Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp1348407pxp; Sun, 20 Mar 2022 14:04:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyGzECASLcI5uw3Gmzk1JHNTuwQkgZAw2Q3LmuqjbryVyQBdV31g1uVUIMfNNn2f3dEAwcQ X-Received: by 2002:a17:907:9812:b0:6da:aaaf:7713 with SMTP id ji18-20020a170907981200b006daaaaf7713mr17819025ejc.163.1647810263066; Sun, 20 Mar 2022 14:04:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647810263; cv=none; d=google.com; s=arc-20160816; b=RRnSfcAbGdPnu0mYKld1qiUZA/LYWG4l+MSj5fNy7M/nmHNUAgPhEG0p7DY104Y+8B re1RAjl1kbi0yeE5zAqT6fhW4bOhQrnPnWvt8xESZ4hQl38lSvAMgZAFFOncAA3fLd+r ng1y9NVm7rj48n6+I9I8DjkLa6zE3iRHbXfizJj+Ersm8N1Cjlm4KBxYFLiPdhw7J6k+ nCUiPzV9tU6qYjR//j8cvsPiDuFVBeeoGV0KegzzHiv5mulPnMhstkwg2gusxoYmPNHg ms68MhK7vj4BEH9DTawA2Ekve/VuVFc1chuWVxp28Bb3FUV1Ff6MdVJM5TtCMQNr8gsS PUQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Rac/T1uCgRkKdVo18Y1asxDHBvA6nYHko+ROAHe2fSM=; b=jchWa4x3D22PO+1x3ZZwdRY28JVJmaD8yl/YGL+wxkdeh85+No+ncyoCjYYfs/c5K/ S5T6Afm+8dWtqzDWDy8W6R1yKj4RxpVSh4RG6Y8M0o93KpOdO26Gx4/tZVoS9seM4mPY IUyGwkAYPn/qOWnmai0IsiZWnqx08kBC0u1LwTEq3DwSjtEusvNMhR2VnOAwyVx8vD3I hkBywQjj4pvUd1XMoYQNkLfaEJV4Tl7vk4JXNjVoBpLTX+gLlNjMUK990Ph2N2Exd8WV /hWE7hqgsh/3i4f4crrhtP5oeuuGiYhbq0fv/SHauEgrkF8RguaQYRw8gtbA3fADRdmm uDRg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=U7q84Tbf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z25-20020a50cd19000000b00418c2b5be6dsi7777625edi.335.2022.03.20.14.03.57; Sun, 20 Mar 2022 14:04:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=U7q84Tbf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243094AbiCSN7I (ORCPT + 99 others); Sat, 19 Mar 2022 09:59:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44180 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229470AbiCSN7G (ORCPT ); Sat, 19 Mar 2022 09:59:06 -0400 Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C0A840E6A for ; Sat, 19 Mar 2022 06:57:45 -0700 (PDT) Received: by mail-qk1-x72c.google.com with SMTP id b67so8737419qkc.6 for ; Sat, 19 Mar 2022 06:57:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Rac/T1uCgRkKdVo18Y1asxDHBvA6nYHko+ROAHe2fSM=; b=U7q84Tbf4G3V8V++ECB85fFy8IR3FJ/HYRcJOeRqDuJWWAs+O60IvqQnZ006w6S7W2 pssocQszERkhx3B8tEh/j1alr9DydBSqcZKoNH0zHralT6o+oCtBo1Ms4hA0uPIhAmtW OZNtlXP/JUP4r/S0MvBzyfNH/98lokgy3JQ6I1Nmd2I+i7C0yYGo5LBuAPpWW13ezmND eFNthG6p0Ws9ZGCFXXnelH+x2RHiz38wkv1fUtTgUxe5QE/zam3nTxHeh25ZQ2Feertk sGG5TQqdp3y8eT9wEWK/pkAd39JBRuHaDk4/AYz0khCBbLSV3PFtQJynL2JAi0GrefnE cInQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Rac/T1uCgRkKdVo18Y1asxDHBvA6nYHko+ROAHe2fSM=; b=GFVabMORoMyWOKG6IoFn0j1QHlOZ8mmYR9fqOP3gTPmlT6W2SovAnqzsIaLZMAtOiV ZP5QTRkPuo9bitSWlkRXYCI9PDca7RNrJWURAc/KPFevT6Ys9NC/0V38T9+F0Vt3Tvat wwdg8hYkS47idWa9y70fjdZbBeuADPUGox3mp0n0Zb7zrAs5IaktWn3a6HN0jLgyNest O9Z9w6PiLWws4mnV7x1NYHGOMU7IqKhzdazNzVc8jAUcxlF3Pp8SqipfXcbEyCx27HjK 7wffuG9FnfOjOYi+ip9fcYzm3pSEBKV0zaW+9tY5h/DpqylAvDq5xgulWZd4XHcKZy/K 2mgQ== X-Gm-Message-State: AOAM530wOHEawMg/KwLxk4FUN10QZPN25pdBMDCO83Swz24LJkvVziIU o5fHzEPugKW2T92crMkPFZMm7E5h6zDrWzFtuFu7ew== X-Received: by 2002:a05:620a:288a:b0:67b:3250:ada2 with SMTP id j10-20020a05620a288a00b0067b3250ada2mr8367002qkp.358.1647698264502; Sat, 19 Mar 2022 06:57:44 -0700 (PDT) MIME-Version: 1.0 References: <20220319110422.8261-1-zhouzhouyi@gmail.com> In-Reply-To: From: Neal Cardwell Date: Sat, 19 Mar 2022 09:57:28 -0400 Message-ID: Subject: Re: [PATCH v2] net:ipv4: send an ack when seg.ack > snd.nxt To: Zhouyi Zhou Cc: Eric Dumazet , Florian Westphal , David Miller , yoshfuji@linux-ipv6.org, dsahern@kernel.org, Jakub Kicinski , pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel , Wei Xu Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Mar 19, 2022 at 7:34 AM Zhouyi Zhou wrote: > > Thanks for reviewing my patch > > On Sat, Mar 19, 2022 at 7:14 PM Eric Dumazet wrote: > > > > On Sat, Mar 19, 2022 at 4:04 AM wrote: > > > > > > From: Zhouyi Zhou > > > > > > In RFC 793, page 72: "If the ACK acks something not yet sent > > > (SEG.ACK > SND.NXT) then send an ACK, drop the segment, > > > and return." > > > > > > Fix Linux's behavior according to RFC 793. > > > > > > Reported-by: Wei Xu > > > Signed-off-by: Wei Xu > > > Signed-off-by: Zhouyi Zhou > > > --- > > > Thank Florian Westphal for pointing out > > > the potential duplicated ack bug in patch version 1. > > > > I am travelling this week, but I think your patch is not necessary and > > might actually be bad. > > > > Please provide more details of why nobody complained of this until today. > > > > Also I doubt you actually fully tested this patch, sending a V2 30 > > minutes after V1. > > > > If yes, please provide a packetdrill test. > I am a beginner to TCP, although I have submitted once a patch to > netdev in 2013 (aaa0c23cb90141309f5076ba5e3bfbd39544b985), this is > first time I learned packetdrill test. > I think I should do the packetdrill test in the coming days, and > provide more details of how this (RFC793 related) can happen. In addition to a packetdrill test and a more detailed analysis of how this can happen, and the implications, I think there are at least a few other issues that need to be considered: (1) AFAICT, adding an unconditional ACK if (after(ack, tp->snd_nxt)) seems to open the potential for attackers to cause DoS attacks with something like the following: (a) attacker injects one data packet in the A->B direction and one data packet in the B->A direction (b) endpoint A sends an ACK for the forged data sent to it, which will have an ACK beyond B's snd_nxt (c) endpoint B sends an ACK for the forged data sent to it, which will have an ACK beyond A's snd_nxt (d) endpoint B receives the ACK sent by A, causing B to send another ACK beyond A's snd_nxt (e) endpoint A receives the ACK sent by B, causing A to send another ACK beyond B's snd_nxt (f) repeat (d) and (e) ad infinitum So AFAICT an attacker could send two data packets with 1 byte of data and cause the two endpoints to use up an unbounded amount of CPU and bandwidth sending ACKs in an "infinite loop". To avoid this "infinite loop" of packets, if we really need to add an ACK in this case then the code should use the tcp_oow_rate_limited() helper to ensure that such ACKs are rate-limited. For more context on tcp_oow_rate_limited(), see: f06535c599354 Merge branch 'tcp_ack_loops' 4fb17a6091674 tcp: mitigate ACK loops for connections as tcp_timewait_sock f2b2c582e8242 tcp: mitigate ACK loops for connections as tcp_sock a9b2c06dbef48 tcp: mitigate ACK loops for connections as tcp_request_sock 032ee4236954e tcp: helpers to mitigate ACK loops by rate-limiting out-of-window dupacks Note that f06535c599354 in particular mentions the case discussed in this patch: (2) RFC 793 (section 3.9, page 72) says: "If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK". (2) Please consider the potential that adding a new ACK in this scenario may introduce new, unanticipated side channels. For more on side channels, see: https://lwn.net/Articles/696868/ The TCP "challenge ACK" side channel Principled Unearthing of TCP Side Channel Vulnerabilities https://dl.acm.org/doi/10.1145/3319535.3354250 best regards, neal