Thread (71 messages) 71 messages, 4 authors, 2024-07-19

Re: [PATCH net-next v5 22/25] ovpn: kill key and notify userspace in case of IV exhaustion

From: Antonio Quartulli <antonio@openvpn.net>
Date: 2024-07-17 13:36:15

On 17/07/2024 15:26, Sabrina Dubroca wrote:
2024-07-17, 13:03:11 +0200, Antonio Quartulli wrote:
quoted
On 17/07/2024 12:42, Sabrina Dubroca wrote:
quoted
I don't see any way for userspace to know the current IV state (no
notification for when the packetid gets past some threshold, and
pid_xmit isn't getting dumped via netlink), so no chance for userspace
to swap keys early and avoid running out of IVs. And then, since we
don't have a usable primary key anymore, we will have to drop packets
until userspace tells the kernel to swap the keys (or possibly install
a secondary).

Am I missing something in the kernel/userspace interaction?
There are two events triggering userspace to generate a new key:
1) time based
2) packet count based

1) is easy: after X seconds/minutes generate a new key and send it to the
kernel. It's obviously based on guestimate and normally our default works
well.

2) after X packets/bytes generate a new key. Here userspace keeps track of
the amount of traffic by periodically polling GET_PEER and fetching the
VPN/LINK stats.
Oh right, that's what I was missing. TX packet count should be
equivalent to packetid. Thanks.
np!
quoted
A future improvement could be to have ovpn proactively notifying userspace
after reaching a certain threshold, but for now this mechanism does not
exist.
If it's not there from the start, you won't be able to rely on it
(because the userspace client may run on a kernel that does not
provide the notification), so you would still have to fetch the stats,
unless you have a way to poll for the threshold notification feature
being present.
You're right. Then scratch that because userspace is not ready for this.
quoted
I hope it helps.
Yup, thanks. Can you add this explanation to the commit message for
this patch in the next version? Documenting a bit the expectations of
the kernel/userspace interactions would be helpful, also for the
sequencing of key installation/key swap operations. I'm guessing it
goes something like this:
Sure, will document how this works.
  1. client sets up a primary key (key#1) and uses it
  2. at some point, it sets up a secondary key (key#2)
  3. later, keys are swapped (key#2 is now primary)
  4. after some more time, the secondary (key#1) is removed and a new
     secondary (key#3) is installed
  [steps 3 and 4 keep repeating]

And from reading patch 21, both the TX and RX key seem to be changed
together (swap and delete operate on the whole keyslot, and set
requires both the ENCRYPT_DIR and DECRYPT_DIR attributes).
You are correct. Encryption and decryption keys are derived from the 
same key material that is exchanged/generated upon each "renegotiation".
A rough description of the overall life of a client (opening sockets
and setting up the ovpn device/peers) could also be useful alongside
the code.
ok, will add it too!

Thanks!


-- 
Antonio Quartulli
OpenVPN Inc.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help