From: Edward Cree <ecree.xilinx@gmail.com>
To: Daniel Xu <dxu@dxuuu.xyz>
Cc: bpf@vger.kernel.org, linux-kselftest@vger.kernel.org,
netdev@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 0/8] Support defragmenting IPv(4|6) packets in BPF
Date: Mon, 27 Feb 2023 22:58:47 +0000 [thread overview]
Message-ID: <cc4712f7-c723-89fc-dc9c-c8db3ff8c760@gmail.com> (raw)
In-Reply-To: <20230227220406.4x45jcigpnjjpdfy@kashmir.localdomain>
On 27/02/2023 22:04, Daniel Xu wrote:
> I don't believe full L4 headers are required in the first fragment.
> Sufficiently sneaky attackers can, I think, send a byte at a time to
> subvert your proposed algorithm. Storing skb data seems inevitable here.
> Someone can correct me if I'm wrong here.
My thinking was that legitimate traffic would never do this and thus if
your first fragment doesn't have enough data to make a determination
then you just DROP the packet.
> What I find valuable about this patch series is that we can
> leverage the well understood and battle hardened kernel facilities. So
> avoid all the correctness and security issues that the kernel has spent
> 20+ years fixing.
I can certainly see the argument here. I guess it's a question of are
you more worried about the DoS from tricking the validator into thinking
good fragments are bad (the reverse is irrelevant because if you can
trick a validator into thinking your bad fragment belongs to a previously
seen good packet, then you can equally trick a reassembler into stitching
your bad fragment into that packet), or are you more worried about the
DoS from tying lots of memory down in the reassembly cache.
Even with reordering handling, a data structure to record which ranges of
a packet have been seen takes much less memory than storing the complete
fragment bodies. (Just a simple bitmap of 8-byte blocks — the resolution
of iph->frag_off — reduces size by a factor of 64, not counting all the
overhead of a struct sk_buff for each fragment in the queue. Or you
could re-use the rbtree-based code from the reassembler, just with a
freshly allocated node containing only offset & length, instead of the
whole SKB.)
And having a BPF helper effectively consume the skb is awkward, as you
noted; someone is likely to decide that skb_copy() is too slow, try to
add ctx invalidation, and thereby create a whole new swathe of potential
correctness and security issues.
Plus, imagine trying to support this in a hardware-offload XDP device.
They'd have to reimplement the entire frag cache, which is a much bigger
attack surface than just a frag validator, and they couldn't leverage
the battle-hardened kernel implementation.
> And make it trivial for the next person that comes
> along to do the right thing.
Fwiw the validator approach could *also* be a helper, it doesn't have to
be something the BPF developer writes for themselves.
But if after thinking about the possibility you still prefer your way, I
won't try to stop you — I just wanted to ensure it had been considered.
-ed
next prev parent reply other threads:[~2023-02-27 22:58 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-27 19:51 [PATCH bpf-next v2 0/8] Support defragmenting IPv(4|6) packets in BPF Daniel Xu
2023-02-27 19:51 ` [PATCH bpf-next v2 1/8] ip: frags: Return actual error codes from ip_check_defrag() Daniel Xu
2023-02-27 19:51 ` [PATCH bpf-next v2 3/8] bpf, net, frags: Add bpf_ip_check_defrag() kfunc Daniel Xu
2023-02-28 19:37 ` Stanislav Fomichev
2023-02-28 22:00 ` Daniel Xu
2023-02-28 22:18 ` Stanislav Fomichev
2023-02-27 19:51 ` [PATCH bpf-next v2 4/8] net: ipv6: Factor ipv6_frag_rcv() to take netns and user Daniel Xu
2023-02-27 19:51 ` [PATCH bpf-next v2 5/8] bpf: net: ipv6: Add bpf_ipv6_frag_rcv() kfunc Daniel Xu
2023-02-28 8:15 ` kernel test robot
2023-02-28 9:37 ` kernel test robot
2023-02-27 20:38 ` [PATCH bpf-next v2 0/8] Support defragmenting IPv(4|6) packets in BPF Edward Cree
2023-02-27 22:04 ` Daniel Xu
2023-02-27 22:58 ` Edward Cree [this message]
2023-03-01 16:24 ` Daniel Xu
2023-02-27 23:03 ` Alexei Starovoitov
[not found] ` <20230228015712.clq6kyrsd7rrklbz@kashmir.localdomain>
2023-02-28 4:56 ` Alexei Starovoitov
2023-02-28 13:43 ` Daniel Borkmann
2023-02-28 23:17 ` Daniel Xu
2023-03-07 4:17 ` Alexei Starovoitov
2023-03-07 19:48 ` Daniel Xu
2023-03-07 20:11 ` Florian Westphal
2023-03-07 21:18 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cc4712f7-c723-89fc-dc9c-c8db3ff8c760@gmail.com \
--to=ecree.xilinx@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=dxu@dxuuu.xyz \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).