Re: [PATCH net-next v5 00/11] ipv6: Only create RTF_CACHE route after encountering pmtu exception

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Alexander Holler <holler@ahsoftware.de>
To: Martin KaFai Lau <kafai@fb.com>, netdev <netdev@vger.kernel.org>
Cc: David Miller <davem@davemloft.net>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	Julian Anastasov <ja@ssi.bg>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Kernel Team <Kernel-team@fb.com>,
	stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next v5 00/11] ipv6: Only create RTF_CACHE route after encountering pmtu exception
Date: Sat, 15 Aug 2015 09:48:26 +0200	[thread overview]
Message-ID: <55CEEECA.8000702@ahsoftware.de> (raw)
In-Reply-To: <55BA1144.9090203@ahsoftware.de>

Am 30.07.2015 um 13:57 schrieb Alexander Holler:
> Am 29.07.2015 um 11:25 schrieb Alexander Holler:
>> Am 23.05.2015 um 05:55 schrieb Martin KaFai Lau:
>>
>>> This series is to avoid creating a RTF_CACHE route whenever we are
>>> consulting
>>> the fib6 tree with a new destination.  Instead, only create RTF_CACHE
>>> route
>>> when we see a pmtu exception.
>>
>> That even helps on systems without an IPv6-connection to world because
>> it avoids the IPv6 route add/delete pairs which happened before whenever
>> an IPv6-connection was tried (e.g. by Happy Eyeballs algorithms).
>>
>> I think that's worse a laud. thanks.
>
> Of course, I meant worth. Sorry, but the left part of my brain seems to
> be sometimes in a (maybe forced) power save mode. ;)
>
> Also I wonder how the previous algorithm went into the kernel at all or
> why it wasn't fixed earlier. Anyway, it's great that someone took the
> time to fix that annoying behaviour (I've had on my radar since quiet
> some time).

To complete the discussion, that "annoying behaviour" is also a big 
information leak.

Because routes aren't considered confidential and aren't subject to 
privacy, that broken behaviour enabled *everyone* on the same system to 
see *all* the remote IPv6 systems to which there have been connection 
establishment tries.

E.g. I can see the following on a system when browsing to facebook.com 
and google.com:

--------
[aholler@krabat snetmanmon.git]$ ./snetmanmon snetmanmon.conf.simple_example

snetmanmon V1.3-5-g9f06

(C) 2015 Alexander Holler

(...)
New route 2a00:1450:4001:80c::100a (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a03:2880:2130:cf05:face:b00c:0:1 (gateway 
fe80::21f:7bff:feb4:d13, type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4001:80c::1007 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:400f:803::101f (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4001:80c::1008 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4001:80c::1017 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4016:804::200d (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4001:80c::1000 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4001:80c::1016 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:400f:803::1013 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4001:80c::1006 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4001:80c::1018 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4016:804::2009 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
New route 2a00:1450:4001:80c::1005 (gateway fe80::21f:7bff:feb4:d13, 
type v6, scope universe) on interface 'virbr0'
Route 2a00:1450:4001:80c::100a (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a03:2880:2130:cf05:face:b00c:0:1 (gateway 
fe80::21f:7bff:feb4:d13, type v6, scope universe) on interface 'virbr0' 
was deleted
Route 2a00:1450:4001:80c::1000 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4001:80c::1005 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4001:80c::1006 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4001:80c::1007 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4001:80c::1008 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4001:80c::1016 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4001:80c::1017 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4001:80c::1018 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:400f:803::1013 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:400f:803::101f (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4016:804::2009 (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
Route 2a00:1450:4016:804::200d (gateway fe80::21f:7bff:feb4:d13, type 
v6, scope universe) on interface 'virbr0' was deleted
--------
(those deletes happen because I've no IPv6 connection to the outside 
world on that system)

Also this doesn't give me the used URLs (or the user). it gives me quiet 
some good idea about what happens on a system.

Therefor I think it's worse to think about backporting this patch series 
at least to the current long term stable kernel (4.1) too.

Regards,

Alexander Holler

next prev parent reply	other threads:[~2015-08-15  7:48 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-23  3:55 [PATCH net-next v5 00/11] ipv6: Only create RTF_CACHE route after encountering pmtu exception Martin KaFai Lau
2015-05-23  3:55 ` [PATCH net-next v5 01/11] ipv6: Clean up ipv6_select_ident() and ip6_fragment() Martin KaFai Lau
2015-05-23  3:55 ` [PATCH net-next v5 02/11] ipv6: Remove external dependency on rt6i_dst and rt6i_src Martin KaFai Lau
2015-05-23  3:55 ` [PATCH net-next v5 03/11] ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST Martin KaFai Lau
2015-05-23  3:55 ` [PATCH net-next v5 04/11] ipv6: Combine rt6_alloc_cow and rt6_alloc_clone Martin KaFai Lau
2015-05-23  3:56 ` [PATCH net-next v5 05/11] ipv6: Only create RTF_CACHE routes after encountering pmtu exception Martin KaFai Lau
2015-05-23  3:56 ` [PATCH net-next v5 06/11] ipv6: Add rt6_get_cookie() function Martin KaFai Lau
2015-05-23  3:56 ` [PATCH net-next v5 07/11] ipv6: Set FLOWI_FLAG_KNOWN_NH at flowi6_flags Martin KaFai Lau
2015-05-23  3:56 ` [PATCH net-next v5 08/11] ipv6: Create RTF_CACHE clone when FLOWI_FLAG_KNOWN_NH is set Martin KaFai Lau
2015-05-23  3:56 ` [PATCH net-next v5 09/11] ipv6: Keep track of DST_NOCACHE routes in case of iface down/unregister Martin KaFai Lau
2015-05-23  3:56 ` [PATCH net-next v5 10/11] ipv6: Break up ip6_rt_copy() Martin KaFai Lau
2015-05-23  3:56 ` [PATCH net-next v5 11/11] ipv6: Create percpu rt6_info Martin KaFai Lau
2015-05-25 17:34 ` [PATCH net-next v5 00/11] ipv6: Only create RTF_CACHE route after encountering pmtu exception David Miller
2015-05-26 21:20   ` Hannes Frederic Sowa
2015-05-26 21:34     ` Martin KaFai Lau
2015-07-29  9:25 ` Alexander Holler
2015-07-30 11:57   ` Alexander Holler
2015-08-15  7:48     ` Alexander Holler [this message]
2015-08-17  9:43       ` Alexander Holler
2015-08-28  7:36         ` Martin KaFai Lau
2015-08-28  9:27           ` Alexander Holler
2015-08-28  9:34             ` Alexander Holler
2015-08-28 18:27           ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=55CEEECA.8000702@ahsoftware.de \
    --to=holler@ahsoftware.de \
    --cc=Kernel-team@fb.com \
    --cc=davem@davemloft.net \
    --cc=hannes@stressinduktion.org \
    --cc=ja@ssi.bg \
    --cc=kafai@fb.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).