From: Ido Schimmel <idosch@nvidia.com>
To: Vladimir Oltean <olteanv@gmail.com>
Cc: netdev@kapio-technology.com, davem@davemloft.net,
kuba@kernel.org, netdev@vger.kernel.org,
Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Shuah Khan <shuah@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers
Date: Thu, 21 Jul 2022 16:27:52 +0300 [thread overview]
Message-ID: <YtlUWGdgViyjF6MK@shredder> (raw)
In-Reply-To: <20220721115935.5ctsbtoojtoxxubi@skbuf>
On Thu, Jul 21, 2022 at 02:59:35PM +0300, Vladimir Oltean wrote:
> On Sun, Jul 17, 2022 at 05:53:22PM +0200, netdev@kapio-technology.com wrote:
> > > 3. What happens to packets with a DA matching the zero-DPV entry, are
> > > they also discarded in hardware? If so, here we differ from the bridge
> > > driver implementation where such packets will be forwarded according to
> > > the locked entry and egress the locked port
> >
> > I understand that egress will follow what is setup with regard to UC, MC and
> > BC, though I haven't tested that. But no replies will get through of course
> > as long as the port hasn't been opened for the iface behind the locked port.
>
> Here, should we be rather fixing the software bridge, if the current
> behavior is to forward packets towards locked FDB entries?
I think the bridge needs to be fixed, but not to discard packets. If I
decided to lock a port, it means I do not blindly trust whoever who
is behind the port, but instead want to authorize them first. Since an
unauthorized user is able to create locked FDB entries we need to
carefully define what they mean. I tried looking information about MAB
online, but couldn't find detailed material that answers my questions,
so my answers are based on what I believe is logical, which might be
wrong.
Currently, the bridge will forward packets to a locked entry which
effectively means that an unauthorized host can cause the bridge to
direct packets to it and sniff them. Yes, the host can't send any
packets through the port (while locked) and can't overtake an existing
(unlocked) FDB entry, but it still seems like an odd decision. IMO, the
situation in mv88e6xxx is even worse because there an unauthorized host
can cause packets to a certain DMAC to be blackholed via its zero-DPV
entry.
Another (minor?) issue is that locked entries cannot roam between locked
ports. Lets say that my user space MAB policy is to authorize MAC X if
it appears behind one of the locked ports swp1-swp4. An unauthorized
host behind locked port swp5 can generate packets with SMAC X,
preventing the true owner of this MAC behind swp1 from ever being
authorized.
It seems like the main purpose of these locked entries is to signal to
user space the presence of a certain MAC behind a locked port, but they
should not be able to affect packet forwarding in the bridge, unlike
regular entries.
Regarding a separate knob for MAB, I tend to agree we need it. Otherwise
we cannot control which locked ports are able to populate the FDB with
locked entries. I don't particularly like the fact that we overload an
existing flag ("learning") for that. Any reason not to add an explicit
flag ("mab")? At least with the current implementation, locked entries
cannot roam between locked ports and cannot be refreshed, which differs
from regular learning.
WARNING: multiple messages have this Message-ID (diff)
From: Ido Schimmel <idosch@nvidia.com>
To: Vladimir Oltean <olteanv@gmail.com>
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
Florian Fainelli <f.fainelli@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
Daniel Borkmann <daniel@iogearbox.net>,
bridge@lists.linux-foundation.org, netdev@vger.kernel.org,
Nikolay Aleksandrov <razor@blackwall.org>,
Roopa Prabhu <roopa@nvidia.com>,
linux-kernel@vger.kernel.org,
Vivien Didelot <vivien.didelot@gmail.com>,
Eric Dumazet <edumazet@google.com>,
linux-kselftest@vger.kernel.org, netdev@kapio-technology.com,
kuba@kernel.org, Paolo Abeni <pabeni@redhat.com>,
Shuah Khan <shuah@kernel.org>,
davem@davemloft.net
Subject: Re: [Bridge] [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers
Date: Thu, 21 Jul 2022 16:27:52 +0300 [thread overview]
Message-ID: <YtlUWGdgViyjF6MK@shredder> (raw)
In-Reply-To: <20220721115935.5ctsbtoojtoxxubi@skbuf>
On Thu, Jul 21, 2022 at 02:59:35PM +0300, Vladimir Oltean wrote:
> On Sun, Jul 17, 2022 at 05:53:22PM +0200, netdev@kapio-technology.com wrote:
> > > 3. What happens to packets with a DA matching the zero-DPV entry, are
> > > they also discarded in hardware? If so, here we differ from the bridge
> > > driver implementation where such packets will be forwarded according to
> > > the locked entry and egress the locked port
> >
> > I understand that egress will follow what is setup with regard to UC, MC and
> > BC, though I haven't tested that. But no replies will get through of course
> > as long as the port hasn't been opened for the iface behind the locked port.
>
> Here, should we be rather fixing the software bridge, if the current
> behavior is to forward packets towards locked FDB entries?
I think the bridge needs to be fixed, but not to discard packets. If I
decided to lock a port, it means I do not blindly trust whoever who
is behind the port, but instead want to authorize them first. Since an
unauthorized user is able to create locked FDB entries we need to
carefully define what they mean. I tried looking information about MAB
online, but couldn't find detailed material that answers my questions,
so my answers are based on what I believe is logical, which might be
wrong.
Currently, the bridge will forward packets to a locked entry which
effectively means that an unauthorized host can cause the bridge to
direct packets to it and sniff them. Yes, the host can't send any
packets through the port (while locked) and can't overtake an existing
(unlocked) FDB entry, but it still seems like an odd decision. IMO, the
situation in mv88e6xxx is even worse because there an unauthorized host
can cause packets to a certain DMAC to be blackholed via its zero-DPV
entry.
Another (minor?) issue is that locked entries cannot roam between locked
ports. Lets say that my user space MAB policy is to authorize MAC X if
it appears behind one of the locked ports swp1-swp4. An unauthorized
host behind locked port swp5 can generate packets with SMAC X,
preventing the true owner of this MAC behind swp1 from ever being
authorized.
It seems like the main purpose of these locked entries is to signal to
user space the presence of a certain MAC behind a locked port, but they
should not be able to affect packet forwarding in the bridge, unlike
regular entries.
Regarding a separate knob for MAB, I tend to agree we need it. Otherwise
we cannot control which locked ports are able to populate the FDB with
locked entries. I don't particularly like the fact that we overload an
existing flag ("learning") for that. Any reason not to add an explicit
flag ("mab")? At least with the current implementation, locked entries
cannot roam between locked ports and cannot be refreshed, which differs
from regular learning.
next prev parent reply other threads:[~2022-07-21 13:28 UTC|newest]
Thread overview: 137+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-07 15:29 [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 1/6] net: bridge: add locked entry fdb flag to extend locked port feature Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-10 8:20 ` Ido Schimmel
2022-07-10 8:20 ` [Bridge] " Ido Schimmel
2022-07-07 15:29 ` [PATCH v4 net-next 2/6] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 8:54 ` Vladimir Oltean
2022-07-08 8:54 ` [Bridge] " Vladimir Oltean
2022-08-02 8:27 ` netdev
2022-08-02 8:27 ` [Bridge] " netdev
2022-08-02 10:13 ` netdev
2022-08-02 10:13 ` [Bridge] " netdev
2022-07-07 15:29 ` [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 7:12 ` kernel test robot
2022-07-08 8:49 ` Vladimir Oltean
2022-07-08 8:49 ` [Bridge] " Vladimir Oltean
2022-07-08 9:06 ` netdev
2022-07-08 9:06 ` [Bridge] " netdev
2022-07-08 9:15 ` Vladimir Oltean
2022-07-08 9:15 ` [Bridge] " Vladimir Oltean
2022-07-08 9:27 ` netdev
2022-07-08 9:27 ` [Bridge] " netdev
2022-07-08 9:50 ` netdev
2022-07-08 9:50 ` [Bridge] " netdev
2022-07-08 11:56 ` Vladimir Oltean
2022-07-08 11:56 ` [Bridge] " Vladimir Oltean
2022-07-08 12:34 ` netdev
2022-07-08 12:34 ` [Bridge] " netdev
2022-07-10 8:35 ` Ido Schimmel
2022-07-10 8:35 ` [Bridge] " Ido Schimmel
2022-07-13 7:09 ` netdev
2022-07-13 7:09 ` [Bridge] " netdev
2022-07-13 12:39 ` Ido Schimmel
2022-07-13 12:39 ` [Bridge] " Ido Schimmel
2022-07-17 12:21 ` netdev
2022-07-17 12:21 ` [Bridge] " netdev
2022-07-17 12:57 ` Vladimir Oltean
2022-07-17 12:57 ` [Bridge] " Vladimir Oltean
2022-07-17 13:09 ` netdev
2022-07-17 13:09 ` [Bridge] " netdev
2022-07-17 13:59 ` Vladimir Oltean
2022-07-17 13:59 ` [Bridge] " Vladimir Oltean
2022-07-17 14:57 ` netdev
2022-07-17 14:57 ` [Bridge] " netdev
2022-07-17 15:08 ` Vladimir Oltean
2022-07-17 15:08 ` [Bridge] " Vladimir Oltean
2022-07-17 16:10 ` netdev
2022-07-17 16:10 ` [Bridge] " netdev
2022-07-21 11:54 ` Vladimir Oltean
2022-07-21 11:54 ` [Bridge] " Vladimir Oltean
2022-07-17 15:20 ` Ido Schimmel
2022-07-17 15:20 ` [Bridge] " Ido Schimmel
2022-07-17 15:53 ` netdev
2022-07-17 15:53 ` [Bridge] " netdev
2022-07-21 11:59 ` Vladimir Oltean
2022-07-21 11:59 ` [Bridge] " Vladimir Oltean
2022-07-21 13:27 ` Ido Schimmel [this message]
2022-07-21 13:27 ` Ido Schimmel
2022-07-21 14:20 ` Vladimir Oltean
2022-07-21 14:20 ` [Bridge] " Vladimir Oltean
2022-07-24 11:10 ` Ido Schimmel
2022-07-24 11:10 ` [Bridge] " Ido Schimmel
2022-08-01 11:57 ` netdev
2022-08-01 11:57 ` [Bridge] " netdev
2022-08-01 13:14 ` netdev
2022-08-01 13:14 ` [Bridge] " netdev
2022-08-02 12:54 ` netdev
2022-08-02 12:54 ` [Bridge] " netdev
2022-08-01 15:33 ` netdev
2022-08-01 15:33 ` [Bridge] " netdev
2022-08-09 9:20 ` Ido Schimmel
2022-08-09 9:20 ` [Bridge] " Ido Schimmel
2022-08-09 20:00 ` netdev
2022-08-09 20:00 ` [Bridge] " netdev
2022-08-10 7:21 ` Ido Schimmel
2022-08-10 7:21 ` [Bridge] " Ido Schimmel
2022-08-10 8:40 ` netdev
2022-08-10 8:40 ` [Bridge] " netdev
2022-08-11 11:28 ` Ido Schimmel
2022-08-11 11:28 ` [Bridge] " Ido Schimmel
2022-08-12 15:33 ` netdev
2022-08-12 15:33 ` [Bridge] " netdev
2022-08-16 7:51 ` netdev
2022-08-16 7:51 ` [Bridge] " netdev
2022-08-17 6:21 ` Ido Schimmel
2022-08-17 6:21 ` [Bridge] " Ido Schimmel
2022-07-21 11:51 ` Vladimir Oltean
2022-07-21 11:51 ` [Bridge] " Vladimir Oltean
2022-07-08 20:39 ` kernel test robot
2022-07-07 15:29 ` [PATCH v4 net-next 4/6] net: dsa: mv88e6xxx: allow reading FID when handling ATU violations Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-07 15:29 ` [PATCH v4 net-next 5/6] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-08 9:46 ` kernel test robot
2022-07-17 0:47 ` Vladimir Oltean
2022-07-17 0:47 ` [Bridge] " Vladimir Oltean
2022-07-17 12:34 ` netdev
2022-07-17 12:34 ` [Bridge] " netdev
2022-07-21 12:04 ` Vladimir Oltean
2022-07-21 12:04 ` [Bridge] " Vladimir Oltean
2022-08-19 8:28 ` netdev
2022-08-19 8:28 ` [Bridge] " netdev
2022-07-07 15:29 ` [PATCH v4 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-07-07 15:29 ` [Bridge] " Hans Schultz
2022-07-10 7:29 ` Ido Schimmel
2022-07-10 7:29 ` [Bridge] " Ido Schimmel
2022-07-12 12:28 ` netdev
2022-07-12 12:28 ` [Bridge] " netdev
2022-07-08 1:00 ` [PATCH v4 net-next 0/6] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Jakub Kicinski
2022-07-08 1:00 ` [Bridge] " Jakub Kicinski
2022-08-11 5:09 ` Benjamin Poirier
2022-08-11 5:09 ` [Bridge] " Benjamin Poirier
-- strict thread matches above, loose matches on Subject: below --
2022-08-12 12:29 [PATCH v4 net-next 3/6] drivers: net: dsa: add locked fdb entry flag to drivers netdev
2022-08-14 14:55 ` Ido Schimmel
2022-08-19 9:51 ` netdev
2022-08-21 7:08 ` Ido Schimmel
2022-08-21 13:43 ` netdev
2022-08-22 5:40 ` Ido Schimmel
2022-08-22 7:49 ` netdev
2022-08-23 6:48 ` Ido Schimmel
2022-08-23 7:13 ` netdev
2022-08-23 7:24 ` Ido Schimmel
2022-08-23 7:37 ` netdev
2022-08-23 12:36 ` Ido Schimmel
2022-08-24 7:07 ` netdev
2022-08-23 11:41 ` netdev
2022-08-25 9:36 ` Ido Schimmel
2022-08-25 10:28 ` netdev
2022-08-25 15:14 ` netdev
2022-08-24 20:29 ` netdev
2022-08-25 9:23 ` Ido Schimmel
2022-08-25 10:27 ` netdev
2022-08-25 11:58 ` Ido Schimmel
2022-08-25 13:41 ` netdev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YtlUWGdgViyjF6MK@shredder \
--to=idosch@nvidia.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=f.fainelli@gmail.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@kapio-technology.com \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=shuah@kernel.org \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.