From: David Woodhouse <dwmw2@infradead.org>
To: Phil Sutter <phil@nwl.cc>
Cc: David Miller <davem@davemloft.net>,
mst@redhat.com, herbert@gondor.apana.org.au,
eric.dumazet@gmail.com, jan.kiszka@siemens.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
qemu-devel@nongnu.org
Subject: Re: [PATCH] tun: orphan an skb on tx
Date: Mon, 02 Feb 2015 15:47:00 +0000 [thread overview]
Message-ID: <1422892020.5293.272.camel@infradead.org> (raw)
In-Reply-To: <20150202152343.GA15880@orbit.nwl.cc>
[-- Attachment #1: Type: text/plain, Size: 3552 bytes --]
On Mon, 2015-02-02 at 16:23 +0100, Phil Sutter wrote:
> Since you want to provide connectivity over HTTPS which is not possible
> in kernel space, you are stuck with keeping the tun device. So the
> packet flow in that case is identical to how e.g. OpenVPN does it:
>
> - tunX holds default route
> - OpenConnect then:
> - receives packets on /dev/tun
> - holds TCP socket to VPN concentrator
> - does encapsulation into TLS
>
> Speaking of optimisation, the interesting part is the alternative flow
> via IPsec in UDP.
Right. The packet flow you describe is what we already have. Except of
course we already *do* establish the UDP connection (which is DTLS when
we're talking to a Cisco AnyConnect server, and ESP in UDP when we're
talking to Juniper). If we get responses to keepalive packets, we'll
send outbound packets over the UDP connection. If the UDP connectivity
goes AWOL, we'll fall back to sending on TCP. Rekeying of the UDP
connection is handled over the TCP control connection too. Even in the
DTLS case, the master secret and session ID are exchanged over TCP and
the DTLS is actually done as a 'session resume', without the normal DTLS
handshake ever happening.
As you say, I'm stuck with keeping the tun device (or something very
much like it). This *isn't* like vpnc where I can set up an IPSec config
and just let it run.
> AFAICT, it should be possible to setup an ESP in UDP
> tunnel using XFRM (see ip-xfrm(8) for reference), although I didn't try
> that myself. The funny thing with XFRM is, it applies before the routing
> decision does: If my IPsec policy matches, the packet goes that way no
> matter what the routing table says about the original destination. This
> can be used to override the default route provided via tun0 in the above
> case.
Except it isn't even the default route. We get given a bunch of split
includes or split excludes from the VPN server. We pass them to
vpnc-script or NetworkManager to actually set the routes up, and those
tools may make their own tweaks to what the server requested — denying
the default route and setting up explicit routes, or adding firewall
rules or NAT to incoming/outgoing packets on the tun device.
If it is no longer *just* the single tun device, everything gets really
complicated. Even *before* we talk about changing it on the fly during
normal operation.
> Of course, OpenConnect has to manage all the XFRM/policy stuff on it's
> own, since switching from ESP in UDP back to TLS would mean to tear down
> the XFRM tunnel. OpenConnect would have to setup (a limited) XFRM and
> send test traffic to decide whether to set it up fully (if limited) or
> tear it down (if unlimited) again so traffic arrives at tunX again.
Right. And ideally without CAP_NET_ADMIN.
> In my opinion, this might work. The whole setup is probably about as
> intuitive as the fact that kernel IPsec tunnel mode does not naturally
> provide an own interface. Firewall setup on top of that might become a
> matter of try-and-error. Maybe having a VTI interface and merely moving
> the default route instead of fiddling with policies all the time might
> make things a little easier to comprehend, but surely adds some
> performance overhead.
I think even the latter is sufficiently complex to manage that it's not
worth pursuing. I may throw together my suggested hack using
tun_get_socket() and see how much it makes *me* barf before deciding
whether to show it here for more feedback :)
--
dwmw2
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5745 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: David Woodhouse <dwmw2@infradead.org>
To: Phil Sutter <phil@nwl.cc>
Cc: herbert@gondor.apana.org.au, eric.dumazet@gmail.com,
mst@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, qemu-devel@nongnu.org,
jan.kiszka@siemens.com, David Miller <davem@davemloft.net>
Subject: Re: [Qemu-devel] [PATCH] tun: orphan an skb on tx
Date: Mon, 02 Feb 2015 15:47:00 +0000 [thread overview]
Message-ID: <1422892020.5293.272.camel@infradead.org> (raw)
In-Reply-To: <20150202152343.GA15880@orbit.nwl.cc>
[-- Attachment #1: Type: text/plain, Size: 3552 bytes --]
On Mon, 2015-02-02 at 16:23 +0100, Phil Sutter wrote:
> Since you want to provide connectivity over HTTPS which is not possible
> in kernel space, you are stuck with keeping the tun device. So the
> packet flow in that case is identical to how e.g. OpenVPN does it:
>
> - tunX holds default route
> - OpenConnect then:
> - receives packets on /dev/tun
> - holds TCP socket to VPN concentrator
> - does encapsulation into TLS
>
> Speaking of optimisation, the interesting part is the alternative flow
> via IPsec in UDP.
Right. The packet flow you describe is what we already have. Except of
course we already *do* establish the UDP connection (which is DTLS when
we're talking to a Cisco AnyConnect server, and ESP in UDP when we're
talking to Juniper). If we get responses to keepalive packets, we'll
send outbound packets over the UDP connection. If the UDP connectivity
goes AWOL, we'll fall back to sending on TCP. Rekeying of the UDP
connection is handled over the TCP control connection too. Even in the
DTLS case, the master secret and session ID are exchanged over TCP and
the DTLS is actually done as a 'session resume', without the normal DTLS
handshake ever happening.
As you say, I'm stuck with keeping the tun device (or something very
much like it). This *isn't* like vpnc where I can set up an IPSec config
and just let it run.
> AFAICT, it should be possible to setup an ESP in UDP
> tunnel using XFRM (see ip-xfrm(8) for reference), although I didn't try
> that myself. The funny thing with XFRM is, it applies before the routing
> decision does: If my IPsec policy matches, the packet goes that way no
> matter what the routing table says about the original destination. This
> can be used to override the default route provided via tun0 in the above
> case.
Except it isn't even the default route. We get given a bunch of split
includes or split excludes from the VPN server. We pass them to
vpnc-script or NetworkManager to actually set the routes up, and those
tools may make their own tweaks to what the server requested — denying
the default route and setting up explicit routes, or adding firewall
rules or NAT to incoming/outgoing packets on the tun device.
If it is no longer *just* the single tun device, everything gets really
complicated. Even *before* we talk about changing it on the fly during
normal operation.
> Of course, OpenConnect has to manage all the XFRM/policy stuff on it's
> own, since switching from ESP in UDP back to TLS would mean to tear down
> the XFRM tunnel. OpenConnect would have to setup (a limited) XFRM and
> send test traffic to decide whether to set it up fully (if limited) or
> tear it down (if unlimited) again so traffic arrives at tunX again.
Right. And ideally without CAP_NET_ADMIN.
> In my opinion, this might work. The whole setup is probably about as
> intuitive as the fact that kernel IPsec tunnel mode does not naturally
> provide an own interface. Firewall setup on top of that might become a
> matter of try-and-error. Maybe having a VTI interface and merely moving
> the default route instead of fiddling with policies all the time might
> make things a little easier to comprehend, but surely adds some
> performance overhead.
I think even the latter is sufficiently complex to manage that it's not
worth pursuing. I may throw together my suggested hack using
tun_get_socket() and see how much it makes *me* barf before deciding
whether to show it here for more feedback :)
--
dwmw2
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5745 bytes --]
next prev parent reply other threads:[~2015-02-02 15:47 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-13 14:59 [PATCH] tun: orphan an skb on tx Michael S. Tsirkin
2010-04-13 14:59 ` [Qemu-devel] " Michael S. Tsirkin
2010-04-13 15:12 ` Herbert Xu
2010-04-13 15:12 ` [Qemu-devel] " Herbert Xu
2010-04-13 15:12 ` Herbert Xu
2010-04-13 15:36 ` Jan Kiszka
2010-04-13 15:36 ` [Qemu-devel] " Jan Kiszka
2010-04-13 16:40 ` Eric Dumazet
2010-04-13 16:40 ` [Qemu-devel] " Eric Dumazet
2010-04-13 16:52 ` Jan Kiszka
2010-04-13 16:52 ` [Qemu-devel] " Jan Kiszka
2010-04-13 17:39 ` Michael S. Tsirkin
2010-04-13 17:39 ` [Qemu-devel] " Michael S. Tsirkin
2010-04-13 18:31 ` Eric Dumazet
2010-04-13 18:31 ` [Qemu-devel] " Eric Dumazet
2010-04-13 20:25 ` Michael S. Tsirkin
2010-04-13 20:25 ` [Qemu-devel] " Michael S. Tsirkin
2010-04-13 20:38 ` Eric Dumazet
2010-04-13 20:38 ` [Qemu-devel] " Eric Dumazet
2010-04-13 20:43 ` Michael S. Tsirkin
2010-04-13 20:43 ` [Qemu-devel] " Michael S. Tsirkin
2010-04-14 0:58 ` Herbert Xu
2010-04-14 0:58 ` [Qemu-devel] " Herbert Xu
2010-04-14 0:58 ` Herbert Xu
2010-04-14 11:55 ` David Miller
2010-04-14 11:55 ` [Qemu-devel] " David Miller
2010-04-14 11:55 ` David Miller
2015-02-01 11:20 ` David Woodhouse
2015-02-01 11:20 ` [Qemu-devel] " David Woodhouse
2015-02-01 12:26 ` Michael S. Tsirkin
2015-02-01 12:26 ` [Qemu-devel] " Michael S. Tsirkin
2015-02-01 13:33 ` David Woodhouse
2015-02-01 13:33 ` [Qemu-devel] " David Woodhouse
2015-02-01 20:19 ` David Miller
2015-02-01 20:19 ` [Qemu-devel] " David Miller
2015-02-01 21:29 ` David Woodhouse
2015-02-01 21:29 ` [Qemu-devel] " David Woodhouse
2015-02-02 5:07 ` David Miller
2015-02-02 5:07 ` [Qemu-devel] " David Miller
2015-02-02 5:07 ` David Miller
2015-02-02 7:27 ` David Woodhouse
2015-02-02 7:27 ` [Qemu-devel] " David Woodhouse
2015-02-02 8:24 ` Steffen Klassert
2015-02-02 8:24 ` [Qemu-devel] " Steffen Klassert
2015-02-02 15:30 ` David Woodhouse
2015-02-02 15:30 ` [Qemu-devel] " David Woodhouse
2015-02-02 15:23 ` Phil Sutter
2015-02-02 15:23 ` [Qemu-devel] " Phil Sutter
2015-02-02 15:47 ` David Woodhouse [this message]
2015-02-02 15:47 ` David Woodhouse
2015-02-04 0:19 ` David Miller
2015-02-04 0:19 ` [Qemu-devel] " David Miller
2015-02-04 6:35 ` David Woodhouse
2015-02-04 6:35 ` [Qemu-devel] " David Woodhouse
2021-06-25 15:56 ` Bringing the SSL VPN data path back in-kernel David Woodhouse
2010-04-21 11:35 ` [PATCH] tun: orphan an skb on tx Michael S. Tsirkin
2010-04-21 11:35 ` [Qemu-devel] " Michael S. Tsirkin
2010-04-21 11:46 ` Jan Kiszka
2010-04-21 11:46 ` [Qemu-devel] " Jan Kiszka
2010-04-21 11:45 ` Michael S. Tsirkin
2010-04-21 11:45 ` [Qemu-devel] " Michael S. Tsirkin
2010-04-21 19:16 ` [stable] " Greg KH
2010-04-21 19:16 ` [Qemu-devel] " Greg KH
2010-09-14 15:20 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1422892020.5293.272.camel@infradead.org \
--to=dwmw2@infradead.org \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=jan.kiszka@siemens.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=phil@nwl.cc \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.