Message ID | 1572571718-83139-1-git-send-email-ankur.sharma@nutanix.com
---|---
Series | [PATCH v4 0/2] ALLOW Stateless NAT operations
On Fri, Nov 1, 2019 at 6:58 AM Ankur Sharma <ankur.sharma@nutanix.com> wrote:
>
> NAT implementation in OVN uses connection tracker to replace
> source and dest ips. This implementation works fine and
> is the right approach for cases where external ips are shared
> (i.e. SNAT) or where we replace ip only when relevant flow is there
> (i.e. DNAT).
>
> However, it opens the possibility of a DoS attack, where an attacker
> can easily simulate multiple 5 tuples, to consume the connection
> tracker entry in an OVN chassis. This way they can easily attain
> the CT limit, thereby impacting the usage of it by other features
> like valid NAT, ACL etc.
>
> This attack is even worse, when external ip is a public ip,
> i.e. internet routable ip.
>
> In this patch we are introducing an option with NAT table entry.
> Option "stateless=true" indicates that NAT implementation
> should not be using CT, i.e. it should not use ct_snat/dnat actions.
>
> Instead of ct_* actions, we will use ip4.src/dst OVN actions, which
> will replace source and destination ips, while recalculating the
> checksums.
>
> This option is applicable only for the NAT rules which can be
> 1:1 mapped between inner and external ips, i.e. dnat_and_snat rule.
>
> Signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com>

Thanks. I applied this series to master.

Numan

> Ankur Sharma (2):
>   OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
>   OVN: Use ip4.src and ip4.dst actions for NAT rules
>
>  northd/ovn-northd.8.xml   |  33 ++++-
>  northd/ovn-northd.c       |  84 +++++++++++--
>  ovn-nb.ovsschema          |   6 +-
>  ovn-nb.xml                |   5 +
>  tests/ovn-nbctl.at        |  37 ++++++
>  tests/ovn-northd.at       |  95 ++++++++++++++
>  tests/ovn.at              | 311 ++++++++++++++++++++++++++++++++++++++++++++++
>  utilities/ovn-nbctl.8.xml |  12 +-
>  utilities/ovn-nbctl.c     |  30 ++++-
>  9 files changed, 594 insertions(+), 19 deletions(-)
>
> --
> 1.8.3.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
On Fri, Nov 1, 2019, 2:57 PM Numan Siddique <numans@ovn.org> wrote:
> On Fri, Nov 1, 2019 at 6:58 AM Ankur Sharma <ankur.sharma@nutanix.com> wrote:
> >
> > NAT implementation in OVN uses connection tracker to replace
> > source and dest ips. This implementation works fine and
> > is the right approach for cases where external ips are shared
> > (i.e. SNAT) or where we replace ip only when relevant flow is there
> > (i.e. DNAT).
> >
> > However, it opens the possibility of a DoS attack, where an attacker
> > can easily simulate multiple 5 tuples, to consume the connection
> > tracker entry in an OVN chassis. This way they can easily attain
> > the CT limit, thereby impacting the usage of it by other features
> > like valid NAT, ACL etc.
> >
> > This attack is even worse, when external ip is a public ip,
> > i.e. internet routable ip.
> >
> > In this patch we are introducing an option with NAT table entry.
> > Option "stateless=true" indicates that NAT implementation
> > should not be using CT, i.e. it should not use ct_snat/dnat actions.
> >
> > Instead of ct_* actions, we will use ip4.src/dst OVN actions, which
> > will replace source and destination ips, while recalculating the
> > checksums.
> >
> > This option is applicable only for the NAT rules which can be
> > 1:1 mapped between inner and external ips, i.e. dnat_and_snat rule.
> >
> > Signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com>
>
> Thanks.
>
> I applied this series to master.

Can you please submit a follow-up patch to add a NEWS entry?

Numan

> Numan
>
> > Ankur Sharma (2):
> >   OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
> >   OVN: Use ip4.src and ip4.dst actions for NAT rules
> >
> >  northd/ovn-northd.8.xml   |  33 ++++-
> >  northd/ovn-northd.c       |  84 +++++++++++--
> >  ovn-nb.ovsschema          |   6 +-
> >  ovn-nb.xml                |   5 +
> >  tests/ovn-nbctl.at        |  37 ++++++
> >  tests/ovn-northd.at       |  95 ++++++++++++++
> >  tests/ovn.at              | 311 ++++++++++++++++++++++++++++++++++++++++++++++
> >  utilities/ovn-nbctl.8.xml |  12 +-
> >  utilities/ovn-nbctl.c     |  30 ++++-
> >  9 files changed, 594 insertions(+), 19 deletions(-)
> >
> > --
> > 1.8.3.1
Hi Numan,

Thanks for applying the patches.
Sure, I have sent out the NEWS entry changes.

Just noticed that Acked-by is missing in the commits.

Regards,
Ankur

From: Numan Siddique <numans@ovn.org>
Sent: Friday, November 1, 2019 9:51 AM
To: Ankur Sharma <ankur.sharma@nutanix.com>
Cc: ovs-dev@openvswitch.org
Subject: Re: [ovs-dev] [PATCH v4 0/2] ALLOW Stateless NAT operations

On Fri, Nov 1, 2019, 2:57 PM Numan Siddique <numans@ovn.org> wrote:
On Fri, Nov 1, 2019 at 6:58 AM Ankur Sharma <ankur.sharma@nutanix.com> wrote:
>
> NAT implementation in OVN uses connection tracker to replace
> source and dest ips. This implementation works fine and
> is the right approach for cases where external ips are shared
> (i.e. SNAT) or where we replace ip only when relevant flow is there
> (i.e. DNAT).
>
> However, it opens the possibility of a DoS attack, where an attacker
> can easily simulate multiple 5 tuples, to consume the connection
> tracker entry in an OVN chassis. This way they can easily attain
> the CT limit, thereby impacting the usage of it by other features
> like valid NAT, ACL etc.
>
> This attack is even worse, when external ip is a public ip,
> i.e. internet routable ip.
>
> In this patch we are introducing an option with NAT table entry.
> Option "stateless=true" indicates that NAT implementation
> should not be using CT, i.e. it should not use ct_snat/dnat actions.
>
> Instead of ct_* actions, we will use ip4.src/dst OVN actions, which
> will replace source and destination ips, while recalculating the
> checksums.
>
> This option is applicable only for the NAT rules which can be
> 1:1 mapped between inner and external ips, i.e. dnat_and_snat rule.
>
> Signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com>

Thanks.

I applied this series to master.

Can you please submit a follow-up patch to add a NEWS entry?

Numan

Numan

> Ankur Sharma (2):
>   OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
>   OVN: Use ip4.src and ip4.dst actions for NAT rules
>
>  northd/ovn-northd.8.xml   |  33 ++++-
>  northd/ovn-northd.c       |  84 +++++++++++--
>  ovn-nb.ovsschema          |   6 +-
>  ovn-nb.xml                |   5 +
>  tests/ovn-nbctl.at        |  37 ++++++
>  tests/ovn-northd.at       |  95 ++++++++++++++
>  tests/ovn.at              | 311 ++++++++++++++++++++++++++++++++++++++++++++++
>  utilities/ovn-nbctl.8.xml |  12 +-
>  utilities/ovn-nbctl.c     |  30 ++++-
>  9 files changed, 594 insertions(+), 19 deletions(-)
>
> --
> 1.8.3.1
NAT implementation in OVN uses connection tracker to replace
source and dest ips. This implementation works fine and
is the right approach for cases where external ips are shared
(i.e. SNAT) or where we replace ip only when relevant flow is there
(i.e. DNAT).

However, it opens the possibility of a DoS attack, where an attacker
can easily simulate multiple 5 tuples, to consume the connection
tracker entry in an OVN chassis. This way they can easily attain
the CT limit, thereby impacting the usage of it by other features
like valid NAT, ACL etc.

This attack is even worse, when external ip is a public ip,
i.e. internet routable ip.

In this patch we are introducing an option with NAT table entry.
Option "stateless=true" indicates that NAT implementation
should not be using CT, i.e. it should not use ct_snat/dnat actions.

Instead of ct_* actions, we will use ip4.src/dst OVN actions, which
will replace source and destination ips, while recalculating the
checksums.

This option is applicable only for the NAT rules which can be
1:1 mapped between inner and external ips, i.e. dnat_and_snat rule.

Signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com>

Ankur Sharma (2):
  OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
  OVN: Use ip4.src and ip4.dst actions for NAT rules

 northd/ovn-northd.8.xml   |  33 ++++-
 northd/ovn-northd.c       |  84 +++++++++++--
 ovn-nb.ovsschema          |   6 +-
 ovn-nb.xml                |   5 +
 tests/ovn-nbctl.at        |  37 ++++++
 tests/ovn-northd.at       |  95 ++++++++++++++
 tests/ovn.at              | 311 ++++++++++++++++++++++++++++++++++++++++++++++
 utilities/ovn-nbctl.8.xml |  12 +-
 utilities/ovn-nbctl.c     |  30 ++++-
 9 files changed, 594 insertions(+), 19 deletions(-)
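The dataplane behaviour the cover letter describes (ip4.src/ip4.dst rewrites instead of ct_snat/ct_dnat, checksums recalculated, allowed only for 1:1 dnat_and_snat rules), modelled below as an added Python example. This is not OVN's code and is not part of the thread; the packet builder, the addresses and the external-to-logical mapping are constructed for the demo. It shows the two properties that make the option safe against the CT-exhaustion attack: the function keeps no flow table at all, and because ports are never touched the return direction is simply the inverse of the same 1:1 map, which is why the code refuses a mapping that is not 1:1 (a shared external IP, i.e. ordinary SNAT, would need state to pick the right inner host on the way back).

```python
"""Stateless 1:1 NAT (dnat_and_snat without conntrack), modelled in Python.
Added example, not OVN code: rewrite IPv4 src/dst, fix the IPv4 header checksum
and the TCP/UDP checksum (which covers the addresses via the pseudo-header),
and keep no per-flow state. Packets, addresses and mapping are constructed.
"""
import ipaddress
import struct

TCP, UDP = 6, 17
L4_CSUM_OFFSET = {TCP: 16, UDP: 6}   # checksum field position in the L4 header


def _csum(data: bytes) -> int:
    """RFC 1071 Internet checksum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _l4_csum(src_b: bytes, dst_b: bytes, proto: int, l4: bytes) -> int:
    """TCP/UDP checksum over pseudo-header + segment (checksum field already zero)."""
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, proto, len(l4))
    c = _csum(pseudo + l4)
    return 0xFFFF if (proto == UDP and c == 0) else c   # UDP: 0 means "no checksum"


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int,
                 payload: bytes) -> bytes:
    """Constructed IPv4 (no options) + minimal TCP or UDP header + payload."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    if proto == TCP:   # seq=1, ack=0, data offset 5, SYN, window 65535, csum 0, urg 0
        l4 = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0))
    elif proto == UDP:
        l4 = bytearray(struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    else:
        raise ValueError("demo builds TCP or UDP only")
    l4 += payload
    off = L4_CSUM_OFFSET[proto]
    l4[off:off + 2] = struct.pack("!H", _l4_csum(src_b, dst_b, proto, bytes(l4)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                               64, proto, 0, src_b, dst_b))
    ip[10:12] = struct.pack("!H", _csum(bytes(ip)))
    return bytes(ip + l4)


def addrs(pkt: bytes):
    """(src, dst) of an IPv4 packet as dotted strings."""
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])))


def checksums_ok(pkt: bytes) -> bool:
    """True if the IPv4 header checksum and (when present) the TCP/UDP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    if _csum(pkt[:ihl]) != 0:
        return False
    proto, l4 = pkt[9], pkt[ihl:]
    off = L4_CSUM_OFFSET.get(proto)
    if off is None or (proto == UDP and l4[off:off + 2] == b"\x00\x00"):
        return True
    return _csum(pkt[12:20] + struct.pack("!BBH", 0, proto, len(l4)) + l4) == 0


def stateless_nat(pkt: bytes, ext_to_logical: dict) -> bytes:
    """Apply a 1:1 dnat_and_snat mapping {external_ip: logical_ip} with no flow table.
    Traffic to an external IP is DNATed to its logical IP; traffic from a logical IP
    is SNATed to its external IP. Ports are never changed, so the reply direction
    is just the inverse map and no conntrack entry is ever created.
    """
    logical_to_ext = {v: k for k, v in ext_to_logical.items()}
    if len(logical_to_ext) != len(ext_to_logical):
        raise ValueError("stateless NAT needs a 1:1 external<->logical mapping")
    if pkt[0] >> 4 != 4:
        raise ValueError("IPv4 only")
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = addrs(pkt)
    new_src = logical_to_ext.get(src, src)   # SNAT: egress from the logical network
    new_dst = ext_to_logical.get(dst, dst)   # DNAT: ingress toward the logical network
    if (new_src, new_dst) == (src, dst):
        return pkt                            # no rule hit: forward unchanged
    ip = bytearray(pkt[:ihl])
    ip[12:16] = ipaddress.IPv4Address(new_src).packed
    ip[16:20] = ipaddress.IPv4Address(new_dst).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", _csum(bytes(ip)))
    l4 = bytearray(pkt[ihl:])
    proto, off = pkt[9], L4_CSUM_OFFSET.get(pkt[9])
    # The L4 checksum covers the addresses through the pseudo-header, so it has to be
    # recomputed as well; a UDP datagram sent without a checksum (0) stays that way.
    if off is not None and not (proto == UDP and l4[off:off + 2] == b"\x00\x00"):
        l4[off:off + 2] = b"\x00\x00"
        l4[off:off + 2] = struct.pack("!H", _l4_csum(bytes(ip[12:16]), bytes(ip[16:20]),
                                                     proto, bytes(l4)))
    return bytes(ip + l4)


if __name__ == "__main__":
    mapping = {"203.0.113.10": "10.0.0.5"}          # constructed: external -> logical
    syn = build_packet("198.51.100.7", "203.0.113.10", TCP, 40000, 443, b"GET")
    inside = stateless_nat(syn, mapping)
    reply = build_packet("10.0.0.5", "198.51.100.7", TCP, 443, 40000, b"HTTP")
    outside = stateless_nat(reply, mapping)
    print(addrs(inside), checksums_ok(inside), addrs(outside), checksums_ok(outside))
```

Running the block prints the DNATed request and the SNATed reply with both checksums verifying. The point to take from it is what is absent: a flood of spoofed 5-tuples toward the external IP costs one checksum recomputation each and allocates nothing, whereas a ct_dnat path would hold one CT entry per tuple until it timed out. The 1:1 check is the price of that: once the map is no longer a bijection there is no stateless way to pick the right inner host for a reply, which is the shared-IP SNAT case the cover letter keeps on conntrack.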