Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp6634397rwd; Mon, 19 Jun 2023 09:56:21 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ63eoLUjAMm8228kKDXTySDlwsB3KxlLgb8ewweuqWso4UWvL7JkZw2DAuCAYDBu0vnzBIa X-Received: by 2002:a05:6a00:1343:b0:663:5fbe:c695 with SMTP id k3-20020a056a00134300b006635fbec695mr16431811pfu.16.1687193780723; Mon, 19 Jun 2023 09:56:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687193780; cv=none; d=google.com; s=arc-20160816; b=jp3rNL8X4toAjyF/IHoCx14gNcT9yOBYDdkYi0VM2b6iRDqrP3lPlERuw1ssvM9Om9 3g8r2TH+jQKWq5A4rgKkxvdVhz0YgPkhgNIy0OnZ21EVcSOyKDQ00AAtlWQUEqj6oIfC HKAyRA/9QPQffepV0eDgFqDQ/xnqotfPEiBzxLkGdLKFDVuqyf7u2rt/KMmgmkCGzqB9 AoJf0oH2/bA07YmhanQhYnvWNfXBNRns3KWq0WpH8C6UwgBUfqENW3OgRzLTiB2LbwtE ncaVMpj091WPVjSUhhS6592SkJk4utTq9PVm2zfpoTNGpDr0kbxm4HKl9931RPY0/3Ib 6sPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=ibNl8hagn3rTly8LUTpZEDxxRnM23ysNCd6OX53mne8=; b=OL7eW4zx+rBd3iiDP+1FUg//X3Q0xjdZn/TgJvvWpDNNF6yg0zfWdJPGqeTupnXQff Xj/qUJUZUvSM6hCtOTLEDZDa11kE5deFkm87aYGO18l4umqAm3U/ByteNylz24eTrv1T ny35+IQGHBEd1LksncDsST9YpzDZOTm1GEyrH1Cgnpsu+SrxT1LLOJWZkZVvlwQO/TXd hu2l0A54CCn+NMRpL+S631/sQLILLCMyjHUBR+qU82ju+VxlGD2QlTn6FPiXCua0GrPY 05PlK6Pnkwq6YPsbimVi6ynnV+igN+rguftKhqNwREAma1eczgpjPrbXwbK1W9QMuUAx r8nA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=kPezCUnV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u66-20020a627945000000b00666ee6bd07bsi6100612pfc.284.2023.06.19.09.55.57; Mon, 19 Jun 2023 09:56:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=kPezCUnV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232321AbjFSQlz (ORCPT + 99 others); Mon, 19 Jun 2023 12:41:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43120 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231636AbjFSQlx (ORCPT ); Mon, 19 Jun 2023 12:41:53 -0400 Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46022DD for ; Mon, 19 Jun 2023 09:41:52 -0700 (PDT) Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-3f9083d8849so29471705e9.0 for ; Mon, 19 Jun 2023 09:41:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1687192911; x=1689784911; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=ibNl8hagn3rTly8LUTpZEDxxRnM23ysNCd6OX53mne8=; b=kPezCUnVg3j3Fk/Uq6JUrVFKWzbGW0Ll1GLgoW75fYv7O7ORrpHKAOsmnXohdQ8auu vjOZvJTe/A1C63Z2PX4W56gGJs7dtF3urgNos6T1fqfLXqxrkdUDzAkxPPCWcnS8OTgs TyYJKnOiu6P08SHtX1spdj7HxAOyu9KuLjV11E+od3lm66RbWTwsN66KjsQuRZTuOuCv agl2UYrFCg3TiV4NvhX0CQkvWHdI5qlq4z2P84XyaVM+bWAg1UfNmQuqKfeBiCJgEZg2 XGWpHyOovrfhUHkqN2qftnVxpIqAl403XTtAbjOlvnnDGKAZXo6CWWOJ73rTFyBGjqtZ rIig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687192911; x=1689784911; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ibNl8hagn3rTly8LUTpZEDxxRnM23ysNCd6OX53mne8=; b=AaPWMqTHBg3+rn0luvmceJoZTXfZbXbuNy+y7IgOmNaauz94+Ua2r/NVg3CGLVtnm+ nphGj3tVkvMOY6qs7S4NzIEaTMW58o+Xyo4+PuU7H3TutSnG1tSyHIBuvFTFfpKc9HO4 K771wzAYEZZ2CyjsB5mRK/BDe0lUYU7p7RYZW0q2QPGpuqjveMmcD6e5Df+14MLtgNhQ /5XtUB0L3wu3Y9lagl531mradXyCP5RGNhuEH69146+daYbJaNdeEGiPbIzJCRGJUHHj 5X8x2mz3PP+8hFHhISUstzHJ7/yCrUkFZEfDi+lKN4N77gEQEl3waebTAFkq0m+o7Pdu 4xPw== X-Gm-Message-State: AC+VfDxzliXBw2xP+m6PfiiVQ9cGGo5TaJWUc2c8fa7GEYgYYG7dPZM7 IKBhCfY5VJSZQkg8MASD1NX4GA== X-Received: by 2002:a1c:f709:0:b0:3f6:9634:c8d6 with SMTP id v9-20020a1cf709000000b003f69634c8d6mr9034792wmh.18.1687192910721; Mon, 19 Jun 2023 09:41:50 -0700 (PDT) Received: from [10.83.37.24] ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id z8-20020a05600c220800b003f9b12b1598sm3232781wml.22.2023.06.19.09.41.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 19 Jun 2023 09:41:50 -0700 (PDT) Message-ID: <9ae5c977-ff9c-591d-3a32-ca9dd00d531e@arista.com> Date: Mon, 19 Jun 2023 17:41:48 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set Content-Language: en-US To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , Dan Carpenter , David Laight , Dmitry Safonov <0x7f454c46@gmail.com>, Donald Cassidy , Eric Biggers , "Eric W. Biederman" , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Leonard Crestez , Salam Noureddine , netdev@vger.kernel.org References: <20230614230947.3954084-1-dima@arista.com> <20230614230947.3954084-5-dima@arista.com> <85077827-d11d-d3e6-0d23-9e60974cad0f@kernel.org> <1c2537d0-cf64-c010-fec6-9fa9ad758f42@arista.com> From: Dmitry Safonov In-Reply-To: <1c2537d0-cf64-c010-fec6-9fa9ad758f42@arista.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 6/19/23 17:31, Dmitry Safonov wrote: > Hi David, > > On 6/18/23 18:50, David Ahern wrote: >> On 6/14/23 4:09 PM, Dmitry Safonov wrote: >>> Be as conservative as possible: if there is TCP-MD5 key for a given peer >>> regardless of L3 interface - don't allow setting TCP-AO key for the same >>> peer. According to RFC5925, TCP-AO is supposed to replace TCP-MD5 and >>> there can't be any switch between both on any connected tuple. >>> Later it can be relaxed, if there's a use, but in the beginning restrict >>> any intersection. >>> >>> Note: it's still should be possible to set both TCP-MD5 and TCP-AO keys >>> on a listening socket for *different* peers. >> >> Does the testsuite cover use of both MD5 and AO for a single listening >> socket with different peers and then other tests covering attempts to >> use both for a same peer? > > Thanks for the question, I have written the following tests for > AO/MD5/unsigned listening socket [1]: > > 1. Listener with TCP-AO key, which has addr = INADDR_ANY > 2. Listener with TCP-MD5 key, which has tcpm_addr = INADDR_ANY > 3. Listener without any key > > Then there's AO_REQUIRED thing, which BGP folks asked to introduce, > which is (7.3) from RFC5925, an option that is per-ao_info, which makes > such socket accepting only TCP-AO enabled segments. > > So, 4. Listener with TCP-AO, AO_REQUIRED flag. > > And then, going to non-INADDR_ANY: > 5. Listener with TCP-AO and TCP-MD5 keys for different peers. > > Here again, for each of AO/MD5/unsigned methods, attempt to connect: > 6. outside of both key peers > 7. inside correct key: i.e. TCP-MD5 client to TCP-MD5 matching key > 8. to a wrong key: i.e. TCP-AO client to TCP-MD5 matching key > > And another type of checks are the ones expecting *setsockopt()* to fail: > 9. Adding TCP-AO key that matches the same peer as TCP-MD5 key > 10. The reverse situation > 11. Adding TCP-MD5 key to AO_REQUIRED socket > 12. Setting AO_REQUIRED on a socket with TCP-MD5 key > 13. Adding TCP-AO key on already established connection without any key Oh, yeah, forgot to mention, there are another 2 tests for TCP_CLOSE socket (just a new one), that has both TCP-AO and TCP-MD5 keys and tries to call connect(). In discussion with the team, it seems really unexpected situation and better to force userspace to remove either AO or MD5 key before calling connect(). Those from the output in [1] are: > ok 39 AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys: connect() was prevented > ok 40 AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys: connect() was prevented > > And then another bunch of tests that check TCP-AO/TCP-MD5/unsigned > interaction in non/default VRFs. > I think the output of selftest [1] is more-or-less self-descriptive, > correct me if I could improve that. > > [1] > https://github.com/0x7f454c46/linux/commit/d7b321f2b5a481e5ff0e80e2e0b3503b1ddb9817 Thanks, Dmitry