From: Hans Schultz <schultz.hans@gmail.com>
To: Vladimir Oltean <olteanv@gmail.com>,
Hans Schultz <schultz.hans@gmail.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Jiri Pirko <jiri@resnulli.us>, Ivan Vecera <ivecera@redhat.com>,
Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Shuah Khan <shuah@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Ido Schimmel <idosch@nvidia.com>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag
Date: Fri, 25 Mar 2022 17:01:59 +0100 [thread overview]
Message-ID: <86tubmt408.fsf@gmail.com> (raw)
In-Reply-To: <20220325140003.a4w4hysqbzmrcxbq@skbuf>
On fre, mar 25, 2022 at 16:00, Vladimir Oltean <olteanv@gmail.com> wrote:
> On Fri, Mar 25, 2022 at 02:48:36PM +0100, Hans Schultz wrote:
>> > If you'd cache the locked ATU entry in the mv88e6xxx driver, and you'd
>> > notify switchdev only if the entry is new to the cache, then you'd
>> > actually still achieve something major. Yes, the bridge FDB will contain
>> > locked FDB entries that aren't in the ATU. But that's because your
>> > printer has been silent for X seconds. The policy for the printer still
>> > hasn't changed, as far as the mv88e6xxx, or bridge, software drivers are
>> > concerned. If the unauthorized printer says something again after the
>> > locked ATU entry expires, the mv88e6xxx driver will find its MAC SA
>> > in the cache of denied addresses, and reload the ATU. What this
>> > achieves
>>
>> The driver will in this case just trigger a new miss violation and add
>> the entry again I think.
>> The problem with all this is that a malicious attack that spams the
>> switch with random mac addresses will be able to DOS the device as any
>> handling of the fdb will be too resource demanding. That is why it is
>> needed to remove those fdb entries after a time out, which dynamic
>> entries would serve.
>
> An attacker sweeping through the 2^47 source MAC address range is a
> problem regardless of the implementations proposed so far, no?
The idea is to have a count on the number of locked entries in both the
ATU and the FDB, so that a limit on entries can be enforced.
> If unlimited growth of the mv88e6xxx locked ATU entry cache is a
> concern (which it is), we could limit its size, and when we purge a
> cached entry in software is also when we could emit a
> SWITCHDEV_FDB_DEL_TO_BRIDGE for it, right?
I think the best would be dynamic entries in both the ATU and the FDB
for locked entries. How the two are kept in sync is another question,
but if there is a switchcore, it will be the 'master', so I don't think
the bridge module will need to tell the switchcore to remove entries in
that case. Or?
next prev parent reply other threads:[~2022-03-25 16:02 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-17 9:38 [PATCH v2 net-next 0/4] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-03-17 9:38 ` [PATCH v2 net-next 1/4] net: bridge: add fdb flag to extent locked port feature Hans Schultz
2022-03-17 9:47 ` Nikolay Aleksandrov
2022-03-17 13:44 ` Ido Schimmel
2022-03-17 13:54 ` Nikolay Aleksandrov
2022-03-17 14:50 ` Hans Schultz
2022-03-17 14:59 ` Ido Schimmel
2022-03-17 9:39 ` [PATCH v2 net-next 2/4] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-03-23 12:29 ` Hans Schultz
2022-03-23 12:35 ` Vladimir Oltean
2022-03-23 12:49 ` Hans Schultz
2022-03-23 14:43 ` Vladimir Oltean
2022-03-23 15:03 ` Hans Schultz
2022-03-24 10:32 ` Hans Schultz
2022-03-24 11:09 ` Vladimir Oltean
2022-03-24 11:23 ` Hans Schultz
2022-03-24 14:27 ` Vladimir Oltean
2022-03-25 7:50 ` Hans Schultz
2022-03-25 13:21 ` Vladimir Oltean
2022-03-25 13:48 ` Hans Schultz
2022-03-25 14:00 ` Vladimir Oltean
2022-03-25 16:01 ` Hans Schultz [this message]
2022-03-25 20:30 ` Vladimir Oltean
2022-03-28 7:38 ` Hans Schultz
2022-03-28 8:48 ` Vladimir Oltean
2022-03-28 9:31 ` Hans Schultz
2022-03-28 15:12 ` Vladimir Oltean
2022-03-25 9:24 ` Hans Schultz
2022-03-23 14:42 ` Hans Schultz
2022-03-17 9:39 ` [PATCH v2 net-next 3/4] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-03-17 15:26 ` Jakub Kicinski
2022-03-17 19:27 ` Vladimir Oltean
2022-03-17 9:39 ` [PATCH v2 net-next 4/4] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests Hans Schultz
2022-03-17 14:57 ` Ido Schimmel
2022-03-18 15:45 ` Hans Schultz
2022-03-20 7:52 ` Ido Schimmel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86tubmt408.fsf@gmail.com \
--to=schultz.hans@gmail.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=f.fainelli@gmail.com \
--cc=idosch@nvidia.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=shuah@kernel.org \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).