Re: [PATCH v9] virtio-net: support inner header hash

["Michael S. Tsirkin" <mst@redhat.com>]

On Tue, Feb 21, 2023 at 07:29:20PM +0000, Parav Pandit wrote:
> > > When a specific receive queue is shared to receive packets of multiple
> > tunnels, there is no quality of service for packets of multiple tunnels.
> > 
> > "shared to receive" is not grammatical either :)
> > 
> "Shared by multiple tunnels" will make it grammatical?

I think so, yes.

> > If you are talking about a security risk you need to explain
> > 1- what is the threat, what configurations are affected.
> > 2- what is the attack type: DOS, information leak, etc.
> > 3- how to mitigate it
> > 
> > This text touches a bit on 1 and 2 but not in an ordererly way.
> > 
> > 
> it is best effort based.
> 
> #3 is outside the scope of this patch set.

Scope is from greek for "target". It's what we are aiming for.
If we document a security risk then I would say yes we should aim
to provide not just problems but solutions too.

> > > +
> > > > +This can pose several security risks:
> > > > +\begin{itemize}
> > > > +\item  Encapsulated packets in the normal tunnels cannot be
> > > > +enqueued due to
> > > > queue
> > > > +       overflow, resulting in a large amount of packet loss.
> > > > +\item  The delay and retransmission of packets in the normal
> > > > +tunnels are
> > > > extremely increased.
> > > This is something very protocol specific and doesn't belong here.
> > 
> > I don't see how it's specific - many protocols have retransmission and are
> > affected by delays. "extremely increased" sounds unrammatical to me though.
> > 
> > 
> I am not sure where you want to lead this discussion.

I just disagree that documenting timing effects does not belong in the
spec.

> I am trying to help the spec and feature definition to be compact enough to progress.
> 
> It is specific to a protocol(s) and somehow arbitrarily concluded with a large number of packet losses.
> Maybe only one ICMP packet got dropped and retransmit was just one packet.
> Maybe it was TCP with selective retransmit enabled/disabled.
> 
> As far as receive side is concerned, it should say that there is no QoS among different tunnels.
> The user will figure out how to mitigate when such QoS is not available. Either to run in best-effort mode or mitigate differently.

So you are saying either live with the problem (this is best effort yes?)
or find your own solutions? Such as?


> > > > +\item  The user can observe the traffic information and enqueue
> > > > +information
> > > > of other normal
> > > > +       tunnels, and conduct targeted DoS attacks.
> > > Once hash_report_tunnel_types is removed, this second attack is no longer
> > applicable.
> > > Hence, please remove this too.
> > 
> > 
> > ?
> > I don't get how removing a field helps DoS.
> > 
> I meant for the "observe and enqueue" part of the tunnel as not applicable. 

Sorry still don't get it :( I don't know what is the "observe and enqueue" part of the tunnel
and what is not applicable. But maybe Heng Qi does.

> > \begin{lstlisting}  struct virtio_net_rss_config {
> > > >      le32 hash_types;
> > > > +    le32 hash_tunnel_types;
> > > This field is not needed as device config space advertisement for the support
> > is enough.
> > >
> > > If the intent is to enable hashing for the specific tunnel(s), an individual
> > command is better.
> > 
> > new command? I am not sure why we want that. why not handle tunnels like
> > we do other protocols?
> 
> I didn't follow.
> We probably discussed in another thread that to set M bits, it is wise to avoid setting N other bits just to keep the command happy, where N >>> M and these N have a very strong relation in hw resource setup and packet steering.
> Any examples of 'other protocols'?

#define VIRTIO_NET_HASH_TYPE_IPv4              (1 << 0)
#define VIRTIO_NET_HASH_TYPE_TCPv4             (1 << 1)
#define VIRTIO_NET_HASH_TYPE_UDPv4             (1 << 2)

this kind of thing.

I don't see how a tunnel is different fundamentally. Why does it need
its own field?

-- 
MST