From: netdev@kapio-technology.com
To: Ido Schimmel <idosch@nvidia.com>
Cc: Vladimir Oltean <olteanv@gmail.com>,
davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Shuah Khan <shuah@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers
Date: Mon, 01 Aug 2022 15:14:39 +0200 [thread overview]
Message-ID: <2c95ec0a86674c598b5faf6d66410e1f@kapio-technology.com> (raw)
In-Reply-To: <Yt0ouiEcAHs8AqAA@shredder>
On 2022-07-24 13:10, Ido Schimmel wrote:
>
>> In the mv88e6xxx offload implementation, the locked entries eventually
>> age out from time to time, practically giving the true owner of the
>> MAC
>> address another chance every 5 minutes or so. In the pure software
>> implementation of locked FDB entries I'm not quite sure. It wouldn't
>> make much sense for the behavior to differ significantly though.
>
> From what I can tell, the same happens in software, but this behavior
> does not really make sense to me. It differs from how other learned
> entries age/roam and can lead to problems such as the one described
> above. It is also not documented anywhere, so I can't tell if it's
> intentional or an oversight. We need to have a good reason for such a
> behavior other than the fact that it appears to conform to the quirks
> of
> one hardware implementation.
>
>>
>> > It seems like the main purpose of these locked entries is to signal to
>> > user space the presence of a certain MAC behind a locked port, but they
>> > should not be able to affect packet forwarding in the bridge, unlike
>> > regular entries.
>>
>> So essentially what you want is for br_handle_frame_finish() to treat
>> "dst = br_fdb_find_rcu(br, eth_hdr(skb)->h_dest, vid);" as NULL if
>> test_bit(BR_FDB_LOCKED, &dst->flags) is true?
>
> Yes. It's not clear to me why unauthorized hosts should be given the
> ability to affect packet forwarding in the bridge through these locked
> entries when their primary purpose seems to be notifying user space
> about the presence of the MAC. At the very least this should be
> explained in the commit message, to indicate that some thought went
> into
> this decision.
>
I guess you are right that the SW setup locked entries can be used to
gain uni-directional traffic through a switch, which should really not
be the case.
In this case I expect the zero-DPV entries to not give this ability,
which is the correct behaviour with MAB IMHO.
>>
>> > Regarding a separate knob for MAB, I tend to agree we need it. Otherwise
>> > we cannot control which locked ports are able to populate the FDB with
>> > locked entries. I don't particularly like the fact that we overload an
>> > existing flag ("learning") for that. Any reason not to add an explicit
>> > flag ("mab")? At least with the current implementation, locked entries
>> > cannot roam between locked ports and cannot be refreshed, which differs
>> > from regular learning.
>>
>> Well, assuming we model the software bridge closer to mv88e6xxx (where
>> locked FDB entries can roam after a certain time), does this change
>> things?
>> In the software implementation I think it would make sense for them to
>> be able to roam right away (the age-out interval in mv88e6xxx is just
>> a
>> compromise between responsiveness to roaming and resistance to DoS).
>
> Exactly. If this is the best that we can do with mv88e6xxx, then so be
> it, but other implementations (software/hardware) do not have the same
> limitations and I don't see a reason to bend them.
>
> Regarding "learning" vs. "mab" (or something else), the former is a
> well-defined flag available since forever. In 5.18 and 5.19 it can also
> be enabled together with "locked" and packets from an unauthorized host
> (modulo link-local ones) will not populate the FDB. I prefer not to
> change an existing behavior.
>
> From usability point of view, I think a new flag would be easier to
> explain than explaining that "learning on" behaves like A or B, based
> on
> whether "locked on" is set. The bridge can also be taught to forbid the
> new flag from being set when "locked" is not set.
>
> A user space daemon that wants to try 802.1x and fallback to MAB can
> enable both flags or enable "mab" after some timer expires.
With this driver it is not really an option to use +learning for a
opt-in for MAB. I think locked port should always have -learning before
locking the port. In fact there is a problem in this implementation with
MAB if -learning is applied after locking the port, as that will disable
MAB, but also refresh and all other violation interrupts.
So I guess I need to disable the learning flag to the driver when the
port is locked, or even from the bridge?
WARNING: multiple messages have this Message-ID (diff)
From: netdev@kapio-technology.com
To: Ido Schimmel <idosch@nvidia.com>
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
Florian Fainelli <f.fainelli@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org,
Vivien Didelot <vivien.didelot@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-kselftest@vger.kernel.org, Roopa Prabhu <roopa@nvidia.com>,
kuba@kernel.org, Vladimir Oltean <olteanv@gmail.com>,
Shuah Khan <shuah@kernel.org>,
davem@davemloft.net
Subject: Re: [Bridge] [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers
Date: Mon, 01 Aug 2022 15:14:39 +0200 [thread overview]
Message-ID: <2c95ec0a86674c598b5faf6d66410e1f@kapio-technology.com> (raw)
In-Reply-To: <Yt0ouiEcAHs8AqAA@shredder>
On 2022-07-24 13:10, Ido Schimmel wrote:
>
>> In the mv88e6xxx offload implementation, the locked entries eventually
>> age out from time to time, practically giving the true owner of the
>> MAC
>> address another chance every 5 minutes or so. In the pure software
>> implementation of locked FDB entries I'm not quite sure. It wouldn't
>> make much sense for the behavior to differ significantly though.
>
> From what I can tell, the same happens in software, but this behavior
> does not really make sense to me. It differs from how other learned
> entries age/roam and can lead to problems such as the one described
> above. It is also not documented anywhere, so I can't tell if it's
> intentional or an oversight. We need to have a good reason for such a
> behavior other than the fact that it appears to conform to the quirks
> of
> one hardware implementation.
>
>>
>> > It seems like the main purpose of these locked entries is to signal to
>> > user space the presence of a certain MAC behind a locked port, but they
>> > should not be able to affect packet forwarding in the bridge, unlike
>> > regular entries.
>>
>> So essentially what you want is for br_handle_frame_finish() to treat
>> "dst = br_fdb_find_rcu(br, eth_hdr(skb)->h_dest, vid);" as NULL if
>> test_bit(BR_FDB_LOCKED, &dst->flags) is true?
>
> Yes. It's not clear to me why unauthorized hosts should be given the
> ability to affect packet forwarding in the bridge through these locked
> entries when their primary purpose seems to be notifying user space
> about the presence of the MAC. At the very least this should be
> explained in the commit message, to indicate that some thought went
> into
> this decision.
>
I guess you are right that the SW setup locked entries can be used to
gain uni-directional traffic through a switch, which should really not
be the case.
In this case I expect the zero-DPV entries to not give this ability,
which is the correct behaviour with MAB IMHO.
>>
>> > Regarding a separate knob for MAB, I tend to agree we need it. Otherwise
>> > we cannot control which locked ports are able to populate the FDB with
>> > locked entries. I don't particularly like the fact that we overload an
>> > existing flag ("learning") for that. Any reason not to add an explicit
>> > flag ("mab")? At least with the current implementation, locked entries
>> > cannot roam between locked ports and cannot be refreshed, which differs
>> > from regular learning.
>>
>> Well, assuming we model the software bridge closer to mv88e6xxx (where
>> locked FDB entries can roam after a certain time), does this change
>> things?
>> In the software implementation I think it would make sense for them to
>> be able to roam right away (the age-out interval in mv88e6xxx is just
>> a
>> compromise between responsiveness to roaming and resistance to DoS).
>
> Exactly. If this is the best that we can do with mv88e6xxx, then so be
> it, but other implementations (software/hardware) do not have the same
> limitations and I don't see a reason to bend them.
>
> Regarding "learning" vs. "mab" (or something else), the former is a
> well-defined flag available since forever. In 5.18 and 5.19 it can also
> be enabled together with "locked" and packets from an unauthorized host
> (modulo link-local ones) will not populate the FDB. I prefer not to
> change an existing behavior.
>
> From usability point of view, I think a new flag would be easier to
> explain than explaining that "learning on" behaves like A or B, based
> on
> whether "locked on" is set. The bridge can also be taught to forbid the
> new flag from being set when "locked" is not set.
>
> A user space daemon that wants to try 802.1x and fallback to MAB can
> enable both flags or enable "mab" after some timer expires.
With this driver it is not really an option to use +learning for a
opt-in for MAB. I think locked port should always have -learning before
locking the port. In fact there is a problem in this implementation with
MAB if -learning is applied after locking the port, as that will disable
MAB, but also refresh and all other violation interrupts.
So I guess I need to disable the learning flag to the driver when the
port is locked, or even from the bridge?
next prev parent reply other threads:[~2022-08-01 13:14 UTC|newest]
Thread overview: 137+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-07 15:29 [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-10 8:20 ` Ido Schimmel
2022-07-10 8:20 ` [Bridge] " Ido Schimmel
2022-07-07 15:29 ` [PATCH v4 net-next 2/6] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 8:54 ` Vladimir Oltean
2022-07-08 8:54 ` [Bridge] " Vladimir Oltean
2022-08-02 8:27 ` netdev
2022-08-02 8:27 ` [Bridge] " netdev
2022-08-02 10:13 ` netdev
2022-08-02 10:13 ` [Bridge] " netdev
2022-07-07 15:29 ` [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 7:12 ` kernel test robot
2022-07-08 8:49 ` Vladimir Oltean
2022-07-08 8:49 ` [Bridge] " Vladimir Oltean
2022-07-08 9:06 ` netdev
2022-07-08 9:06 ` [Bridge] " netdev
2022-07-08 9:15 ` Vladimir Oltean
2022-07-08 9:15 ` [Bridge] " Vladimir Oltean
2022-07-08 9:27 ` netdev
2022-07-08 9:27 ` [Bridge] " netdev
2022-07-08 9:50 ` netdev
2022-07-08 9:50 ` [Bridge] " netdev
2022-07-08 11:56 ` Vladimir Oltean
2022-07-08 11:56 ` [Bridge] " Vladimir Oltean
2022-07-08 12:34 ` netdev
2022-07-08 12:34 ` [Bridge] " netdev
2022-07-10 8:35 ` Ido Schimmel
2022-07-10 8:35 ` [Bridge] " Ido Schimmel
2022-07-13 7:09 ` netdev
2022-07-13 7:09 ` [Bridge] " netdev
2022-07-13 12:39 ` Ido Schimmel
2022-07-13 12:39 ` [Bridge] " Ido Schimmel
2022-07-17 12:21 ` netdev
2022-07-17 12:21 ` [Bridge] " netdev
2022-07-17 12:57 ` Vladimir Oltean
2022-07-17 12:57 ` [Bridge] " Vladimir Oltean
2022-07-17 13:09 ` netdev
2022-07-17 13:09 ` [Bridge] " netdev
2022-07-17 13:59 ` Vladimir Oltean
2022-07-17 13:59 ` [Bridge] " Vladimir Oltean
2022-07-17 14:57 ` netdev
2022-07-17 14:57 ` [Bridge] " netdev
2022-07-17 15:08 ` Vladimir Oltean
2022-07-17 15:08 ` [Bridge] " Vladimir Oltean
2022-07-17 16:10 ` netdev
2022-07-17 16:10 ` [Bridge] " netdev
2022-07-21 11:54 ` Vladimir Oltean
2022-07-21 11:54 ` [Bridge] " Vladimir Oltean
2022-07-17 15:20 ` Ido Schimmel
2022-07-17 15:20 ` [Bridge] " Ido Schimmel
2022-07-17 15:53 ` netdev
2022-07-17 15:53 ` [Bridge] " netdev
2022-07-21 11:59 ` Vladimir Oltean
2022-07-21 11:59 ` [Bridge] " Vladimir Oltean
2022-07-21 13:27 ` Ido Schimmel
2022-07-21 13:27 ` [Bridge] " Ido Schimmel
2022-07-21 14:20 ` Vladimir Oltean
2022-07-21 14:20 ` [Bridge] " Vladimir Oltean
2022-07-24 11:10 ` Ido Schimmel
2022-07-24 11:10 ` [Bridge] " Ido Schimmel
2022-08-01 11:57 ` netdev
2022-08-01 11:57 ` [Bridge] " netdev
2022-08-01 13:14 ` netdev [this message]
2022-08-01 13:14 ` netdev
2022-08-02 12:54 ` netdev
2022-08-02 12:54 ` [Bridge] " netdev
2022-08-01 15:33 ` netdev
2022-08-01 15:33 ` [Bridge] " netdev
2022-08-09 9:20 ` Ido Schimmel
2022-08-09 9:20 ` [Bridge] " Ido Schimmel
2022-08-09 20:00 ` netdev
2022-08-09 20:00 ` [Bridge] " netdev
2022-08-10 7:21 ` Ido Schimmel
2022-08-10 7:21 ` [Bridge] " Ido Schimmel
2022-08-10 8:40 ` netdev
2022-08-10 8:40 ` [Bridge] " netdev
2022-08-11 11:28 ` Ido Schimmel
2022-08-11 11:28 ` [Bridge] " Ido Schimmel
2022-08-12 15:33 ` netdev
2022-08-12 15:33 ` [Bridge] " netdev
2022-08-16 7:51 ` netdev
2022-08-16 7:51 ` [Bridge] " netdev
2022-08-17 6:21 ` Ido Schimmel
2022-08-17 6:21 ` [Bridge] " Ido Schimmel
2022-07-21 11:51 ` Vladimir Oltean
2022-07-21 11:51 ` [Bridge] " Vladimir Oltean
2022-07-08 20:39 ` kernel test robot
2022-07-07 15:29 ` [PATCH v4 net-next 4/6] net: dsa: mv88e6xxx: allow reading FID when handling ATU violations Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 5/6] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 9:46 ` kernel test robot
2022-07-17 0:47 ` Vladimir Oltean
2022-07-17 0:47 ` [Bridge] " Vladimir Oltean
2022-07-17 12:34 ` netdev
2022-07-17 12:34 ` [Bridge] " netdev
2022-07-21 12:04 ` Vladimir Oltean
2022-07-21 12:04 ` [Bridge] " Vladimir Oltean
2022-08-19 8:28 ` netdev
2022-08-19 8:28 ` [Bridge] " netdev
2022-07-07 15:29 ` [PATCH v4 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-10 7:29 ` Ido Schimmel
2022-07-10 7:29 ` [Bridge] " Ido Schimmel
2022-07-12 12:28 ` netdev
2022-07-12 12:28 ` [Bridge] " netdev
2022-07-08 1:00 ` [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Jakub Kicinski
2022-07-08 1:00 ` [Bridge] " Jakub Kicinski
2022-08-11 5:09 ` Benjamin Poirier
2022-08-11 5:09 ` [Bridge] " Benjamin Poirier
-- strict thread matches above, loose matches on Subject: below --
2022-08-12 12:29 [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers netdev
2022-08-14 14:55 ` Ido Schimmel
2022-08-19 9:51 ` netdev
2022-08-21 7:08 ` Ido Schimmel
2022-08-21 13:43 ` netdev
2022-08-22 5:40 ` Ido Schimmel
2022-08-22 7:49 ` netdev
2022-08-23 6:48 ` Ido Schimmel
2022-08-23 7:13 ` netdev
2022-08-23 7:24 ` Ido Schimmel
2022-08-23 7:37 ` netdev
2022-08-23 12:36 ` Ido Schimmel
2022-08-24 7:07 ` netdev
2022-08-23 11:41 ` netdev
2022-08-25 9:36 ` Ido Schimmel
2022-08-25 10:28 ` netdev
2022-08-25 15:14 ` netdev
2022-08-24 20:29 ` netdev
2022-08-25 9:23 ` Ido Schimmel
2022-08-25 10:27 ` netdev
2022-08-25 11:58 ` Ido Schimmel
2022-08-25 13:41 ` netdev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2c95ec0a86674c598b5faf6d66410e1f@kapio-technology.com \
--to=netdev@kapio-technology.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=f.fainelli@gmail.com \
--cc=idosch@nvidia.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=shuah@kernel.org \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.