From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>,
Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: [PATCH net] tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()
Date: Tue, 30 Jun 2020 20:27:20 -0400 (EDT) [thread overview]
Message-ID: <731827688.18225.1593563240917.JavaMail.zimbra@efficios.com> (raw)
In-Reply-To: <CANn89iKHBkTbT9fZ3qbfZKE25MuS=av+frnRerGvP+_gUHPSAA@mail.gmail.com>
----- On Jun 30, 2020, at 7:50 PM, Eric Dumazet edumazet@google.com wrote:
> On Tue, Jun 30, 2020 at 4:47 PM Mathieu Desnoyers
> <mathieu.desnoyers@efficios.com> wrote:
>>
>> ----- On Jun 30, 2020, at 7:41 PM, Eric Dumazet edumazet@google.com wrote:
>>
>> > MD5 keys are read with RCU protection, and tcp_md5_do_add()
>> > might update in-place a prior key.
>> >
>> > Normally, typical RCU updates would allocate a new piece
>> > of memory. In this case only key->key and key->keylen might
>> > be updated, and we do not care if an incoming packet could
>> > see the old key, the new one, or some intermediate value,
>> > since changing the key on a live flow is known to be problematic
>> > anyway.
>>
>> What makes it acceptable to observe an intermediate bogus key during the
>> transition ?
>
> If you change a key while packets are in flight, the result is that :
>
> 1) Either your packet has the correct key and is handled
>
> 2) Or the key do not match, packet is dropped.
>
> Sender will retransmit eventually.
This train of thoughts seem to apply to incoming traffic, what about outgoing ?
>
> If this was not the case, then we could not revert the patch you are
> complaining about :)
Please let me know where I'm incorrect with the following scenario:
- Local peer is a Linux host, which supports only a single MD5 key
per socket at any given time.
- Remote peer is a Ericsson/Redback device allowing 2 passwords (old/new)
to co-exist until both sides are OK with the new password.
The local peer updates the MD5 password for a socket in parallel with
packets flow. If we guarantee that no intermediate bogus key state is
observable, the flow going out of the Linux peer should always be seen as
valid, with either the old or the new key.
Allowing an intermediate bogus key to be observable means this introduces
a race condition during which the remote peer can observe a corrupted key.
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
next prev parent reply other threads:[~2020-07-01 0:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-30 23:41 [PATCH net] tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key() Eric Dumazet
2020-06-30 23:47 ` Mathieu Desnoyers
2020-06-30 23:50 ` Eric Dumazet
2020-07-01 0:27 ` Mathieu Desnoyers [this message]
2020-07-01 0:34 ` Eric Dumazet
2020-07-01 0:40 ` Mathieu Desnoyers
2020-07-01 0:52 ` Hideaki Yoshifuji
2020-07-01 0:55 ` Eric Dumazet
2020-07-01 1:53 ` Mathieu Desnoyers
2020-07-01 1:15 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=731827688.18225.1593563240917.JavaMail.zimbra@efficios.com \
--to=mathieu.desnoyers@efficios.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).