Re: [PATCH net-next] Reduce IP_FRAG_TIME fragment-reassembly timeout to 1s, from 30s

From: Matt Corallo <netdev-list@mattcorallo.com>
To: Eric Dumazet <edumazet@google.com>
Cc: Willy Tarreau <w@1wt.eu>, "David S. Miller" <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	Keyu Man <kman001@ucr.edu>
Subject: Re: [PATCH net-next] Reduce IP_FRAG_TIME fragment-reassembly timeout to 1s, from 30s
Date: Fri, 30 Apr 2021 13:42:26 -0400	[thread overview]
Message-ID: <c8ad9235-5436-8418-69a9-6c525fd254a4@bluematt.me> (raw)
In-Reply-To: <CANn89iKJDUQuXBueuZWdi17LgFW3yb4LUsH3hzY08+ytJ9QgeA@mail.gmail.com>

On 4/30/21 13:09, Eric Dumazet wrote:
> On Fri, Apr 30, 2021 at 5:52 PM Matt Corallo
> <netdev-list@mattcorallo.com> wrote:
>>
>> Following up - is there a way forward here?
>>
> 
> Tune the sysctls to meet your goals ?
> 
> I did the needed work so that you can absolutely decide to use 256GB
> of ram per host for frags if you want.
> (Although I have not tested with crazy values like that, maybe some
> kind of bottleneck will be hit)

Again, this is not a solution universally because this issue appears when transiting a Linux router. This isn't only 
about end-hosts (or I wouldn't have even bothered with any of this). Sometimes packets flow over a Linux router that you 
don't have control over, which is true in my case.

>> I think the current ease of hitting the black-hole-ing behavior is unacceptable (and often not something that can be
>> changed even with the sysctl knobs due to intermediate hosts), and am happy to do some work to fix it.
>>
>> Someone mentioned in a previous thread randomly evicting fragments instead of dropping all new fragments when we reach
>> saturation, which may be an option. We could also do something in between 1s and 30s, preserving behavior for hosts
>> which see fragments delivered out-of-order by seconds while still reducing the ease of accidentally just black-holing
>> all fragments entirely in more standard internet access deployments.
>>
> 
> Give me one implementation, I will give you a DDOS program to defeat it.
> linux code is public, attackers will simply change their attacks.
> 
> There is no generic solution, they are all bad.
> 
> If you evict randomly, it will also fail. So why bother ?

This was never about DDoS attacks - as noted several times this is about it being trivial to have all your fragments 
blackholed for 30 seconds at a time just because you have some normal run-of-the-mill packet loss.

I agree with you wholeheartedly that there isn't a solution to the DDoS attack issue, I'm not trying to address it. On 
the other hand, in the face of no attacks or otherwise malicious behavior, I'd expect Linux to not exhibit the complete 
blackholing of fragments that it does today.

Matt