Thread (33 messages) 33 messages, 5 authors, 2023-06-19

Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set

From: Dmitry Safonov <hidden>
Date: 2023-06-19 17:00:14
Also in: lkml

On 6/19/23 17:41, Dmitry Safonov wrote:
On 6/19/23 17:31, Dmitry Safonov wrote:
quoted
Hi David,

On 6/18/23 18:50, David Ahern wrote:
quoted
On 6/14/23 4:09 PM, Dmitry Safonov wrote:
quoted
Be as conservative as possible: if there is TCP-MD5 key for a given peer
regardless of L3 interface - don't allow setting TCP-AO key for the same
peer. According to RFC5925, TCP-AO is supposed to replace TCP-MD5 and
there can't be any switch between both on any connected tuple.
Later it can be relaxed, if there's a use, but in the beginning restrict
any intersection.

Note: it's still should be possible to set both TCP-MD5 and TCP-AO keys
on a listening socket for *different* peers.
Does the testsuite cover use of both MD5 and AO for a single listening
socket with different peers and then other tests covering attempts to
use both for a same peer?
Thanks for the question, I have written the following tests for
AO/MD5/unsigned listening socket [1]:

1. Listener with TCP-AO key, which has addr = INADDR_ANY
2. Listener with TCP-MD5 key, which has tcpm_addr = INADDR_ANY
3. Listener without any key

Then there's AO_REQUIRED thing, which BGP folks asked to introduce,
which is (7.3) from RFC5925, an option that is per-ao_info, which makes
such socket accepting only TCP-AO enabled segments.

So, 4. Listener with TCP-AO, AO_REQUIRED flag.

And then, going to non-INADDR_ANY:
5. Listener with TCP-AO and TCP-MD5 keys for different peers.

Here again, for each of AO/MD5/unsigned methods, attempt to connect:
6. outside of both key peers
7. inside correct key: i.e. TCP-MD5 client to TCP-MD5 matching key
8. to a wrong key: i.e. TCP-AO client to TCP-MD5 matching key

And another type of checks are the ones expecting *setsockopt()* to fail:
9. Adding TCP-AO key that matches the same peer as TCP-MD5 key
10. The reverse situation
11. Adding TCP-MD5 key to AO_REQUIRED socket
12. Setting AO_REQUIRED on a socket with TCP-MD5 key
13. Adding TCP-AO key on already established connection without any key
Oh, yeah, forgot to mention, there are another 2 tests for TCP_CLOSE
socket (just a new one), that has both TCP-AO and TCP-MD5 keys and tries
to call connect(). In discussion with the team, it seems really
unexpected situation and better to force userspace to remove either AO
or MD5 key before calling connect(). Those from the output in [1] are:
quoted
ok 39 AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys:
connect() was prevented
quoted
ok 40 AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys:
connect() was prevented
And while starring at the selftest results, I noticed in the output
sample a copy-n-paste typo for VRFs, this:
ok 60 VRF: TCP-AO key (l3index=0) + TCP-MD5 key (no l3index)
ok 61 VRF: TCP-MD5 key (no l3index) + TCP-AO key (l3index=0)
Should be read as
ok 60 VRF: TCP-AO key (l3index=0) + TCP-MD5 key (l3index=N)
ok 61 VRF: TCP-MD5 key (l3index=N) + TCP-AO key (l3index=0)
(those checks are corresponding to the table in VRF-support commit [2])

quoted
And then another bunch of tests that check TCP-AO/TCP-MD5/unsigned
interaction in non/default VRFs.
I think the output of selftest [1] is more-or-less self-descriptive,
correct me if I could improve that.

[1]
https://github.com/0x7f454c46/linux/commit/d7b321f2b5a481e5ff0e80e2e0b3503b1ddb9817
[2]
https://lore.kernel.org/all/20230614230947.3954084-22-dima@arista.com/T/#u (local)

Thanks,
             Dmitry
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help