| Message ID | 20171211203837.2540-1-tom@quantonium.net |
|---|---|
| Headers | show |
| Series | net: Generic network resolver backend and ILA resolver | expand |
From: Tom Herbert <tom@quantonium.net> Date: Mon, 11 Dec 2017 12:38:28 -0800 > DOS mitigations: > > - The number of outstanding resolutions is limited by the size of the > table > - Timeout of pending entries limits the number of netlink resolution > messages > - Packets are not queued that are pending resolution. In the current > model that can be forwarded to a router that has all reachability > information (ILA use case for example) None of these mitigation schemes matter. If packet traffic can influence the table of entries (your cache or whatever), then you will be DoS'able. If you limit outstanding resolutions, you harm legitimate traffic whose resolutions will not be processed now too just as equally as you will harm "bad guy" traffic. If you forward in the case of pending resolution, the bad guy can make you forward everything there. The bad guy can effectively make your caching node stop caching completely. Please, learn from OVS, the ipv4 routing cache, and the IPSEC flow cache. This kind of architecture, _especially_ when the resolution is user side, is deeply flawed. We're trying to remove code that does this kind of stuff, rather than add new instances. Thank you.
On Mon, Dec 11, 2017 at 1:34 PM, David Miller <davem@davemloft.net> wrote: > From: Tom Herbert <tom@quantonium.net> > Date: Mon, 11 Dec 2017 12:38:28 -0800 > >> DOS mitigations: >> >> - The number of outstanding resolutions is limited by the size of the >> table >> - Timeout of pending entries limits the number of netlink resolution >> messages >> - Packets are not queued that are pending resolution. In the current >> model that can be forwarded to a router that has all reachability >> information (ILA use case for example) > > None of these mitigation schemes matter. > > If packet traffic can influence the table of entries (your cache > or whatever), then you will be DoS'able. > > If you limit outstanding resolutions, you harm legitimate traffic > whose resolutions will not be processed now too just as equally > as you will harm "bad guy" traffic. > David, How can we build a system that allows an unlimited number of resolutions without drop? Unless the resolution path can handle a higher packet load than the receive path, there will be some place in the system where memory is allocated and that limits the amount of pending resolutions (i.e. pending packet skbs, entry in a resolution table, skbs on a netlink socket). > If you forward in the case of pending resolution, the bad guy can > make you forward everything there. The bad guy can effectively > make your caching node stop caching completely. > But a DOS attack doesn't stop fowarding, at best it forces suboptimal forwarding. This analogous to when the SYN cache is filled up but SYN cookies allow forward progress in a degraded operational mode. Thanks, Tom
On Mon, Dec 11, 2017 at 2:16 PM, Tom Herbert <tom@quantonium.net> wrote: > On Mon, Dec 11, 2017 at 1:34 PM, David Miller <davem@davemloft.net> wrote: >> From: Tom Herbert <tom@quantonium.net> >> Date: Mon, 11 Dec 2017 12:38:28 -0800 >> >>> DOS mitigations: >>> >>> - The number of outstanding resolutions is limited by the size of the >>> table >>> - Timeout of pending entries limits the number of netlink resolution >>> messages >>> - Packets are not queued that are pending resolution. In the current >>> model that can be forwarded to a router that has all reachability >>> information (ILA use case for example) >> >> None of these mitigation schemes matter. >> >> If packet traffic can influence the table of entries (your cache >> or whatever), then you will be DoS'able. >> >> If you limit outstanding resolutions, you harm legitimate traffic >> whose resolutions will not be processed now too just as equally >> as you will harm "bad guy" traffic. >> > David, > Actually, please disregard. I will respin to use secure redirects. > How can we build a system that allows an unlimited number of > resolutions without drop? Unless the resolution path can handle a > higher packet load than the receive path, there will be some place in > the system where memory is allocated and that limits the amount of > pending resolutions (i.e. pending packet skbs, entry in a resolution > table, skbs on a netlink socket). > >> If you forward in the case of pending resolution, the bad guy can >> make you forward everything there. The bad guy can effectively >> make your caching node stop caching completely. >> > But a DOS attack doesn't stop fowarding, at best it forces suboptimal > forwarding. This analogous to when the SYN cache is filled up but SYN > cookies allow forward progress in a degraded operational mode. > > Thanks, > Tom
From: Tom Herbert <tom@quantonium.net> Date: Mon, 11 Dec 2017 14:16:17 -0800 > How can we build a system that allows an unlimited number of > resolutions without drop? IPV4 routing solves this with a prefixed trie, for example. The fundamental backing datastructure for the switching or whatever operation must be in-memory, in the kernel, scalable, and without a fronting "cache".
This patch implements generic in-kernel network resolver. The idea is that an LWT "resolver" route is set in the kernel to cover some prefix. When a packet hits the route a netlink message is fired to request resolution and pending resolutions are tracked in a table. Route resolution works in the following manner: Initial configuration: 0. An ila-rslv LWT route is set for some network prefix. The route includes an optional timeout to expire resolution. Resolution process 1. Packet is sent to the a destination in the prefix being resolved 2. A lookup is performed on the destination address in a table of outstanding resolutions requests. If no entry is found: a. A new entry is created for the destination with a timeout value as set in the resolver route b. A netlink "RTM_ADDR_RESOLVE" message is sent to kick the resolution protocol or processing 3. The packet is forwarded per the resolver route When an address is resolved 4. At some point a route is is set that resolves the outstanding request (for instance a host route is set for the destination). The entry is removed for the table. Subsequent packets to the destination will hit the new route rather than the resolver route since prefix is longer 5. Resolution entries may timeout and entry removed from the table. A subsequent packet to the destination will kick off a new resolution as in #2 6. The resolved route might also be timed out or removed, in which case subsequent packets to the same destination can trigger the resolution process DOS mitigations: - The number of outstanding resolutions is limited by the size of the table - Timeout of pending entries limits the number of netlink resolution messages - Packets are not queued that are pending resolution. In the current model that can be forwarded to a router that has all reachability information (ILA use case for example) Possible future work - An optional method to queue packets for pending resolution - More DOS mitigations. It might make sense to limit the number of resolutions per source address etc. This patch set implements an ILA host side resolver. That uses the generic resolver described above. This uses LWT to implement the hook to a userspace resolver and tracks pending unresolved address using the backend net resolver. This patch set contains: - A generic resolver backend infrastructure. This primary does two things: track unresolved addresses and implement a timeout for resolution not happening. These mechanisms provides rate limiting control over resolution requests (for instance in ILA it use used to rate limit requests to userspace to resolve addresses). - The ILA resolver. This is implements to path from the kernel ILA implementation to a userspace daemon that an identifier address needs to be resolved. - Routing messages are used over netlink to indicate resolution requests. - Add net to ila build_state - Add flush command to ila_xlat - Fix uses for rhashtable for latest fixes v3: - Removed rhashtable changes to their own patch set - Restructure ILA code to be more amenbale to changes - Remove extra call back functions in resolution interface Changes from initial RFC: - Added net argument to LWT build_state - Made resolve timeout an attribute of the LWT encap route - Changed ILA notifications to be regular routing messages of event RTM_ADDR_RESOLVE, family RTNL_FAMILY_ILA, and group RTNLGRP_ILA_NOTIFY Tom Herbert (9): lwt: Add net to build_state argument ila: Fix use of rhashtable walk in ila_xlat.c ila: Call library function alloc_bucket_locks ila: create main ila source file ila: Flush netlink command to clear xlat table net: Generic resolver backend ila: Resolver mechanism resolver: add netlink control ila: add netlink control ILA resolver include/net/lwtunnel.h | 6 +- include/net/resolver.h | 67 +++++ include/uapi/linux/ila.h | 21 ++ include/uapi/linux/lwtunnel.h | 1 + include/uapi/linux/rtnetlink.h | 8 +- net/Kconfig | 1 + net/Makefile | 1 + net/core/lwt_bpf.c | 2 +- net/core/lwtunnel.c | 6 +- net/ipv4/fib_semantics.c | 13 +- net/ipv4/ip_tunnel_core.c | 4 +- net/ipv6/Kconfig | 1 + net/ipv6/ila/Makefile | 2 +- net/ipv6/ila/ila.h | 46 +++- net/ipv6/ila/ila_common.c | 30 --- net/ipv6/ila/ila_lwt.c | 10 +- net/ipv6/ila/ila_main.c | 161 ++++++++++++ net/ipv6/ila/ila_resolver.c | 310 +++++++++++++++++++++++ net/ipv6/ila/ila_xlat.c | 280 ++++++++++----------- net/ipv6/route.c | 2 +- net/ipv6/seg6_iptunnel.c | 2 +- net/ipv6/seg6_local.c | 5 +- net/mpls/mpls_iptunnel.c | 2 +- net/resolver/Kconfig | 7 + net/resolver/Makefile | 8 + net/resolver/resolver.c | 559 +++++++++++++++++++++++++++++++++++++++++ 26 files changed, 1356 insertions(+), 199 deletions(-) create mode 100644 include/net/resolver.h create mode 100644 net/ipv6/ila/ila_main.c create mode 100644 net/ipv6/ila/ila_resolver.c create mode 100644 net/resolver/Kconfig create mode 100644 net/resolver/Makefile create mode 100644 net/resolver/resolver.c