subject:"\[ovs\-dev\] \[PATCH ovn v2\] OVN\: Fix learning of neighbors from ARP\/ND packets."

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-09-16 Thread Dumitru Ceara

On Wed, Sep 11, 2019 at 10:15 PM Numan Siddique  wrote:
>
>
>
> On Thu, Aug 15, 2019 at 12:24 PM Han Zhou  wrote:
>>
>> On Wed, Aug 14, 2019 at 11:11 PM Dumitru Ceara  wrote:
>> >
>> > On Thu, Aug 8, 2019 at 1:52 AM Han Zhou  wrote:
>> > >
>> > >
>> > >
>> > > On Wed, Aug 7, 2019 at 8:12 AM Dumitru Ceara  wrote:
>> > >>
>> > >> On Mon, Aug 5, 2019 at 5:34 PM Han Zhou  wrote:
>> > >> >
>> > >> >
>> > >> >
>> > >> > On Mon, Aug 5, 2019 at 1:06 AM Dumitru Ceara 
>> wrote:
>> > >> > >
>> > >> > > On Mon, Aug 5, 2019 at 1:41 AM Han Zhou  wrote:
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > > On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara 
>> wrote:
>> > >> > > > >
>> > >> > > > > Add a restriction on the target protocol addresses to match the
>> > >> > > > > configured subnets. All other ARP/ND packets are invalid in
>> this
>> > >> > > > > context.
>> > >> > > > >
>> > >> > > > > One exception is for ARP replies that are received for route
>> next-hops
>> > >> > > > > that are only reachable via a port but can't be directly
>> resolved
>> > >> > > > > through route lookups. Such support was introduced by commit:
>> > >> > > > >
>> > >> > > > > 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router
>> ports.")
>> > >> > > > >
>> > >> > > > > Reported-at: https://bugzilla.redhat.com/1729846
>> > >> > > > > Reported-by: Haidong Li 
>> > >> > > > > CC: Han Zhou 
>> > >> > > > > CC: Guru Shetty 
>> > >> > > > > Fixes: b068454082f5 ("ovn-northd: Support learning neighbor
>> from ARP request.")
>> > >> > > > > Signed-off-by: Dumitru Ceara 
>> > >> > > >
>> > >> > > > Hi Dumitru,
>> > >> > >
>> > >> > > Hi Han,
>> > >> > >
>> > >> > > Thanks for reviewing this.
>> > >> > >
>> > >> > > >
>> > >> > > > Sorry for my slow response, and thanks a lot for revising the
>> patch for a bigger scope of validations. However, the exception of /32
>> address makes me thinking more about this patch. If ARP replies is allowed
>> from any nexthop for a LR port with /32, at least ARP request for GARP
>> purpose should also be allowed. But before asking for a v3, I'd hold on to
>> rethink the purpose of this patch.
>> > >> > >
>> > >> > > Right, we should allow GARP requests too. If we decide to go ahead
>> > >> > > with this patch I'll add a function in v3 to handle all types of
>> ARPs
>> > >> > > and call it both for unreachable static route next-hops and
>> attached
>> > >> > > subnets.
>> > >> > >
>> > >> > > >
>> > >> > > > The nexthop specific flows are now from static routes. What if
>> OVN support dynamical routing protocols in the future? Of course we can
>> then take those dynamic nexthops into allowed peers. But then I am thinking
>> what is the real benefit of all these restrictions? Why can't we just have
>> simpler logic to handle all these situations without validation? I think
>> the major benefit of the validation is to avoid handling the noise ARP/NDs
>> when multiple subnets shares same L2, but most cases it is really not a big
>> deal, right? For the CPU problem caused by ARP flooding as mentioned by the
>> bug report, it is a real problem, but this patch seems not really helpful
>> for that, because the attacker can just trigger the same CPU problem with
>> *valid* packets. So I am not sure if the benefit of the change is worth the
>> complexity it introduced. Please share your thought and correct me if I
>> missed something.
>> > >> > > >
>> > >> > > > Thanks,
>> > >> > > > Han
>> > >> > >
>> > >> > > I assume the simpler logic to handle all these situations without
>> > >> > > validation is to add rate limiting for ARP packets that get punted
>> to
>> > >> > > the controller. I agree that this should be implemented too.
>> > >> > >
>> > >> > > But I think rate limiting all ARP packets regardless of IP
>> addresses
>> > >> > > is not enough. In the following scenario and if we would have a
>> way to
>> > >> > > rate limit ARP packets:
>> > >> > > - Subnet 42.42.42.0/24 configured on the OVN
>> > >> > > - "Invalid" ARP packets are injected at high rate in the network
>> for 41.41.41.41
>> > >> > > - Host 42.42.42.42 sends GARP.
>> > >> > > - Rate limiting of ARP packets towards controller at 100pps
>> > >> > >
>> > >> > > With the current code, ARP packets for 41.41.41.41 will be punted
>> to
>> > >> > > controller at a rate of at most 100 per second. But the chances
>> that
>> > >> > > the valid 42.42.42.42 GARP is dropped is really high.
>> > >> > >
>> > >> > > If we instead use the following approach:
>> > >> > > a. Punt only useful ARPs to controller.
>> > >> > > b. Rate limit ARPs that are sent to controller.
>> > >> > >
>> > >> > > Then ARP packets outside 42.42.42./24 are never punted to the
>> > >> > > controller and don't consume any rate limiting tokens. For the
>> second
>> > >> > > case, when an attacker would flood with valid ARP packets we would
>> > >> > > have the rate limit in place to protect the controller CPU.
>> > >> > >
>> > >> > > My commit addresses point "a" above as I think

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-09-11 Thread Numan Siddique

On Thu, Aug 15, 2019 at 12:24 PM Han Zhou  wrote:

> On Wed, Aug 14, 2019 at 11:11 PM Dumitru Ceara  wrote:
> >
> > On Thu, Aug 8, 2019 at 1:52 AM Han Zhou  wrote:
> > >
> > >
> > >
> > > On Wed, Aug 7, 2019 at 8:12 AM Dumitru Ceara 
> wrote:
> > >>
> > >> On Mon, Aug 5, 2019 at 5:34 PM Han Zhou  wrote:
> > >> >
> > >> >
> > >> >
> > >> > On Mon, Aug 5, 2019 at 1:06 AM Dumitru Ceara 
> wrote:
> > >> > >
> > >> > > On Mon, Aug 5, 2019 at 1:41 AM Han Zhou 
> wrote:
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara <
> dce...@redhat.com>
> wrote:
> > >> > > > >
> > >> > > > > Add a restriction on the target protocol addresses to match
> the
> > >> > > > > configured subnets. All other ARP/ND packets are invalid in
> this
> > >> > > > > context.
> > >> > > > >
> > >> > > > > One exception is for ARP replies that are received for route
> next-hops
> > >> > > > > that are only reachable via a port but can't be directly
> resolved
> > >> > > > > through route lookups. Such support was introduced by commit:
> > >> > > > >
> > >> > > > > 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router
> ports.")
> > >> > > > >
> > >> > > > > Reported-at: https://bugzilla.redhat.com/1729846
> > >> > > > > Reported-by: Haidong Li 
> > >> > > > > CC: Han Zhou 
> > >> > > > > CC: Guru Shetty 
> > >> > > > > Fixes: b068454082f5 ("ovn-northd: Support learning neighbor
> from ARP request.")
> > >> > > > > Signed-off-by: Dumitru Ceara 
> > >> > > >
> > >> > > > Hi Dumitru,
> > >> > >
> > >> > > Hi Han,
> > >> > >
> > >> > > Thanks for reviewing this.
> > >> > >
> > >> > > >
> > >> > > > Sorry for my slow response, and thanks a lot for revising the
> patch for a bigger scope of validations. However, the exception of /32
> address makes me thinking more about this patch. If ARP replies is allowed
> from any nexthop for a LR port with /32, at least ARP request for GARP
> purpose should also be allowed. But before asking for a v3, I'd hold on to
> rethink the purpose of this patch.
> > >> > >
> > >> > > Right, we should allow GARP requests too. If we decide to go ahead
> > >> > > with this patch I'll add a function in v3 to handle all types of
> ARPs
> > >> > > and call it both for unreachable static route next-hops and
> attached
> > >> > > subnets.
> > >> > >
> > >> > > >
> > >> > > > The nexthop specific flows are now from static routes. What if
> OVN support dynamical routing protocols in the future? Of course we can
> then take those dynamic nexthops into allowed peers. But then I am thinking
> what is the real benefit of all these restrictions? Why can't we just have
> simpler logic to handle all these situations without validation? I think
> the major benefit of the validation is to avoid handling the noise ARP/NDs
> when multiple subnets shares same L2, but most cases it is really not a big
> deal, right? For the CPU problem caused by ARP flooding as mentioned by the
> bug report, it is a real problem, but this patch seems not really helpful
> for that, because the attacker can just trigger the same CPU problem with
> *valid* packets. So I am not sure if the benefit of the change is worth the
> complexity it introduced. Please share your thought and correct me if I
> missed something.
> > >> > > >
> > >> > > > Thanks,
> > >> > > > Han
> > >> > >
> > >> > > I assume the simpler logic to handle all these situations without
> > >> > > validation is to add rate limiting for ARP packets that get punted
> to
> > >> > > the controller. I agree that this should be implemented too.
> > >> > >
> > >> > > But I think rate limiting all ARP packets regardless of IP
> addresses
> > >> > > is not enough. In the following scenario and if we would have a
> way to
> > >> > > rate limit ARP packets:
> > >> > > - Subnet 42.42.42.0/24 configured on the OVN
> > >> > > - "Invalid" ARP packets are injected at high rate in the network
> for 41.41.41.41
> > >> > > - Host 42.42.42.42 sends GARP.
> > >> > > - Rate limiting of ARP packets towards controller at 100pps
> > >> > >
> > >> > > With the current code, ARP packets for 41.41.41.41 will be punted
> to
> > >> > > controller at a rate of at most 100 per second. But the chances
> that
> > >> > > the valid 42.42.42.42 GARP is dropped is really high.
> > >> > >
> > >> > > If we instead use the following approach:
> > >> > > a. Punt only useful ARPs to controller.
> > >> > > b. Rate limit ARPs that are sent to controller.
> > >> > >
> > >> > > Then ARP packets outside 42.42.42./24 are never punted to the
> > >> > > controller and don't consume any rate limiting tokens. For the
> second
> > >> > > case, when an attacker would flood with valid ARP packets we would
> > >> > > have the rate limit in place to protect the controller CPU.
> > >> > >
> > >> > > My commit addresses point "a" above as I think point "b" should be
> > >> > > done in a generic way for all protocol packets that need to reach
> the
> > >> > > controller.
> > >> > >
> > >> > > For

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-08-15 Thread Han Zhou

On Wed, Aug 14, 2019 at 11:11 PM Dumitru Ceara  wrote:
>
> On Thu, Aug 8, 2019 at 1:52 AM Han Zhou  wrote:
> >
> >
> >
> > On Wed, Aug 7, 2019 at 8:12 AM Dumitru Ceara  wrote:
> >>
> >> On Mon, Aug 5, 2019 at 5:34 PM Han Zhou  wrote:
> >> >
> >> >
> >> >
> >> > On Mon, Aug 5, 2019 at 1:06 AM Dumitru Ceara 
wrote:
> >> > >
> >> > > On Mon, Aug 5, 2019 at 1:41 AM Han Zhou  wrote:
> >> > > >
> >> > > >
> >> > > >
> >> > > > On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara 
wrote:
> >> > > > >
> >> > > > > Add a restriction on the target protocol addresses to match the
> >> > > > > configured subnets. All other ARP/ND packets are invalid in
this
> >> > > > > context.
> >> > > > >
> >> > > > > One exception is for ARP replies that are received for route
next-hops
> >> > > > > that are only reachable via a port but can't be directly
resolved
> >> > > > > through route lookups. Such support was introduced by commit:
> >> > > > >
> >> > > > > 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router
ports.")
> >> > > > >
> >> > > > > Reported-at: https://bugzilla.redhat.com/1729846
> >> > > > > Reported-by: Haidong Li 
> >> > > > > CC: Han Zhou 
> >> > > > > CC: Guru Shetty 
> >> > > > > Fixes: b068454082f5 ("ovn-northd: Support learning neighbor
from ARP request.")
> >> > > > > Signed-off-by: Dumitru Ceara 
> >> > > >
> >> > > > Hi Dumitru,
> >> > >
> >> > > Hi Han,
> >> > >
> >> > > Thanks for reviewing this.
> >> > >
> >> > > >
> >> > > > Sorry for my slow response, and thanks a lot for revising the
patch for a bigger scope of validations. However, the exception of /32
address makes me thinking more about this patch. If ARP replies is allowed
from any nexthop for a LR port with /32, at least ARP request for GARP
purpose should also be allowed. But before asking for a v3, I'd hold on to
rethink the purpose of this patch.
> >> > >
> >> > > Right, we should allow GARP requests too. If we decide to go ahead
> >> > > with this patch I'll add a function in v3 to handle all types of
ARPs
> >> > > and call it both for unreachable static route next-hops and
attached
> >> > > subnets.
> >> > >
> >> > > >
> >> > > > The nexthop specific flows are now from static routes. What if
OVN support dynamical routing protocols in the future? Of course we can
then take those dynamic nexthops into allowed peers. But then I am thinking
what is the real benefit of all these restrictions? Why can't we just have
simpler logic to handle all these situations without validation? I think
the major benefit of the validation is to avoid handling the noise ARP/NDs
when multiple subnets shares same L2, but most cases it is really not a big
deal, right? For the CPU problem caused by ARP flooding as mentioned by the
bug report, it is a real problem, but this patch seems not really helpful
for that, because the attacker can just trigger the same CPU problem with
*valid* packets. So I am not sure if the benefit of the change is worth the
complexity it introduced. Please share your thought and correct me if I
missed something.
> >> > > >
> >> > > > Thanks,
> >> > > > Han
> >> > >
> >> > > I assume the simpler logic to handle all these situations without
> >> > > validation is to add rate limiting for ARP packets that get punted
to
> >> > > the controller. I agree that this should be implemented too.
> >> > >
> >> > > But I think rate limiting all ARP packets regardless of IP
addresses
> >> > > is not enough. In the following scenario and if we would have a
way to
> >> > > rate limit ARP packets:
> >> > > - Subnet 42.42.42.0/24 configured on the OVN
> >> > > - "Invalid" ARP packets are injected at high rate in the network
for 41.41.41.41
> >> > > - Host 42.42.42.42 sends GARP.
> >> > > - Rate limiting of ARP packets towards controller at 100pps
> >> > >
> >> > > With the current code, ARP packets for 41.41.41.41 will be punted
to
> >> > > controller at a rate of at most 100 per second. But the chances
that
> >> > > the valid 42.42.42.42 GARP is dropped is really high.
> >> > >
> >> > > If we instead use the following approach:
> >> > > a. Punt only useful ARPs to controller.
> >> > > b. Rate limit ARPs that are sent to controller.
> >> > >
> >> > > Then ARP packets outside 42.42.42./24 are never punted to the
> >> > > controller and don't consume any rate limiting tokens. For the
second
> >> > > case, when an attacker would flood with valid ARP packets we would
> >> > > have the rate limit in place to protect the controller CPU.
> >> > >
> >> > > My commit addresses point "a" above as I think point "b" should be
> >> > > done in a generic way for all protocol packets that need to reach
the
> >> > > controller.
> >> > >
> >> > > For dynamic routing protocols on the other hand I think we should
not
> >> > > install routes with next-hops that are unreachable through other
> >> > > direct or indirect routes.
> >> > >
> >> > > Thanks,
> >> > > Dumitru
> >> >
> >> > I agree that blindly ARP rate limit is not helpful, but a) is not
really helpful in this case

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-08-15 Thread Dumitru Ceara

On Thu, Aug 8, 2019 at 1:52 AM Han Zhou  wrote:
>
>
>
> On Wed, Aug 7, 2019 at 8:12 AM Dumitru Ceara  wrote:
>>
>> On Mon, Aug 5, 2019 at 5:34 PM Han Zhou  wrote:
>> >
>> >
>> >
>> > On Mon, Aug 5, 2019 at 1:06 AM Dumitru Ceara  wrote:
>> > >
>> > > On Mon, Aug 5, 2019 at 1:41 AM Han Zhou  wrote:
>> > > >
>> > > >
>> > > >
>> > > > On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara  
>> > > > wrote:
>> > > > >
>> > > > > Add a restriction on the target protocol addresses to match the
>> > > > > configured subnets. All other ARP/ND packets are invalid in this
>> > > > > context.
>> > > > >
>> > > > > One exception is for ARP replies that are received for route 
>> > > > > next-hops
>> > > > > that are only reachable via a port but can't be directly resolved
>> > > > > through route lookups. Such support was introduced by commit:
>> > > > >
>> > > > > 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router ports.")
>> > > > >
>> > > > > Reported-at: https://bugzilla.redhat.com/1729846
>> > > > > Reported-by: Haidong Li 
>> > > > > CC: Han Zhou 
>> > > > > CC: Guru Shetty 
>> > > > > Fixes: b068454082f5 ("ovn-northd: Support learning neighbor from ARP 
>> > > > > request.")
>> > > > > Signed-off-by: Dumitru Ceara 
>> > > >
>> > > > Hi Dumitru,
>> > >
>> > > Hi Han,
>> > >
>> > > Thanks for reviewing this.
>> > >
>> > > >
>> > > > Sorry for my slow response, and thanks a lot for revising the patch 
>> > > > for a bigger scope of validations. However, the exception of /32 
>> > > > address makes me thinking more about this patch. If ARP replies is 
>> > > > allowed from any nexthop for a LR port with /32, at least ARP request 
>> > > > for GARP purpose should also be allowed. But before asking for a v3, 
>> > > > I'd hold on to rethink the purpose of this patch.
>> > >
>> > > Right, we should allow GARP requests too. If we decide to go ahead
>> > > with this patch I'll add a function in v3 to handle all types of ARPs
>> > > and call it both for unreachable static route next-hops and attached
>> > > subnets.
>> > >
>> > > >
>> > > > The nexthop specific flows are now from static routes. What if OVN 
>> > > > support dynamical routing protocols in the future? Of course we can 
>> > > > then take those dynamic nexthops into allowed peers. But then I am 
>> > > > thinking what is the real benefit of all these restrictions? Why can't 
>> > > > we just have simpler logic to handle all these situations without 
>> > > > validation? I think the major benefit of the validation is to avoid 
>> > > > handling the noise ARP/NDs when multiple subnets shares same L2, but 
>> > > > most cases it is really not a big deal, right? For the CPU problem 
>> > > > caused by ARP flooding as mentioned by the bug report, it is a real 
>> > > > problem, but this patch seems not really helpful for that, because the 
>> > > > attacker can just trigger the same CPU problem with *valid* packets. 
>> > > > So I am not sure if the benefit of the change is worth the complexity 
>> > > > it introduced. Please share your thought and correct me if I missed 
>> > > > something.
>> > > >
>> > > > Thanks,
>> > > > Han
>> > >
>> > > I assume the simpler logic to handle all these situations without
>> > > validation is to add rate limiting for ARP packets that get punted to
>> > > the controller. I agree that this should be implemented too.
>> > >
>> > > But I think rate limiting all ARP packets regardless of IP addresses
>> > > is not enough. In the following scenario and if we would have a way to
>> > > rate limit ARP packets:
>> > > - Subnet 42.42.42.0/24 configured on the OVN
>> > > - "Invalid" ARP packets are injected at high rate in the network for 
>> > > 41.41.41.41
>> > > - Host 42.42.42.42 sends GARP.
>> > > - Rate limiting of ARP packets towards controller at 100pps
>> > >
>> > > With the current code, ARP packets for 41.41.41.41 will be punted to
>> > > controller at a rate of at most 100 per second. But the chances that
>> > > the valid 42.42.42.42 GARP is dropped is really high.
>> > >
>> > > If we instead use the following approach:
>> > > a. Punt only useful ARPs to controller.
>> > > b. Rate limit ARPs that are sent to controller.
>> > >
>> > > Then ARP packets outside 42.42.42./24 are never punted to the
>> > > controller and don't consume any rate limiting tokens. For the second
>> > > case, when an attacker would flood with valid ARP packets we would
>> > > have the rate limit in place to protect the controller CPU.
>> > >
>> > > My commit addresses point "a" above as I think point "b" should be
>> > > done in a generic way for all protocol packets that need to reach the
>> > > controller.
>> > >
>> > > For dynamic routing protocols on the other hand I think we should not
>> > > install routes with next-hops that are unreachable through other
>> > > direct or indirect routes.
>> > >
>> > > Thanks,
>> > > Dumitru
>> >
>> > I agree that blindly ARP rate limit is not helpful, but a) is not really 
>> > helpful in this case either. In

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-08-07 Thread Han Zhou

On Wed, Aug 7, 2019 at 8:12 AM Dumitru Ceara  wrote:

> On Mon, Aug 5, 2019 at 5:34 PM Han Zhou  wrote:
> >
> >
> >
> > On Mon, Aug 5, 2019 at 1:06 AM Dumitru Ceara  wrote:
> > >
> > > On Mon, Aug 5, 2019 at 1:41 AM Han Zhou  wrote:
> > > >
> > > >
> > > >
> > > > On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara 
> wrote:
> > > > >
> > > > > Add a restriction on the target protocol addresses to match the
> > > > > configured subnets. All other ARP/ND packets are invalid in this
> > > > > context.
> > > > >
> > > > > One exception is for ARP replies that are received for route
> next-hops
> > > > > that are only reachable via a port but can't be directly resolved
> > > > > through route lookups. Such support was introduced by commit:
> > > > >
> > > > > 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router ports.")
> > > > >
> > > > > Reported-at: https://bugzilla.redhat.com/1729846
> > > > > Reported-by: Haidong Li 
> > > > > CC: Han Zhou 
> > > > > CC: Guru Shetty 
> > > > > Fixes: b068454082f5 ("ovn-northd: Support learning neighbor from
> ARP request.")
> > > > > Signed-off-by: Dumitru Ceara 
> > > >
> > > > Hi Dumitru,
> > >
> > > Hi Han,
> > >
> > > Thanks for reviewing this.
> > >
> > > >
> > > > Sorry for my slow response, and thanks a lot for revising the patch
> for a bigger scope of validations. However, the exception of /32 address
> makes me thinking more about this patch. If ARP replies is allowed from any
> nexthop for a LR port with /32, at least ARP request for GARP purpose
> should also be allowed. But before asking for a v3, I'd hold on to rethink
> the purpose of this patch.
> > >
> > > Right, we should allow GARP requests too. If we decide to go ahead
> > > with this patch I'll add a function in v3 to handle all types of ARPs
> > > and call it both for unreachable static route next-hops and attached
> > > subnets.
> > >
> > > >
> > > > The nexthop specific flows are now from static routes. What if OVN
> support dynamical routing protocols in the future? Of course we can then
> take those dynamic nexthops into allowed peers. But then I am thinking what
> is the real benefit of all these restrictions? Why can't we just have
> simpler logic to handle all these situations without validation? I think
> the major benefit of the validation is to avoid handling the noise ARP/NDs
> when multiple subnets shares same L2, but most cases it is really not a big
> deal, right? For the CPU problem caused by ARP flooding as mentioned by the
> bug report, it is a real problem, but this patch seems not really helpful
> for that, because the attacker can just trigger the same CPU problem with
> *valid* packets. So I am not sure if the benefit of the change is worth the
> complexity it introduced. Please share your thought and correct me if I
> missed something.
> > > >
> > > > Thanks,
> > > > Han
> > >
> > > I assume the simpler logic to handle all these situations without
> > > validation is to add rate limiting for ARP packets that get punted to
> > > the controller. I agree that this should be implemented too.
> > >
> > > But I think rate limiting all ARP packets regardless of IP addresses
> > > is not enough. In the following scenario and if we would have a way to
> > > rate limit ARP packets:
> > > - Subnet 42.42.42.0/24 configured on the OVN
> > > - "Invalid" ARP packets are injected at high rate in the network for
> 41.41.41.41
> > > - Host 42.42.42.42 sends GARP.
> > > - Rate limiting of ARP packets towards controller at 100pps
> > >
> > > With the current code, ARP packets for 41.41.41.41 will be punted to
> > > controller at a rate of at most 100 per second. But the chances that
> > > the valid 42.42.42.42 GARP is dropped is really high.
> > >
> > > If we instead use the following approach:
> > > a. Punt only useful ARPs to controller.
> > > b. Rate limit ARPs that are sent to controller.
> > >
> > > Then ARP packets outside 42.42.42./24 are never punted to the
> > > controller and don't consume any rate limiting tokens. For the second
> > > case, when an attacker would flood with valid ARP packets we would
> > > have the rate limit in place to protect the controller CPU.
> > >
> > > My commit addresses point "a" above as I think point "b" should be
> > > done in a generic way for all protocol packets that need to reach the
> > > controller.
> > >
> > > For dynamic routing protocols on the other hand I think we should not
> > > install routes with next-hops that are unreachable through other
> > > direct or indirect routes.
> > >
> > > Thanks,
> > > Dumitru
> >
> > I agree that blindly ARP rate limit is not helpful, but a) is not really
> helpful in this case either. In your example, the attacker can just use any
> valid IP in 42.42.42.0/24 to send GARP flooding, which would result in
> exactly same result that a useful GARP from 42.42.42.42 is dropped because
> of blindly rate limiting all ARPs. To solve the problem properly, the ARP
> rate limiting must be done per IP.
>
> Ok, ideally ARP

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-08-07 Thread Dumitru Ceara

On Mon, Aug 5, 2019 at 5:34 PM Han Zhou  wrote:
>
>
>
> On Mon, Aug 5, 2019 at 1:06 AM Dumitru Ceara  wrote:
> >
> > On Mon, Aug 5, 2019 at 1:41 AM Han Zhou  wrote:
> > >
> > >
> > >
> > > On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara  wrote:
> > > >
> > > > Add a restriction on the target protocol addresses to match the
> > > > configured subnets. All other ARP/ND packets are invalid in this
> > > > context.
> > > >
> > > > One exception is for ARP replies that are received for route next-hops
> > > > that are only reachable via a port but can't be directly resolved
> > > > through route lookups. Such support was introduced by commit:
> > > >
> > > > 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router ports.")
> > > >
> > > > Reported-at: https://bugzilla.redhat.com/1729846
> > > > Reported-by: Haidong Li 
> > > > CC: Han Zhou 
> > > > CC: Guru Shetty 
> > > > Fixes: b068454082f5 ("ovn-northd: Support learning neighbor from ARP 
> > > > request.")
> > > > Signed-off-by: Dumitru Ceara 
> > >
> > > Hi Dumitru,
> >
> > Hi Han,
> >
> > Thanks for reviewing this.
> >
> > >
> > > Sorry for my slow response, and thanks a lot for revising the patch for a 
> > > bigger scope of validations. However, the exception of /32 address makes 
> > > me thinking more about this patch. If ARP replies is allowed from any 
> > > nexthop for a LR port with /32, at least ARP request for GARP purpose 
> > > should also be allowed. But before asking for a v3, I'd hold on to 
> > > rethink the purpose of this patch.
> >
> > Right, we should allow GARP requests too. If we decide to go ahead
> > with this patch I'll add a function in v3 to handle all types of ARPs
> > and call it both for unreachable static route next-hops and attached
> > subnets.
> >
> > >
> > > The nexthop specific flows are now from static routes. What if OVN 
> > > support dynamical routing protocols in the future? Of course we can then 
> > > take those dynamic nexthops into allowed peers. But then I am thinking 
> > > what is the real benefit of all these restrictions? Why can't we just 
> > > have simpler logic to handle all these situations without validation? I 
> > > think the major benefit of the validation is to avoid handling the noise 
> > > ARP/NDs when multiple subnets shares same L2, but most cases it is really 
> > > not a big deal, right? For the CPU problem caused by ARP flooding as 
> > > mentioned by the bug report, it is a real problem, but this patch seems 
> > > not really helpful for that, because the attacker can just trigger the 
> > > same CPU problem with *valid* packets. So I am not sure if the benefit of 
> > > the change is worth the complexity it introduced. Please share your 
> > > thought and correct me if I missed something.
> > >
> > > Thanks,
> > > Han
> >
> > I assume the simpler logic to handle all these situations without
> > validation is to add rate limiting for ARP packets that get punted to
> > the controller. I agree that this should be implemented too.
> >
> > But I think rate limiting all ARP packets regardless of IP addresses
> > is not enough. In the following scenario and if we would have a way to
> > rate limit ARP packets:
> > - Subnet 42.42.42.0/24 configured on the OVN
> > - "Invalid" ARP packets are injected at high rate in the network for 
> > 41.41.41.41
> > - Host 42.42.42.42 sends GARP.
> > - Rate limiting of ARP packets towards controller at 100pps
> >
> > With the current code, ARP packets for 41.41.41.41 will be punted to
> > controller at a rate of at most 100 per second. But the chances that
> > the valid 42.42.42.42 GARP is dropped is really high.
> >
> > If we instead use the following approach:
> > a. Punt only useful ARPs to controller.
> > b. Rate limit ARPs that are sent to controller.
> >
> > Then ARP packets outside 42.42.42./24 are never punted to the
> > controller and don't consume any rate limiting tokens. For the second
> > case, when an attacker would flood with valid ARP packets we would
> > have the rate limit in place to protect the controller CPU.
> >
> > My commit addresses point "a" above as I think point "b" should be
> > done in a generic way for all protocol packets that need to reach the
> > controller.
> >
> > For dynamic routing protocols on the other hand I think we should not
> > install routes with next-hops that are unreachable through other
> > direct or indirect routes.
> >
> > Thanks,
> > Dumitru
>
> I agree that blindly ARP rate limit is not helpful, but a) is not really 
> helpful in this case either. In your example, the attacker can just use any 
> valid IP in 42.42.42.0/24 to send GARP flooding, which would result in 
> exactly same result that a useful GARP from 42.42.42.42 is dropped because of 
> blindly rate limiting all ARPs. To solve the problem properly, the ARP rate 
> limiting must be done per IP.

Ok, ideally ARP rate limiting should be done per IP but it would take
quite a lot of resources to keep that information per host.

Any idea how to

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-08-05 Thread Han Zhou

On Mon, Aug 5, 2019 at 1:06 AM Dumitru Ceara  wrote:
>
> On Mon, Aug 5, 2019 at 1:41 AM Han Zhou  wrote:
> >
> >
> >
> > On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara  wrote:
> > >
> > > Add a restriction on the target protocol addresses to match the
> > > configured subnets. All other ARP/ND packets are invalid in this
> > > context.
> > >
> > > One exception is for ARP replies that are received for route next-hops
> > > that are only reachable via a port but can't be directly resolved
> > > through route lookups. Such support was introduced by commit:
> > >
> > > 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router ports.")
> > >
> > > Reported-at: https://bugzilla.redhat.com/1729846
> > > Reported-by: Haidong Li 
> > > CC: Han Zhou 
> > > CC: Guru Shetty 
> > > Fixes: b068454082f5 ("ovn-northd: Support learning neighbor from ARP
request.")
> > > Signed-off-by: Dumitru Ceara 
> >
> > Hi Dumitru,
>
> Hi Han,
>
> Thanks for reviewing this.
>
> >
> > Sorry for my slow response, and thanks a lot for revising the patch for
a bigger scope of validations. However, the exception of /32 address makes
me thinking more about this patch. If ARP replies is allowed from any
nexthop for a LR port with /32, at least ARP request for GARP purpose
should also be allowed. But before asking for a v3, I'd hold on to rethink
the purpose of this patch.
>
> Right, we should allow GARP requests too. If we decide to go ahead
> with this patch I'll add a function in v3 to handle all types of ARPs
> and call it both for unreachable static route next-hops and attached
> subnets.
>
> >
> > The nexthop specific flows are now from static routes. What if OVN
support dynamical routing protocols in the future? Of course we can then
take those dynamic nexthops into allowed peers. But then I am thinking what
is the real benefit of all these restrictions? Why can't we just have
simpler logic to handle all these situations without validation? I think
the major benefit of the validation is to avoid handling the noise ARP/NDs
when multiple subnets shares same L2, but most cases it is really not a big
deal, right? For the CPU problem caused by ARP flooding as mentioned by the
bug report, it is a real problem, but this patch seems not really helpful
for that, because the attacker can just trigger the same CPU problem with
*valid* packets. So I am not sure if the benefit of the change is worth the
complexity it introduced. Please share your thought and correct me if I
missed something.
> >
> > Thanks,
> > Han
>
> I assume the simpler logic to handle all these situations without
> validation is to add rate limiting for ARP packets that get punted to
> the controller. I agree that this should be implemented too.
>
> But I think rate limiting all ARP packets regardless of IP addresses
> is not enough. In the following scenario and if we would have a way to
> rate limit ARP packets:
> - Subnet 42.42.42.0/24 configured on the OVN
> - "Invalid" ARP packets are injected at high rate in the network for
41.41.41.41
> - Host 42.42.42.42 sends GARP.
> - Rate limiting of ARP packets towards controller at 100pps
>
> With the current code, ARP packets for 41.41.41.41 will be punted to
> controller at a rate of at most 100 per second. But the chances that
> the valid 42.42.42.42 GARP is dropped is really high.
>
> If we instead use the following approach:
> a. Punt only useful ARPs to controller.
> b. Rate limit ARPs that are sent to controller.
>
> Then ARP packets outside 42.42.42./24 are never punted to the
> controller and don't consume any rate limiting tokens. For the second
> case, when an attacker would flood with valid ARP packets we would
> have the rate limit in place to protect the controller CPU.
>
> My commit addresses point "a" above as I think point "b" should be
> done in a generic way for all protocol packets that need to reach the
> controller.
>
> For dynamic routing protocols on the other hand I think we should not
> install routes with next-hops that are unreachable through other
> direct or indirect routes.
>
> Thanks,
> Dumitru

I agree that blindly ARP rate limit is not helpful, but a) is not really
helpful in this case either. In your example, the attacker can just use any
valid IP in 42.42.42.0/24 to send GARP flooding, which would result in
exactly same result that a useful GARP from 42.42.42.42 is dropped because
of blindly rate limiting all ARPs. To solve the problem properly, the ARP
rate limiting must be done per IP.
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-08-05 Thread Dumitru Ceara

On Mon, Aug 5, 2019 at 1:41 AM Han Zhou  wrote:
>
>
>
> On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara  wrote:
> >
> > Add a restriction on the target protocol addresses to match the
> > configured subnets. All other ARP/ND packets are invalid in this
> > context.
> >
> > One exception is for ARP replies that are received for route next-hops
> > that are only reachable via a port but can't be directly resolved
> > through route lookups. Such support was introduced by commit:
> >
> > 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router ports.")
> >
> > Reported-at: https://bugzilla.redhat.com/1729846
> > Reported-by: Haidong Li 
> > CC: Han Zhou 
> > CC: Guru Shetty 
> > Fixes: b068454082f5 ("ovn-northd: Support learning neighbor from ARP 
> > request.")
> > Signed-off-by: Dumitru Ceara 
>
> Hi Dumitru,

Hi Han,

Thanks for reviewing this.

>
> Sorry for my slow response, and thanks a lot for revising the patch for a 
> bigger scope of validations. However, the exception of /32 address makes me 
> thinking more about this patch. If ARP replies is allowed from any nexthop 
> for a LR port with /32, at least ARP request for GARP purpose should also be 
> allowed. But before asking for a v3, I'd hold on to rethink the purpose of 
> this patch.

Right, we should allow GARP requests too. If we decide to go ahead
with this patch I'll add a function in v3 to handle all types of ARPs
and call it both for unreachable static route next-hops and attached
subnets.

>
> The nexthop specific flows are now from static routes. What if OVN support 
> dynamical routing protocols in the future? Of course we can then take those 
> dynamic nexthops into allowed peers. But then I am thinking what is the real 
> benefit of all these restrictions? Why can't we just have simpler logic to 
> handle all these situations without validation? I think the major benefit of 
> the validation is to avoid handling the noise ARP/NDs when multiple subnets 
> shares same L2, but most cases it is really not a big deal, right? For the 
> CPU problem caused by ARP flooding as mentioned by the bug report, it is a 
> real problem, but this patch seems not really helpful for that, because the 
> attacker can just trigger the same CPU problem with *valid* packets. So I am 
> not sure if the benefit of the change is worth the complexity it introduced. 
> Please share your thought and correct me if I missed something.
>
> Thanks,
> Han

I assume the simpler logic to handle all these situations without
validation is to add rate limiting for ARP packets that get punted to
the controller. I agree that this should be implemented too.

But I think rate limiting all ARP packets regardless of IP addresses
is not enough. In the following scenario and if we would have a way to
rate limit ARP packets:
- Subnet 42.42.42.0/24 configured on the OVN
- "Invalid" ARP packets are injected at high rate in the network for 41.41.41.41
- Host 42.42.42.42 sends GARP.
- Rate limiting of ARP packets towards controller at 100pps

With the current code, ARP packets for 41.41.41.41 will be punted to
controller at a rate of at most 100 per second. But the chances that
the valid 42.42.42.42 GARP is dropped is really high.

If we instead use the following approach:
a. Punt only useful ARPs to controller.
b. Rate limit ARPs that are sent to controller.

Then ARP packets outside 42.42.42./24 are never punted to the
controller and don't consume any rate limiting tokens. For the second
case, when an attacker would flood with valid ARP packets we would
have the rate limit in place to protect the controller CPU.

My commit addresses point "a" above as I think point "b" should be
done in a generic way for all protocol packets that need to reach the
controller.

For dynamic routing protocols on the other hand I think we should not
install routes with next-hops that are unreachable through other
direct or indirect routes.

Thanks,
Dumitru
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-08-04 Thread Han Zhou

On Mon, Jul 29, 2019 at 2:30 AM Dumitru Ceara  wrote:
>
> Add a restriction on the target protocol addresses to match the
> configured subnets. All other ARP/ND packets are invalid in this
> context.
>
> One exception is for ARP replies that are received for route next-hops
> that are only reachable via a port but can't be directly resolved
> through route lookups. Such support was introduced by commit:
>
> 6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router ports.")
>
> Reported-at: https://bugzilla.redhat.com/1729846
> Reported-by: Haidong Li 
> CC: Han Zhou 
> CC: Guru Shetty 
> Fixes: b068454082f5 ("ovn-northd: Support learning neighbor from ARP
request.")
> Signed-off-by: Dumitru Ceara 

Hi Dumitru,

Sorry for my slow response, and thanks a lot for revising the patch for a
bigger scope of validations. However, the exception of /32 address makes me
thinking more about this patch. If ARP replies is allowed from any nexthop
for a LR port with /32, at least ARP request for GARP purpose should also
be allowed. But before asking for a v3, I'd hold on to rethink the purpose
of this patch.

The nexthop specific flows are now from static routes. What if OVN support
dynamical routing protocols in the future? Of course we can then take those
dynamic nexthops into allowed peers. But then I am thinking what is the
real benefit of all these restrictions? Why can't we just have simpler
logic to handle all these situations without validation? I think the major
benefit of the validation is to avoid handling the noise ARP/NDs when
multiple subnets shares same L2, but most cases it is really not a big
deal, right? For the CPU problem caused by ARP flooding as mentioned by the
bug report, it is a real problem, but this patch seems not really helpful
for that, because the attacker can just trigger the same CPU problem with
*valid* packets. So I am not sure if the benefit of the change is worth the
complexity it introduced. Please share your thought and correct me if I
missed something.

Thanks,
Han
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

[ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

2019-07-29 Thread Dumitru Ceara

Add a restriction on the target protocol addresses to match the
configured subnets. All other ARP/ND packets are invalid in this
context.

One exception is for ARP replies that are received for route next-hops
that are only reachable via a port but can't be directly resolved
through route lookups. Such support was introduced by commit:

6b785fd8fe29 ("ovn-util: Allow /32 IP addresses for router ports.")

Reported-at: https://bugzilla.redhat.com/1729846
Reported-by: Haidong Li 
CC: Han Zhou 
CC: Guru Shetty 
Fixes: b068454082f5 ("ovn-northd: Support learning neighbor from ARP request.")
Signed-off-by: Dumitru Ceara 
---

v2:
- Update commit message.
- Implement the fix also for ARP replies and IPv6 ND.

Signed-off-by: Dumitru Ceara 
---
 northd/ovn-northd.c | 95 +
 1 file changed, 81 insertions(+), 14 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index bed2993..637e82c 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -5815,10 +5815,32 @@ build_static_route_flow(struct hmap *lflows, struct 
ovn_datapath *od,
 if (is_ipv4) {
 if (out_port->lrp_networks.n_ipv4_addrs) {
 lrp_addr_s = out_port->lrp_networks.ipv4_addrs[0].addr_s;
+
+/* Explicitly allow ARP replies for the next-hop. */
+struct ds match;
+ds_init();
+ds_put_format(, "inport == %s && arp.op == 2 && "
+  "arp.spa == %s", out_port->json_key,
+  route->nexthop);
+ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 90,
+  ds_cstr(),
+  "put_arp(inport, arp.spa, arp.sha);");
+ds_destroy();
 }
 } else {
 if (out_port->lrp_networks.n_ipv6_addrs) {
 lrp_addr_s = out_port->lrp_networks.ipv6_addrs[0].addr_s;
+
+/* Explicitly allow NA for the next-hop. */
+struct ds match;
+ds_init();
+ds_put_format(, "inport == %s && nd_na && "
+  "ip6.src == %s", out_port->json_key,
+  route->nexthop);
+ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 90,
+  ds_cstr(),
+  "put_nd(inport, nd.target, nd.tll);");
+ds_destroy();
 }
 }
 }
@@ -6159,10 +6181,6 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap 
*ports,
   "ip4.dst == 0.0.0.0/8",
   "drop;");
 
-/* ARP reply handling.  Use ARP replies to populate the logical
- * router's ARP table. */
-ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 90, "arp.op == 2",
-  "put_arp(inport, arp.spa, arp.sha);");
 
 /* Drop Ethernet local broadcast.  By definition this traffic should
  * not be forwarded.*/
@@ -6175,16 +6193,7 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap 
*ports,
 ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 30,
   ds_cstr(), "drop;");
 
-/* ND advertisement handling.  Use advertisements to populate
- * the logical router's ARP/ND table. */
-ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 90, "nd_na",
-  "put_nd(inport, nd.target, nd.tll);");
 
-/* Lean from neighbor solicitations that were not directed at
- * us.  (A priority-90 flow will respond to requests to us and
- * learn the sender's mac address. */
-ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 80, "nd_ns",
-  "put_nd(inport, ip6.src, nd.sll);");
 
 /* Pass other traffic not already handled to the next table for
  * routing. */
@@ -6320,15 +6329,34 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap 
*ports,
   ds_cstr(), ds_cstr());
 }
 
+/* ARP reply handling. Use ARP replies to populate the logical
+ * router's ARP table. */
+for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) {
+ds_clear();
+ds_put_format(, "inport == %s && arp.spa == %s/%u && "
+  "arp.tpa == %s/%u && arp.op == 2",
+  op->json_key,
+  op->lrp_networks.ipv4_addrs[i].network_s,
+  op->lrp_networks.ipv4_addrs[i].plen,
+  op->lrp_networks.ipv4_addrs[i].network_s,
+  op->lrp_networks.ipv4_addrs[i].plen);
+ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90,
+  ds_cstr(),
+  "put_arp(inport, arp.spa, arp.sha);");
+}
+

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

Re: [ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

[ovs-dev] [PATCH ovn v2] OVN: Fix learning of neighbors from ARP/ND packets.

10 matches

Site Navigation

Mail list logo

Footer information