8335
net: add sysctl for enabling RFC 8335 PROBE messages
net: add sysctl for enabling RFC 8335 PROBE messages
net: add support for sending RFC 8335 PROBE messages
icmp: add response to RFC 8335 PROBE messages
include/net/netns/ipv4.h | 1 +
include/uapi/linux/icmp.h | 22 ++++++
include/uapi/linux/icmpv6.h | 6 ++
net/ipv4/icmp.c | 135 +++++++++++++++++++++++++++++++++---
net/ipv4/ping.c | 4 +-
net/ipv4/sysctl_net_ipv4.c | 7 ++
6 files changed, 164 insertions(+), 11 deletions(-)
--
2.25.1
* [PATCH net-next 1/6] icmp: support for RFC 8335
From: Andreas Roeseler @ 2020-12-04 3:16 UTC (permalink / raw)
To: davem, kuznet, yoshfuji, kuba; +Cc: netdev
Add definitions for PROBE ICMP types and codes.
Add a struct to represent the additional header when probing by IP
address (ctype == 3) for use in parsing incoming PROBE messages.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
---
include/uapi/linux/icmp.h | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/include/uapi/linux/icmp.h b/include/uapi/linux/icmp.h
index fb169a50895e..0b69f1492f85 100644
--- a/include/uapi/linux/icmp.h
+++ b/include/uapi/linux/icmp.h
@@ -66,6 +66,21 @@
#define ICMP_EXC_TTL 0 /* TTL count exceeded */
#define ICMP_EXC_FRAGTIME 1 /* Fragment Reass time exceeded */
+/* Codes for EXT_ECHO (PROBE) */
+#define ICMP_EXT_ECHO 42
+#define ICMP_EXT_ECHOREPLY 43
+#define ICMP_EXT_MAL_QUERY 1 /* Malformed Query */
+#define ICMP_EXT_NO_IF 2 /* No such Interface */
+#define ICMP_EXT_NO_TABLE_ENT 3 /* No such Table Entry */
+#define ICMP_EXT_MULT_IFS 4 /* Multiple Interfaces Satisfy Query */
+
+/* constants for EXT_ECHO (PROBE) */
+#define EXT_ECHOREPLY_ACTIVE (1 << 2)/* position of active flag in reply */
+#define EXT_ECHOREPLY_IPV4 (1 << 1)/* position of ipv4 flag in reply */
+#define EXT_ECHOREPLY_IPV6 1 /* position of ipv6 flag in reply */
+#define CTYPE_NAME 1
+#define CTYPE_INDEX 2
+#define CTYPE_ADDR 3
struct icmphdr {
__u8 type;
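Review bot: the leading comment says "Codes for EXT_ECHO (PROBE)", but ICMP_EXT_ECHO (42) and ICMP_EXT_ECHOREPLY (43) are message types; only ICMP_EXT_MAL_QUERY through ICMP_EXT_MULT_IFS are codes, so split the comment into a types group and a codes group. The names EXT_ECHOREPLY_ACTIVE/IPV4/IPV6 and CTYPE_NAME/INDEX/ADDR lack the ICMP_ prefix in a UAPI header and so land in every user program's namespace; prefix them (e.g. ICMP_EXT_ECHOREPLY_ACTIVE, ICMP_EXT_CTYPE_NAME). Also add a space before the trailing comments on the EXT_ECHOREPLY_ACTIVE and EXT_ECHOREPLY_IPV4 lines.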
@@ -118,4 +133,11 @@ struct icmp_extobj_hdr {
__u8 class_type;
};
+/* RFC 8335: 2.1 Header for C-type 3 payload */
+struct icmp_ext_ctype3_hdr {
+ __u16 afi;
+ __u8 addrlen;
+ __u8 reserved;
+};
+
#endif /* _UAPI_LINUX_ICMP_H */
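Review bot: `afi` in struct icmp_ext_ctype3_hdr is read straight off the wire and converted with ntohs() in patch 6, so declare it `__be16` rather than `__u16` so sparse can flag any missing byte-order conversion. A short comment per field (afi is the IANA address family number, addrlen the length of the address that follows the header) would also help readers of the UAPI header.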
--
2.25.1
* [PATCH net-next 2/6] ICMPv6: support for RFC 8335
From: Andreas Roeseler @ 2020-12-04 3:16 UTC (permalink / raw)
To: davem, kuznet, yoshfuji, kuba; +Cc: netdev
Add definitions for the ICMPV6 type of Extended Echo Request and
Extended Echo Reply, as defined in sections 2 and 3 of RFC 8335.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
---
include/uapi/linux/icmpv6.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/uapi/linux/icmpv6.h b/include/uapi/linux/icmpv6.h
index 0564fd7ccde4..b2a9017ddb2d 100644
--- a/include/uapi/linux/icmpv6.h
+++ b/include/uapi/linux/icmpv6.h
@@ -140,6 +140,12 @@ struct icmp6hdr {
#define ICMPV6_UNK_OPTION 2
#define ICMPV6_HDR_INCOMP 3
+/*
+ * Codes for EXT_ECHO (PROBE)
+ */
+#define ICMPV6_EXT_ECHO_REQUEST 160
+#define ICMPV6_EXT_ECHO_REPLY 161
+
/*
* constants for (set|get)sockopt
*/
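Review bot: the comment says "Codes for EXT_ECHO (PROBE)" for what are ICMPv6 message types 160 and 161; call them types. These are the only ICMPv6 definitions in the series, yet patch 6 compares them in the IPv4 icmp_rcv(); since ICMPv6 has its own receive path, the commit message should say whether an icmpv6_rcv() hookup is planned or whether IPv6 PROBE is out of scope for now.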
--
2.25.1
* [PATCH net-next 3/6] net: add sysctl for enabling RFC 8335 PROBE messages
From: Andreas Roeseler @ 2020-12-04 3:16 UTC (permalink / raw)
To: davem, kuznet, yoshfuji, kuba; +Cc: netdev
Section 8 of RFC 8335 specifies potential security concerns of
responding to PROBE requests, and states that nodes that support PROBE
functionality MUST be able to enable/disable responses and it is
disabled by default.
Add sysctl to enable responses to PROBE messages.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
---
include/net/netns/ipv4.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 8e4fcac4df72..1d9b74228f3e 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -85,6 +85,7 @@ struct netns_ipv4 {
#endif
int sysctl_icmp_echo_ignore_all;
+ int sysctl_icmp_echo_enable_probe;
int sysctl_icmp_echo_ignore_broadcasts;
int sysctl_icmp_ignore_bogus_error_responses;
int sysctl_icmp_ratelimit;
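Review bot: nothing reads or exposes sysctl_icmp_echo_enable_probe until patch 4, so this one-line addition does not stand on its own; squash it into patch 4, which already carries the same subject line. The commit message requires responses to be disabled by default, so it should also state explicitly that the new field is zero (off) for every namespace until an administrator enables it.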
--
2.25.1
* [PATCH net-next 4/6] net: add sysctl for enabling RFC 8335 PROBE messages
From: Andreas Roeseler @ 2020-12-04 3:16 UTC (permalink / raw)
To: davem, kuznet, yoshfuji, kuba; +Cc: netdev
Section 8 of RFC 8335 specifies potential security concerns of
responding to PROBE requests, and states that nodes that support PROBE
functionality MUST be able to enable/disable responses and it is
disabled by default.
Add sysctl to enable responses to PROBE messages.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
---
net/ipv4/sysctl_net_ipv4.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 3e5f4f2e705e..f9f0e9d7394f 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -599,6 +599,13 @@ static struct ctl_table ipv4_net_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec
},
+ {
+ .procname = "icmp_echo_enable_probe",
+ .data = &init_net.ipv4.sysctl_icmp_echo_enable_probe,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec
+ },
{
.procname = "icmp_echo_ignore_broadcasts",
.data = &init_net.ipv4.sysctl_icmp_echo_ignore_broadcasts,
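Review bot: the new entry uses proc_dointvec, which accepts any int; for an on/off knob use proc_dointvec_minmax with `.extra1 = SYSCTL_ZERO` and `.extra2 = SYSCTL_ONE` so only 0 and 1 can be written. The sysctl also needs an entry in Documentation/networking/ip-sysctl.rst stating its meaning and its default of 0, and the subject line duplicates patch 3's; give this patch a subject of its own (or fold patch 3 in).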
--
2.25.1
* [PATCH net-next 5/6] net: add support for sending RFC 8335 PROBE messages
From: Andreas Roeseler @ 2020-12-04 3:17 UTC (permalink / raw)
To: davem, kuznet, yoshfuji, kuba; +Cc: netdev
Modify the ping_supported function to support PROBE message types. This
allows tools such as the ping command in the iputils package to be
modified to send PROBE requests through the existing framework for
sending ping requests.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
---
net/ipv4/ping.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 248856b301c4..39bdcb2bfc92 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -453,7 +453,9 @@ EXPORT_SYMBOL_GPL(ping_bind);
static inline int ping_supported(int family, int type, int code)
{
return (family == AF_INET && type == ICMP_ECHO && code == 0) ||
- (family == AF_INET6 && type == ICMPV6_ECHO_REQUEST && code == 0);
+ (family == AF_INET && type == ICMP_EXT_ECHO && code == 0) ||
+ (family == AF_INET6 && type == ICMPV6_ECHO_REQUEST && code == 0) ||
+ (family == AF_INET6 && type == ICMPV6_EXT_ECHO_REQUEST && code == 0);
}
/*
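Review bot: ping_supported() now lets a ping socket send type 42/160 requests, but nothing in this hunk shows how an ICMP_EXT_ECHOREPLY (type 43) is matched back to that socket; the commit message should say whether reply delivery is handled elsewhere or left for a follow-up. Minor: grouping the disjuncts per family, e.g. `(family == AF_INET && code == 0 && (type == ICMP_ECHO || type == ICMP_EXT_ECHO))`, keeps the function readable as types are added.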
--
2.25.1
* [PATCH net-next 6/6] icmp: add response to RFC 8335 PROBE messages
From: Andreas Roeseler @ 2020-12-04 3:17 UTC (permalink / raw)
To: davem, kuznet, yoshfuji, kuba; +Cc: netdev
Modify the icmp_rcv function to check for PROBE messages and call
icmp_echo if a PROBE request is detected.
Modify the existing icmp_echo function to respond to both ping and PROBE
requests.
This was tested using a custom modification of the iputils package and
Wireshark. It supports IPV4 probing by name, ifindex, and probing by both IPV4 and IPV6
addresses. It currently does not support responding to probes off the proxy node
(See RFC 8335 Section 2).
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
---
net/ipv4/icmp.c | 135 ++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 125 insertions(+), 10 deletions(-)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 005faea415a4..313061b60387 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -984,20 +984,121 @@ static bool icmp_redirect(struct sk_buff *skb)
static bool icmp_echo(struct sk_buff *skb)
{
struct net *net;
+ struct icmp_bxm icmp_param;
+ struct net_device *dev;
+ struct net_device *target_dev;
+ struct in_ifaddr *ifaddr;
+ struct inet6_ifaddr *inet6_ifaddr;
+ struct list_head *position;
+ struct icmp_extobj_hdr *extobj_hdr;
+ struct icmp_ext_ctype3_hdr *ctype3_hdr;
+ __u8 status;
net = dev_net(skb_dst(skb)->dev);
- if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
- struct icmp_bxm icmp_param;
+ /* should there be an ICMP stat for ignored echos? */
+ if (net->ipv4.sysctl_icmp_echo_ignore_all)
+ return true;
+
+ icmp_param.data.icmph = *icmp_hdr(skb);
+ icmp_param.skb = skb;
+ icmp_param.offset = 0;
+ icmp_param.data_len = skb->len;
+ icmp_param.head_len = sizeof(struct icmphdr);
- icmp_param.data.icmph = *icmp_hdr(skb);
+ if (icmp_param.data.icmph.type == ICMP_ECHO) {
icmp_param.data.icmph.type = ICMP_ECHOREPLY;
- icmp_param.skb = skb;
- icmp_param.offset = 0;
- icmp_param.data_len = skb->len;
- icmp_param.head_len = sizeof(struct icmphdr);
- icmp_reply(&icmp_param, skb);
+ goto send_reply;
}
- /* should there be an ICMP stat for ignored echos? */
+ if (!net->ipv4.sysctl_icmp_echo_enable_probe)
+ return true;
+ /* We currently do not support probing off the proxy node */
+ if ((ntohs(icmp_param.data.icmph.un.echo.sequence) & 1) == 0)
+ return true;
+
+ icmp_param.data.icmph.type = ICMP_EXT_ECHOREPLY;
+ icmp_param.data.icmph.un.echo.sequence &= htons(0xFF00);
+ extobj_hdr = (struct icmp_extobj_hdr *)(skb->data + sizeof(struct icmp_ext_hdr));
+ ctype3_hdr = (struct icmp_ext_ctype3_hdr *)(extobj_hdr + 1);
+ status = 0;
+ target_dev = NULL;
+ read_lock(&dev_base_lock);
+ for_each_netdev(net, dev) {
+ switch (extobj_hdr->class_type) {
+ case CTYPE_NAME:
+ if (strcmp(dev->name, (char *)(extobj_hdr + 1)) == 0)
+ goto found_matching_interface;
+ break;
+ case CTYPE_INDEX:
+ if (ntohl(*((uint32_t *)(extobj_hdr + 1))) ==
+ dev->ifindex)
+ goto found_matching_interface;
+ break;
+ case CTYPE_ADDR:
+ switch (ntohs(ctype3_hdr->afi)) {
+ /* IPV4 address */
+ case 1:
+ ifaddr = dev->ip_ptr->ifa_list;
+ while (ifaddr) {
+ if (memcmp(&ifaddr->ifa_address,
+ (ctype3_hdr + 1),
+ sizeof(ifaddr->ifa_address)) == 0)
+ goto found_matching_interface;
+ ifaddr = ifaddr->ifa_next;
+ }
+ break;
+ /* IPV6 address */
+ case 2:
+ list_for_each(position,
+ &dev->ip6_ptr->addr_list) {
+ inet6_ifaddr = list_entry(position,
+ struct inet6_ifaddr,
+ if_list);
+ if (memcmp(&inet6_ifaddr->addr.in6_u,
+ (ctype3_hdr + 1),
+ sizeof(inet6_ifaddr->addr.in6_u)) == 0)
+ goto found_matching_interface;
+ }
+ break;
+ default:
+ icmp_param.data.icmph.code = ICMP_EXT_MAL_QUERY;
+ goto unlock_dev;
+ }
+ break;
+ default:
+ icmp_param.data.icmph.code = ICMP_EXT_MAL_QUERY;
+ goto unlock_dev;
+ }
+ continue;
+found_matching_interface:
+ if (target_dev) {
+ icmp_param.data.icmph.code = ICMP_EXT_MULT_IFS;
+ goto unlock_dev;
+ }
+ target_dev = dev;
+ }
+ if (!target_dev) {
+ icmp_param.data.icmph.code = ICMP_EXT_NO_IF;
+ goto unlock_dev;
+ }
+
+ /* RFC 8335: 3 the last 8 bits of the Extended Echo Reply Message
+ * are laid out as follows:
+ * +-+-+-+-+-+-+-+-+
+ * |State|Res|A|4|6|
+ * +-+-+-+-+-+-+-+-+
+ */
+ if (target_dev->flags & IFF_UP)
+ status |= EXT_ECHOREPLY_ACTIVE;
+ if (target_dev->ip_ptr->ifa_list)
+ status |= EXT_ECHOREPLY_IPV4;
+ if (!list_empty(&target_dev->ip6_ptr->addr_list))
+ status |= EXT_ECHOREPLY_IPV6;
+
+ icmp_param.data.icmph.un.echo.sequence |= htons(status);
+unlock_dev:
+ read_unlock(&dev_base_lock);
+send_reply:
+ icmp_reply(&icmp_param, skb);
return true;
}
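Review bot: extobj_hdr and ctype3_hdr are computed from skb->data without checking that skb->len covers sizeof(struct icmp_ext_hdr) + sizeof(struct icmp_extobj_hdr) + the object's own length, so a short request makes the CTYPE_INDEX and CTYPE_ADDR reads, and the strcmp() on CTYPE_NAME (which needs a NUL inside the packet), read past the buffer; pull and validate the extension header, object length and (for c-type 3) addrlen before any dereference, and answer ICMP_EXT_MAL_QUERY otherwise. The RFC 4884 extension version and checksum are not verified either. dev->ip_ptr and dev->ip6_ptr can be NULL for a device with no IPv4 or IPv6 configuration, so check them before touching ifa_list or addr_list, and those lists have their own locking (RCU for ifa_list, idev->lock for addr_list) which dev_base_lock does not cover. Validating the query before the loop also fixes the reporting: the ICMP_EXT_MAL_QUERY defaults sit inside for_each_netdev(), so a malformed query is misreported as ICMP_EXT_NO_IF on a namespace with no devices. With that done the walk can become direct lookups (by name, by index, by address) instead of a scan of every netdev.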
@@ -1087,6 +1188,13 @@ int icmp_rcv(struct sk_buff *skb)
icmph = icmp_hdr(skb);
ICMPMSGIN_INC_STATS(net, icmph->type);
+
+ /*
+ * Check for ICMP Extended Echo (PROBE) messages
+ */
+ if (icmph->type == ICMP_EXT_ECHO || icmph->type == ICMPV6_EXT_ECHO_REQUEST)
+ goto probe;
+
/*
* 18 is the highest 'known' ICMP type. Anything else is a mystery
*
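Review bot: ICMPV6_EXT_ECHO_REQUEST (160) is an ICMPv6 type number and icmp_rcv() is the IPv4 receive path, so matching it here would treat an unrelated IPv4 ICMP type 160 as a PROBE; check only ICMP_EXT_ECHO here and handle 160 in icmpv6_rcv(). The three-line comment fits on one `/* ... */` line, and the comment below ("18 is the highest 'known' ICMP type") should note that type 42 is dispatched before that check.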
@@ -1096,7 +1204,6 @@ int icmp_rcv(struct sk_buff *skb)
if (icmph->type > NR_ICMP_TYPES)
goto error;
-
/*
* Parse the ICMP message
*/
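Review bot: the removed blank line is whitespace churn unrelated to the change; drop this hunk to keep the diff focused.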
@@ -1123,6 +1230,7 @@ int icmp_rcv(struct sk_buff *skb)
success = icmp_pointers[icmph->type].handler(skb);
+success_check:
if (success) {
consume_skb(skb);
return NET_RX_SUCCESS;
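Review bot: the backward jump into `success_check:` from a label at the bottom of the function makes the flow hard to follow; selecting the handler before the lookup, e.g. `success = icmph->type == ICMP_EXT_ECHO ? icmp_echo(skb) : icmp_pointers[icmph->type].handler(skb);`, avoids both new labels.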
@@ -1136,6 +1244,13 @@ int icmp_rcv(struct sk_buff *skb)
error:
__ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
goto drop;
+probe:
+ /*
+ * We can't use icmp_pointers[].handler() because the codes for PROBE
+ * messages are 42 or 160
+ */
+ success = icmp_echo(skb);
+ goto success_check;
}
static bool ip_icmp_error_rfc4884_validate(const struct sk_buff *skb, int off)
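Review bot: the comment says "the codes for PROBE messages are 42 or 160"; those are type numbers, and the real reason icmp_pointers[] cannot be used is that it is sized for NR_ICMP_TYPES (18), so say that. Placing `probe:` after `error:` and `goto drop` also means a reader of the error path runs into the PROBE handling; keep the PROBE dispatch next to the normal handler call instead.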
--
2.25.1
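As an added example (not code from the patch set or from the kernel), a user-space C model of the checks a PROBE receiver needs before it dereferences the Interface Identification Object that follows the ICMP header, using the type, code and c-type numbers from patches 1 and 6. The struct, its field names, the name-length limit and the sample packets are hypothetical and constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ICMP_EXT_ECHO      42   /* type, code and c-type numbers as in the patch */
#define ICMP_EXT_MAL_QUERY 1
#define CTYPE_NAME  1
#define CTYPE_INDEX 2
#define CTYPE_ADDR  3

struct probe_query {            /* hypothetical user-space view of a request */
    uint8_t seq, ctype, local;  /* local = L bit of the 16-bit sequence field */
    char name[64];
    uint32_t ifindex;
    uint16_t afi;
    uint8_t addrlen, addr[16];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
/* pkt starts at the 8-byte ICMP header; the RFC 4884 extension header and one
 * object header (4 bytes each) follow it directly.  Returns 0 for a well-formed
 * query and ICMP_EXT_MAL_QUERY for anything that must not be dereferenced. */
int probe_parse(const uint8_t *pkt, size_t len, struct probe_query *q)
{
    const uint8_t *obj = pkt + 12, *body = obj + 4;
    size_t objlen, payload;
    if (len < 16 || pkt[0] != ICMP_EXT_ECHO || pkt[1] != 0 || (pkt[8] >> 4) != 2)
        return ICMP_EXT_MAL_QUERY;      /* short, wrong type/code, ext version != 2 */
    objlen = be16(obj);
    if (objlen < 4 || objlen > len - 12 || obj[2] != 3)
        return ICMP_EXT_MAL_QUERY;      /* object overruns packet or is not class 3 */
    payload = objlen - 4;
    memset(q, 0, sizeof(*q));
    q->seq = pkt[6]; q->local = pkt[7] & 1; q->ctype = obj[3];
    switch (q->ctype) {
    case CTYPE_NAME:  /* name must be NUL-terminated inside the object, or a
                       * strcmp() against it reads past the end of the packet */
        if (payload == 0 || payload > sizeof(q->name) || !memchr(body, 0, payload))
            return ICMP_EXT_MAL_QUERY;
        memcpy(q->name, body, payload);
        return 0;
    case CTYPE_INDEX:
        if (payload != 4)
            return ICMP_EXT_MAL_QUERY;
        q->ifindex = be32(body);
        return 0;
    case CTYPE_ADDR:  /* AFI 1 = IPv4 (4 bytes), AFI 2 = IPv6 (16 bytes) */
        if (payload < 4)
            return ICMP_EXT_MAL_QUERY;
        q->afi = be16(body);
        q->addrlen = body[2];
        if ((q->afi == 1 && q->addrlen != 4) || (q->afi == 2 && q->addrlen != 16) ||
            (q->afi != 1 && q->afi != 2) || q->addrlen > payload - 4)
            return ICMP_EXT_MAL_QUERY;
        memcpy(q->addr, body + 4, q->addrlen);
        return 0;
    default:
        return ICMP_EXT_MAL_QUERY;
    }
}

/* Constructed samples (not captured traffic): ifindex 2 with the L bit set,
 * and a probe by name "eth0" whose object carries no NUL terminator. */
const uint8_t req_index[] = { 42,0,0,0, 0,1,7,1, 0x20,0,0,0, 0,8,3,2, 0,0,0,2 };
const uint8_t req_badname[] = { 42,0,0,0, 0,1,7,1, 0x20,0,0,0, 0,8,3,1, 'e','t','h','0' };
```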
* Re: [PATCH net-next 6/6] icmp: add response to RFC 8335 PROBE messages
From: David Ahern @ 2020-12-05 5:44 UTC (permalink / raw)
To: Andreas Roeseler, davem, kuznet, yoshfuji, kuba; +Cc: netdev
On 12/3/20 8:17 PM, Andreas Roeseler wrote:
> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index 005faea415a4..313061b60387 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c
> @@ -984,20 +984,121 @@ static bool icmp_redirect(struct sk_buff *skb)
> static bool icmp_echo(struct sk_buff *skb)
> {
> struct net *net;
> + struct icmp_bxm icmp_param;
> + struct net_device *dev;
> + struct net_device *target_dev;
> + struct in_ifaddr *ifaddr;
> + struct inet6_ifaddr *inet6_ifaddr;
> + struct list_head *position;
> + struct icmp_extobj_hdr *extobj_hdr;
> + struct icmp_ext_ctype3_hdr *ctype3_hdr;
> + __u8 status;
networking coding style is reverse xmas tree — i.e., longest to shortest.
>
> net = dev_net(skb_dst(skb)->dev);
> - if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
> - struct icmp_bxm icmp_param;
> + /* should there be an ICMP stat for ignored echos? */
> + if (net->ipv4.sysctl_icmp_echo_ignore_all)
> + return true;
> +
> + icmp_param.data.icmph = *icmp_hdr(skb);
> + icmp_param.skb = skb;
> + icmp_param.offset = 0;
> + icmp_param.data_len = skb->len;
> + icmp_param.head_len = sizeof(struct icmphdr);
>
> - icmp_param.data.icmph = *icmp_hdr(skb);
> + if (icmp_param.data.icmph.type == ICMP_ECHO) {
> icmp_param.data.icmph.type = ICMP_ECHOREPLY;
> - icmp_param.skb = skb;
> - icmp_param.offset = 0;
> - icmp_param.data_len = skb->len;
> - icmp_param.head_len = sizeof(struct icmphdr);
> - icmp_reply(&icmp_param, skb);
> + goto send_reply;
> }
> - /* should there be an ICMP stat for ignored echos? */
> + if (!net->ipv4.sysctl_icmp_echo_enable_probe)
> + return true;
> + /* We currently do not support probing off the proxy node */
> + if ((ntohs(icmp_param.data.icmph.un.echo.sequence) & 1) == 0)
> + return true;
> +
> + icmp_param.data.icmph.type = ICMP_EXT_ECHOREPLY;
> + icmp_param.data.icmph.un.echo.sequence &= htons(0xFF00);
> + extobj_hdr = (struct icmp_extobj_hdr *)(skb->data + sizeof(struct icmp_ext_hdr));
> + ctype3_hdr = (struct icmp_ext_ctype3_hdr *)(extobj_hdr + 1);
> + status = 0;
> + target_dev = NULL;
> + read_lock(&dev_base_lock);
> + for_each_netdev(net, dev) {
for_each_netdev needs to be replaced by an appropriate lookup.
> + switch (extobj_hdr->class_type) {
> + case CTYPE_NAME:
> + if (strcmp(dev->name, (char *)(extobj_hdr + 1)) == 0)
> + goto found_matching_interface;
> + break;
> + case CTYPE_INDEX:
> + if (ntohl(*((uint32_t *)(extobj_hdr + 1))) ==
> + dev->ifindex)
> + goto found_matching_interface;
> + break;
> + case CTYPE_ADDR:
1. In general, a name lookup is done by __dev_get_by_name /
dev_get_by_name_rcu / dev_get_by_name based on locking. rtnl is not held
in the datapath. Depending on need, you can hold the rcu lock
(rcu_read_lock) and use dev_get_by_name_rcu but you need to make sure
all references to the dev are used before calling rcu_read_unlock.
2. Similarly, lookup by index is done using __dev_get_by_index /
dev_get_by_index_rcu / dev_get_by_index.
3. Address to device lookup is done using something like __ip_dev_find
(IPv4) or ipv6_dev_find (IPv6) - again check the locking needs.
> + switch (ntohs(ctype3_hdr->afi)) {
> + /* IPV4 address */
> + case 1:
> + ifaddr = dev->ip_ptr->ifa_list;
> + while (ifaddr) {
> + if (memcmp(&ifaddr->ifa_address,
> + (ctype3_hdr + 1),
> + sizeof(ifaddr->ifa_address)) == 0)
> + goto found_matching_interface;
> + ifaddr = ifaddr->ifa_next;
> + }
> + break;
> + /* IPV6 address */
> + case 2:
No magic numbers - if AFI enums do not exist, add them.
* Re: [PATCH net-next 3/6] net: add sysctl for enabling RFC 8335 PROBE messages
From: David Ahern @ 2020-12-05 5:49 UTC (permalink / raw)
To: Andreas Roeseler, davem, kuznet, yoshfuji, kuba; +Cc: netdev
On 12/3/20 8:16 PM, Andreas Roeseler wrote:
> Section 8 of RFC 8335 specifies potential security concerns of
> responding to PROBE requests, and states that nodes that support PROBE
> functionality MUST be able to enable/disable responses and it is
> disabled by default.
>
> Add sysctl to enable responses to PROBE messages.
>
> Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
> ---
> include/net/netns/ipv4.h | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
> index 8e4fcac4df72..1d9b74228f3e 100644
> --- a/include/net/netns/ipv4.h
> +++ b/include/net/netns/ipv4.h
> @@ -85,6 +85,7 @@ struct netns_ipv4 {
> #endif
>
> int sysctl_icmp_echo_ignore_all;
> + int sysctl_icmp_echo_enable_probe;
> int sysctl_icmp_echo_ignore_broadcasts;
> int sysctl_icmp_ignore_bogus_error_responses;
> int sysctl_icmp_ratelimit;
>
this can be folded into patch 4; no need for a standalone patch here.