Received: by 2002:ac2:464d:0:0:0:0:0 with SMTP id s13csp1996780lfo; Sat, 28 May 2022 13:09:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwT4WJBKRpx5VYr4xjsU2A2UiTIK2QvbLaoTN5Ccy2LLSuhGX3HBjbxVhiaLieE+6g51XZ4 X-Received: by 2002:a17:90b:4f85:b0:1df:feb1:e27a with SMTP id qe5-20020a17090b4f8500b001dffeb1e27amr15110158pjb.66.1653768583472; Sat, 28 May 2022 13:09:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653768583; cv=none; d=google.com; s=arc-20160816; b=oe9IpTOTXbmOMmNU9DohahwJ5mPjYBlV47xnHLrTpqt4F7zhOs44h4SyArqyjaKmRC sTbgN0oH7xQOgJCTbIu/rVmXDPSB47UX4r8DlrlcGqx4/PAPusbeuK2tO+aa2CsCXuNW jG/aoxWrH7y/PatzG4nom3R7cYrp2F/k++iuODh/0C91jckBabHky9cVCzYuoCrOw2qZ OIY+Hn6j05imVRY2GbR2dw/mM9aAh+gPR5AuHf3U+wx3MkI6aLihWu5VrTtJCUo/Sy4u zQs4ZqtQuOeo1BvVDvtnYVB3ltQi/+7FIVrSulvOJqDuWOZZWNnkfgbMZNGBw62H6ei+ XjAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:dkim-signature; bh=d50SivsluZ6NgKs+usTsgrAsMJ0dcEpxRZNyKV1rSXs=; b=VuG+WNd/iNJ5M4CX7dg0zbQ9vO/SPg36FqZHtCz/NT0ekwaBJZL157iVGGy1PbiAY2 J0L4rhHDCAF8MWUmoQ3TjWZMtETVQWxLwnZPwKPOK/Hlrm4N5uAAGvM+RCe8MoMT1Z7w uCWyxKgENAEPtA1zsm389N/VPZJdR1um+qg5/BC1RoLrggVt8hSMJkbq5HbTOPIFO5fd rudXWynFH1KdgcY6xSZ11Chw9y2zR29BwxlFM/S61V/g4PDTJ5IeSK8QcjcS7KaUP8qy 6vDsg99OfDk+Y6PpoJQogoPp4PIRR+VjoZXPYB1GMtP6ANu1jVqFSNdkrMcyZyJ0DOSM XTYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=KEjqvKVg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id l18-20020a170903121200b0015eb226901csi10369676plh.595.2022.05.28.13.09.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 28 May 2022 13:09:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=KEjqvKVg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1A7961207C1; Sat, 28 May 2022 12:23:31 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350153AbiE0Ixy (ORCPT + 99 others); Fri, 27 May 2022 04:53:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58324 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350152AbiE0Iwz (ORCPT ); Fri, 27 May 2022 04:52:55 -0400 Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A3645C36B; Fri, 27 May 2022 01:52:31 -0700 (PDT) Received: by mail-lf1-x132.google.com with SMTP id w14so5820426lfl.13; Fri, 27 May 2022 01:52:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:in-reply-to:references:date:message-id :mime-version; bh=d50SivsluZ6NgKs+usTsgrAsMJ0dcEpxRZNyKV1rSXs=; b=KEjqvKVgBn8GA2gtH494LAiAmb/ydkqhE0qixQQg7udNkBMreayccOL8QGT4+9jwAo t8kZxqgSZGtl09ng5HwGDPmcUrry5qYWoQjVCfjWq2U9abNeAOXw82YhtjH3SLyTERU+ B/N0eFWNvI/SmJsWRZULqMzx8dgQrlM6Bo51fssmhbBIauoZtu3j8cZXvtsOpge73XXu tzpAH6CVtudOd4a3v8R0kMgO+jBiyzDf9eFQ693ZBSzocZJwyCE9hTjpmDZsc0qfC9eJ 8/fP8fRmLPWGAkTswoDCLFgUX9xDlMKhAQOomAKqOWkV12euJV61I3dShddEfEn7HxoV qnIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version; bh=d50SivsluZ6NgKs+usTsgrAsMJ0dcEpxRZNyKV1rSXs=; b=0beuBWOtabW2i+M5/asfIvdfjCtfHyAMlLsWz0WOVaKKuo8r7tuWr2xSofIib7QG9q s1tXtaZVf+DJh5EkPOTm6HJMOnc17EHshmFP3Amkb4xtRPylW+hCRtip1dK/IBMKykjH O4k2qa5Qy4pdAQ8DgBamrqsUJLHtkmpe9Ca1StyJoERznZ18BNdRnZgo9D+D1VhOgNPX 5a9s1IbFP2hiat/cEeOjkUbYjgt1yXmDEKTqAQzMi33vmuYdyQp+Epyb2USfgcJruiuv 2JZ9x/hhweKGXYQq7fli2HkGprnO/ZtJ4MPRjfDbsP5bLBCTuH2Lgqj7mYW9qyyPMl1i Hubw== X-Gm-Message-State: AOAM530wqEKPWEfUbPemgW281F1tzZ11B8e9+UWWYpFRVQ+JEw/64BJX NwvEltBmOnKh7RkAzerO5M0CR7WXEP1Uxg== X-Received: by 2002:a05:6512:3f8c:b0:45d:cb2a:8779 with SMTP id x12-20020a0565123f8c00b0045dcb2a8779mr30514470lfa.499.1653641549871; Fri, 27 May 2022 01:52:29 -0700 (PDT) Received: from wse-c0127 (2-104-116-184-cable.dk.customer.tdc.net. [2.104.116.184]) by smtp.gmail.com with ESMTPSA id s15-20020a056512314f00b0047255d211fasm772938lfi.297.2022.05.27.01.52.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 27 May 2022 01:52:29 -0700 (PDT) From: Hans Schultz X-Google-Original-From: Hans Schultz To: Ido Schimmel , Hans Schultz Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Andrew Lunn , Vivien Didelot , Florian Fainelli , Vladimir Oltean , Eric Dumazet , Paolo Abeni , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH V3 net-next 1/4] net: bridge: add fdb flag to extent locked port feature In-Reply-To: References: <20220524152144.40527-1-schultz.hans+netdev@gmail.com> <20220524152144.40527-2-schultz.hans+netdev@gmail.com> Date: Fri, 27 May 2022 10:52:27 +0200 Message-ID: <86sfov2w8k.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On tor, maj 26, 2022 at 17:13, Ido Schimmel wrote: > On Tue, May 24, 2022 at 05:21:41PM +0200, Hans Schultz wrote: >> Add an intermediate state for clients behind a locked port to allow for >> possible opening of the port for said clients. This feature corresponds >> to the Mac-Auth and MAC Authentication Bypass (MAB) named features. The >> latter defined by Cisco. >> Locked FDB entries will be limited in number, so as to prevent DOS >> attacks by spamming the port with random entries. The limit will be >> a per port limit as it is a port based feature and that the port flushes >> all FDB entries on link down. > > Why locked FDB entries need a special treatment compared to regular > entries? A port that has learning enabled can be spammed with random > source MACs just as well. > > The authorization daemon that is monitoring FDB notifications can have a > policy to shut down a port if the rate / number of locked entries is > above a given threshold. > > I don't think this kind of policy belongs in the kernel. If it resides > in user space, then the threshold can be adjusted. Currently it's hard > coded to 64 and I don't see how user space can change or monitor it. In the Mac-Auth/MAB context, the locked port feature is really a form of CPU based learning, and on mv88e6xxx switchcores, this is facilitated by violation interrupts. Based on miss violation interrupts, the locked entries are then added to a list with a timer to remove the entries according to the bridge timeout. As this is very CPU intensive compared to normal operation, the assessment is that all this will jam up most devices if bombarded with random entries at link speed, and my estimate is that any userspace daemon that listens to the ensuing fdb events will never get a chance to stop this flood and eventually the device will lock down/reset. To prevent this, the limit is introduced. Ideally this limit could be adjustable from userspace, but in real use-cases a cap like 64 should be more than enough, as that corresponds to 64 possible devices behind a port that cannot authenticate by other means (printers etc.) than having their mac addresses white-listed. The software bridge behavior was then just set to correspond to the offloaded behavior, but after correspondence with Nik, the software bridge locked entries limit will be removed.