From: Eric Dumazet
Date: Mon, 18 Sep 2023 10:05:09 +0200
Subject: Re: [PATCH v1] tcp: enhancing timestamps random algo to address issues arising from NAT mapping
To: George Guo, Florian Westphal
Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20230918014752.1791518-1-guodongtai@kylinos.cn>
On Mon, Sep 18, 2023 at 3:46 AM George Guo wrote:
>
> Tsval=tsoffset+local_clock, here tsoffset is randomized with saddr and daddr parameters in func
> secure_tcp_ts_off. Most of the time it is OK except for NAT mapping to the same port and daddr.
> Consider the following scenario:
>
>    ns1:                              ns2:
>    +-----------+                     +-----------+
>    |           |                     |           |
>    |           |                     |           |
>    |           |                     |           |
>    |   veth1   |                     |   vethb   |
>    |192.168.1.1|                     |192.168.1.2|
>    +----+------+                     +-----+-----+
>         |                                  |
>         |                                  |
>         |        br0:192.168.1.254         |
>         +----------------+-----------------+
>      veth0                |              vetha
>    192.168.1.3            |            192.168.1.4
>                           |
>            nat(192.168.1.x -->172.30.60.199)
>                           |
>                           V
>                         eth0
>                    172.30.60.199
>                           |
>                           |
>                           +----> ... ... ---->server: 172.30.60.191
>
> Let's say ns1 (192.168.1.1) generates a timestamp ts1, and ns2 (192.168.1.2) generates a timestamp
> ts2, with ts1 > ts2.
>
> If ns1 initiates a connection to a server, and then the server actively closes the connection,
> entering the TIME_WAIT state, and ns2 attempts to connect to the server while port reuse is in
> progress, due to the presence of NAT, the server sees both connections as originating from the
> same IP address (e.g., 172.30.60.199) and port. However, since ts2 is smaller than ts1, the server
> will respond with the acknowledgment (ACK) for the fourth handshake.
>
>        SERVER                                    CLIENT
>
>   1.   ESTABLISHED                               ESTABLISHED
>
>        (Close)
>   2.   FIN-WAIT-1  -->                       --> CLOSE-WAIT
>
>   3.   FIN-WAIT-2  <--                       <-- CLOSE-WAIT
>
>                                                  (Close)
>   4.   TIME-WAIT   <--                       <-- LAST-ACK
>
>   5.   TIME-WAIT   -->                       --> CLOSED
>
>   - - - - - - - - - - - - - port reused - - - - - - - - - - - - - - -
>
>   5.1. TIME-WAIT   <--                       <-- SYN-SENT
>
>   5.2. TIME-WAIT   -->                       --> SYN-SENT
>
>   5.3. CLOSED      <--                       <-- SYN-SENT
>
>   6.   SYN-RECV    <--                       <-- SYN-SENT
>
>   7.   SYN-RECV    -->                       --> ESTABLISHED
>
>   1.   ESTABLISH   <--                       <-- ESTABLISHED
>
> This enhancement uses sport and daddr rather than saddr and daddr, which keeps the timestamp
> monotonically increasing in the situation described above. Then the port reuse is like this:
>
>        SERVER                                    CLIENT
>
>   1.   ESTABLISHED                               ESTABLISHED
>
>        (Close)
>   2.   FIN-WAIT-1  -->                       --> CLOSE-WAIT
>
>   3.   FIN-WAIT-2  <--                       <-- CLOSE-WAIT
>
>                                                  (Close)
>   4.   TIME-WAIT   <--                       <-- LAST-ACK
>
>   5.   TIME-WAIT   -->                       --> CLOSED
>
>   - - - - - - - - - - - - - port reused - - - - - - - - - - - - - - -
>
>   5.1. TIME-WAIT   <--                       <-- SYN-SENT
>
>   6.   SYN-RECV    -->                       --> ESTABLISHED
>
>   1.   ESTABLISH   <--                       <-- ESTABLISHED
>
> The enhancement lets ports be reused more efficiently.
>
> Signed-off-by: George Guo
>

CC Florian

I do not think we can 'fix' tcp timestamp vs NAT.

Unless the NAT device makes sure a port is dedicated for a peer, and/or
the NAT rewrites TS values (which would be bad).

I personally prefer seeing the same timestamps from A to B regardless of ports,
it helps detect various issues.

Also, you seem to forget IPv6.
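The TIME-WAIT versus timestamp-offset interaction argued over in this thread, as an added worked model that is not code from the patch or from the kernel: it computes tsval under both keyings (saddr+daddr as today, sport+daddr as proposed) for two hosts behind one NAT and runs the timestamp branch of the server's TIME-WAIT "is this SYN newer than what I last saw" decision. The mixing function, salt, addresses, ports and clock values are all constructed; the real secure_tcp_ts_off() is a siphash under a secret key, and the real TIME-WAIT path also has a sequence-number branch that this model leaves out.

```c
#include <stdint.h>

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

static uint32_t rol32(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }

/* Stand-in for secure_tcp_ts_off() (siphash of the keyed fields under a
 * secret): a constructed mixer that depends only on the two fields passed. */
static uint32_t ts_off_from(uint32_t a, uint32_t b)
{
    const uint32_t salt = 0x5A5A5A58u;               /* constructed "secret" */
    return a ^ rol32(b, 16) ^ salt;
}

/* Keying described in the mail as current behaviour: (saddr, daddr). */
static uint32_t ts_off_by_saddr(const struct flow *f) { return ts_off_from(f->saddr, f->daddr); }
/* Keying proposed by the patch: (sport, daddr). */
static uint32_t ts_off_by_sport(const struct flow *f) { return ts_off_from(f->sport, f->daddr); }

/* tsval = tsoffset + local_clock; PAWS-style modular "a is after b". */
static uint32_t tsval(uint32_t off, uint32_t local_clock) { return off + local_clock; }
static int ts_after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* Timestamp branch of a TIME-WAIT socket handling a fresh SYN on the same
 * 4-tuple: the SYN may recycle the TIME-WAIT only if its tsval is strictly
 * newer than the last tsval seen on the old connection; otherwise the server
 * answers with a plain ACK (step 5.2 in the mail) and the client must RST
 * and retry before its SYN is accepted. */
static int timewait_syn_accepted(uint32_t tw_ts_recent, uint32_t syn_tsval)
{
    return ts_after(syn_tsval, tw_ts_recent);
}

/* ns1 and ns2 sit behind one NAT and both land on the same external port at
 * the server. ns1's last segment carried clock t1, ns2's SYN carries clock t2
 * (same ms units). Returns 1 if ns2's SYN passes TIME-WAIT on the first try. */
static int scenario(int key_by_port, uint16_t ns2_sport, uint32_t t1, uint32_t t2)
{
    const uint32_t server = 0xAC1E3CBFu;                      /* 172.30.60.191 */
    struct flow ns1 = { 0xC0A80101u, server, 40000, 80 };     /* 192.168.1.1 */
    struct flow ns2 = { 0xC0A80102u, server, ns2_sport, 80 }; /* 192.168.1.2 */
    uint32_t off1 = key_by_port ? ts_off_by_sport(&ns1) : ts_off_by_saddr(&ns1);
    uint32_t off2 = key_by_port ? ts_off_by_sport(&ns2) : ts_off_by_saddr(&ns2);
    /* With this constructed mixer off1 == off2 + 3 under saddr keying, so ns2
     * looks "older" unless its clock is more than 3 ms past t1. Under sport
     * keying the offsets coincide only if ns2 happens to use the same local
     * port as ns1 (40000); a NAT gives no such guarantee, which is the
     * objection raised in the reply. */
    return timewait_syn_accepted(tsval(off1, t1), tsval(off2, t2));
}
```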