From: Hans Schultz <schultz.hans@gmail.com>
To: Ido Schimmel <idosch@idosch.org>, Hans Schultz <schultz.hans@gmail.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
	Andrew Lunn <andrew@lunn.ch>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Vladimir Oltean <olteanv@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
	Ivan Vecera <ivecera@redhat.com>, Roopa Prabhu <roopa@nvidia.com>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Shuah Khan <shuah@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Ido Schimmel <idosch@nvidia.com>,
	linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
	linux-kselftest@vger.kernel.org
Subject: Re: [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature
Date: Fri, 27 May 2022 10:52:27 +0200
Message-ID: <86sfov2w8k.fsf@gmail.com>
In-Reply-To: <Yo+LAj1vnjq0p36q@shredder>

On Thu, May 26, 2022 at 17:13, Ido Schimmel <idosch@idosch.org> wrote:
> On Tue, May 24, 2022 at 05:21:41PM +0200, Hans Schultz wrote:
>> Add an intermediate state for clients behind a locked port to allow for
>> possible opening of the port for said clients. This feature corresponds
>> to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The
>> latter is defined by Cisco.
>> Locked FDB entries will be limited in number, so as to prevent DOS
>> attacks by spamming the port with random entries. The limit will be
>> a per-port limit, as it is a port-based feature and the port flushes
>> all FDB entries on link down.
>
> Why do locked FDB entries need special treatment compared to regular
> entries? A port that has learning enabled can be spammed with random
> source MACs just as well.
>
> The authorization daemon that is monitoring FDB notifications can have a
> policy to shut down a port if the rate / number of locked entries is
> above a given threshold.
>
> I don't think this kind of policy belongs in the kernel. If it resides
> in user space, then the threshold can be adjusted. Currently it's hard
> coded to 64 and I don't see how user space can change or monitor it.

In the Mac-Auth/MAB context, the locked port feature is really a form of
CPU-based learning, and on mv88e6xxx switchcores this is facilitated by
violation interrupts. Based on miss violation interrupts, the locked
entries are then added to a list with a timer to remove the entries
according to the bridge timeout.
As this is very CPU intensive compared to normal operation, the
assessment is that all this will jam up most devices if bombarded with
random entries at link speed, and my estimate is that any userspace
daemon that listens to the ensuing FDB events will never get a chance
to stop this flood, and eventually the device will lock down/reset. To
prevent this, the limit is introduced.

Ideally this limit could be adjustable from userspace, but in real
use cases a cap like 64 should be more than enough, as that corresponds
to 64 possible devices behind a port that cannot authenticate by other
means (printers etc.) than having their MAC addresses whitelisted.

The software bridge behavior was then just set to correspond to the
offloaded behavior, but after correspondence with Nik, the software
bridge locked entries limit will be removed.
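Ido's suggestion above is that the threshold policy live in a user-space authorization daemon rather than in the kernel. The following is an added example, not code from this thread or from the kernel patch series, of what such a policy loop can look like: it consumes FDB notification lines, tracks locked entries per port, and decides to shut a port down once either an absolute count (the 64 discussed here) or an arrival rate is exceeded. The line format is an assumption modelled on `bridge monitor fdb` output with an assumed `locked` keyword, the sample events are constructed, and the threshold defaults are illustrative, not kernel values.

```python
import re
from collections import defaultdict, deque

# Assumed notification format resembling `bridge monitor fdb` output:
#   "[Deleted ]<mac> dev <port> master <bridge> [flag ...]"
# The "locked" keyword is assumed here; check your iproute2 version's output.
FDB_LINE = re.compile(
    r"^(?P<del>Deleted )?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r" dev (?P<port>\S+) master (?P<bridge>\S+)(?P<flags>(?: \S+)*)$"
)


def parse_fdb_line(line):
    """Return (deleted, mac, port, flags) or None for a non-FDB line."""
    m = FDB_LINE.match(line.strip())
    if not m:
        return None
    return bool(m.group("del")), m.group("mac"), m.group("port"), set(m.group("flags").split())


class LockedEntryPolicy:
    """Per-port bookkeeping of locked FDB entries with two thresholds:
    an absolute cap (64 mirrors the value debated in the thread) and a
    rate cap over a sliding window. Both defaults are example values."""

    def __init__(self, max_entries=64, max_rate=50, window_s=1.0):
        self.max_entries = max_entries
        self.max_rate = max_rate
        self.window_s = window_s
        self.locked = defaultdict(set)      # port -> set of locked MACs
        self.arrivals = defaultdict(deque)  # port -> timestamps of new locked entries
        self.actions = {}                   # port -> decision already taken

    def observe(self, line, now):
        """Feed one notification; return "shutdown" when the port trips a threshold."""
        parsed = parse_fdb_line(line)
        if parsed is None:
            return None
        deleted, mac, port, flags = parsed
        if "locked" not in flags:
            return None                      # ordinary learned entry: not our concern
        if deleted:
            self.locked[port].discard(mac)   # aged out, or authorized by the daemon
            return None
        if mac in self.locked[port]:
            return None                      # refresh of an entry we already track
        self.locked[port].add(mac)
        q = self.arrivals[port]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                      # drop arrivals outside the rate window
        if port in self.actions:
            return None                      # port already handled
        if len(self.locked[port]) > self.max_entries or len(q) > self.max_rate:
            self.actions[port] = "shutdown"
            return "shutdown"
        return None


# Constructed sample: two locked hosts on swp1 (one later removed), a plain
# learned entry on swp2, a junk line, then a 70-entry burst on swp3 in 70 ms.
SAMPLE_EVENTS = [
    (0.00, "00:11:22:33:44:01 dev swp1 master br0 locked"),
    (0.10, "00:11:22:33:44:02 dev swp1 master br0 locked"),
    (0.20, "00:11:22:33:44:03 dev swp2 master br0"),
    (0.30, "Deleted 00:11:22:33:44:01 dev swp1 master br0 locked"),
    (0.40, "not an fdb line"),
] + [
    (0.50 + i / 1000, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x} dev swp3 master br0 locked")
    for i in range(70)
]


def run_policy(events=SAMPLE_EVENTS, **thresholds):
    """Replay timestamped events through the policy and return it for inspection."""
    policy = LockedEntryPolicy(**thresholds)
    for ts, line in events:
        policy.observe(line, ts)
    return policy


if __name__ == "__main__":
    p = run_policy()
    for port, action in p.actions.items():
        print(f"{port}: {action} ({len(p.locked[port])} locked entries)")
```

In a real daemon the shutdown decision would be carried out with the usual port administration tools (for example taking the port down or flushing its FDB) and the thresholds would be configuration, which is exactly the adjustability Ido argues a kernel-side constant cannot offer.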
