| Message ID | cover.1570787286.git.sd@queasysnail.net |
|---|---|
| Headers | show |
| Series | ipsec: add TCP encapsulation support (RFC 8229) | expand |
From: Sabrina Dubroca <sd@queasysnail.net> Date: Fri, 11 Oct 2019 16:57:23 +0200 > This patchset introduces support for TCP encapsulation of IKE and ESP > messages, as defined by RFC 8229 [0]. It is an evolution of what > Herbert Xu proposed in January 2018 [1] that addresses the main > criticism against it, by not interfering with the TCP implementation > at all. The networking stack now has infrastructure for this: TCP ULPs > and Stream Parsers. So this will bring up a re-occurring nightmare in that now we have another situation where stacking ULPs would be necessary (kTLS over TCP encap) and the ULP mechanism simply can't do this. Last time this came up, it had to do with sock_map. No way could be found to stack ULPs properly, so instead sock_map was implemented via something other than ULPs. I fear we have the same situation here again and this issue must be addressed before these patches are included. Thanks.
2019-10-14, 14:43:27 -0400, David Miller wrote: > From: Sabrina Dubroca <sd@queasysnail.net> > Date: Fri, 11 Oct 2019 16:57:23 +0200 > > > This patchset introduces support for TCP encapsulation of IKE and ESP > > messages, as defined by RFC 8229 [0]. It is an evolution of what > > Herbert Xu proposed in January 2018 [1] that addresses the main > > criticism against it, by not interfering with the TCP implementation > > at all. The networking stack now has infrastructure for this: TCP ULPs > > and Stream Parsers. > > So this will bring up a re-occurring nightmare in that now we have another > situation where stacking ULPs would be necessary (kTLS over TCP encap) and > the ULP mechanism simply can't do this. > > Last time this came up, it had to do with sock_map. No way could be found > to stack ULPs properly, so instead sock_map was implemented via something > other than ULPs. > > I fear we have the same situation here again and this issue must be > addressed before these patches are included. > > Thanks. I don't think there's any problem here. We're not stacking ULPs on the same socket. There's a TCP encap socket for IPsec, which belongs to the IKE daemon. The traffic on that socket is composed of IKE messages and ESP packets. Then there's whatever userspace sockets (doesn't have to be TCP), and the whole IPsec and TCP encap is completely invisible to them. Where we would probably need ULP stacking is if we implement ESP over TLS [1], but we're not there. [1] https://tools.ietf.org/html/rfc8229#appendix-A
On Tue, 15 Oct 2019 10:24:24 +0200, Sabrina Dubroca wrote: > 2019-10-14, 14:43:27 -0400, David Miller wrote: > > From: Sabrina Dubroca <sd@queasysnail.net> > > Date: Fri, 11 Oct 2019 16:57:23 +0200 > > > > > This patchset introduces support for TCP encapsulation of IKE and ESP > > > messages, as defined by RFC 8229 [0]. It is an evolution of what > > > Herbert Xu proposed in January 2018 [1] that addresses the main > > > criticism against it, by not interfering with the TCP implementation > > > at all. The networking stack now has infrastructure for this: TCP ULPs > > > and Stream Parsers. > > > > So this will bring up a re-occurring nightmare in that now we have another > > situation where stacking ULPs would be necessary (kTLS over TCP encap) and > > the ULP mechanism simply can't do this. > > > > Last time this came up, it had to do with sock_map. No way could be found > > to stack ULPs properly, so instead sock_map was implemented via something > > other than ULPs. > > > > I fear we have the same situation here again and this issue must be > > addressed before these patches are included. > > > > Thanks. > > I don't think there's any problem here. We're not stacking ULPs on the > same socket. There's a TCP encap socket for IPsec, which belongs to > the IKE daemon. The traffic on that socket is composed of IKE messages > and ESP packets. Then there's whatever userspace sockets (doesn't have > to be TCP), and the whole IPsec and TCP encap is completely invisible > to them. > > Where we would probably need ULP stacking is if we implement ESP over > TLS [1], but we're not there. > > [1] https://tools.ietf.org/html/rfc8229#appendix-A But can there be any potential issues if the TCP socket with esp ULP is also inserted into a sockmap? (well, I think sockmap socket gets a ULP, I think we prevent sockmap on top of ULP but not the other way around..) Is there any chance we could see some selftests here?
2019-10-15, 11:46:57 -0700, Jakub Kicinski wrote: > On Tue, 15 Oct 2019 10:24:24 +0200, Sabrina Dubroca wrote: > > 2019-10-14, 14:43:27 -0400, David Miller wrote: > > > From: Sabrina Dubroca <sd@queasysnail.net> > > > Date: Fri, 11 Oct 2019 16:57:23 +0200 > > > > > > > This patchset introduces support for TCP encapsulation of IKE and ESP > > > > messages, as defined by RFC 8229 [0]. It is an evolution of what > > > > Herbert Xu proposed in January 2018 [1] that addresses the main > > > > criticism against it, by not interfering with the TCP implementation > > > > at all. The networking stack now has infrastructure for this: TCP ULPs > > > > and Stream Parsers. > > > > > > So this will bring up a re-occurring nightmare in that now we have another > > > situation where stacking ULPs would be necessary (kTLS over TCP encap) and > > > the ULP mechanism simply can't do this. > > > > > > Last time this came up, it had to do with sock_map. No way could be found > > > to stack ULPs properly, so instead sock_map was implemented via something > > > other than ULPs. > > > > > > I fear we have the same situation here again and this issue must be > > > addressed before these patches are included. > > > > > > Thanks. > > > > I don't think there's any problem here. We're not stacking ULPs on the > > same socket. There's a TCP encap socket for IPsec, which belongs to > > the IKE daemon. The traffic on that socket is composed of IKE messages > > and ESP packets. Then there's whatever userspace sockets (doesn't have > > to be TCP), and the whole IPsec and TCP encap is completely invisible > > to them. > > > > Where we would probably need ULP stacking is if we implement ESP over > > TLS [1], but we're not there. > > > > [1] https://tools.ietf.org/html/rfc8229#appendix-A > > But can there be any potential issues if the TCP socket with esp ULP is > also inserted into a sockmap? (well, I think sockmap socket gets a ULP, > I think we prevent sockmap on top of ULP but not the other way around..) Yeah, there's nothing preventing a socket that's already in a sockmap from getting a ULP, only for inserting a socket in a sockmap if it already has a ULP (see sock_map_update_common). I gave it a quick test with espintcp, it doesn't quite seem to work: a sockmap program that drops everything actually drops messages, but a sockmap program that drops some messages based on length... doesn't. Although, to be honest, I don't see a use case for sockmap on espintcp sockets. > Is there any chance we could see some selftests here? For espintcp? That's planned, I need to rework my test scripts so that they don't need human interaction, and turn them into selftests.
On Thu, 17 Oct 2019 16:33:14 +0200, Sabrina Dubroca wrote: > > But can there be any potential issues if the TCP socket with esp ULP is > > also inserted into a sockmap? (well, I think sockmap socket gets a ULP, > > I think we prevent sockmap on top of ULP but not the other way around..) > > Yeah, there's nothing preventing a socket that's already in a sockmap > from getting a ULP, only for inserting a socket in a sockmap if it > already has a ULP (see sock_map_update_common). > > I gave it a quick test with espintcp, it doesn't quite seem to work: a > sockmap program that drops everything actually drops messages, but a > sockmap program that drops some messages based on length... doesn't. > > Although, to be honest, I don't see a use case for sockmap on espintcp > sockets. Perhaps we could reject the espintcp ULP installation when sk_user_data is present? Would that make sense? > > Is there any chance we could see some selftests here? > > For espintcp? That's planned, I need to rework my test scripts so that > they don't need human interaction, and turn them into selftests.
This patchset introduces support for TCP encapsulation of IKE and ESP messages, as defined by RFC 8229 [0]. It is an evolution of what Herbert Xu proposed in January 2018 [1] that addresses the main criticism against it, by not interfering with the TCP implementation at all. The networking stack now has infrastructure for this: TCP ULPs and Stream Parsers. The first patches are preparation and refactoring, and the final patch adds the feature. The main omission in this submission is IPv6 support. ESP encapsulation over UDP with IPv6 is currently not supported in the kernel either, as UDP encapsulation is aimed at NAT traversal, and NAT is not frequently used with IPv6. Some of the code is taken directly, or slightly modified, from Herbert Xu's original submission [1]. The ULP and strparser pieces are new. This work was presented and discussed at the IPsec workshop and netdev 0x13 conference [2] in Prague, last March. [0] https://tools.ietf.org/html/rfc8229 [1] https://patchwork.ozlabs.org/patch/859107/ [2] https://netdevconf.org/0x13/session.html?talk-ipsec-encap Changes since v3: - fix sparse warning related to RCU tag on icsk_ulp_data Changes since v2: - rename config option to INET_ESPINTCP and move it to net/ipv4/Kconfig (patch 6/6) Changes since v1: - drop patch 1, already present in the tree as commit bd95e678e0f6 ("bpf: sockmap, fix use after free from sleep in psock backlog workqueue") - patch 1/6: fix doc error reported by kbuild test robot <lkp@intel.com> - patch 6/6, fix things reported by Steffen Klassert: - remove unneeded goto and improve error handling in esp_output_tcp_finish - clean up the ifdefs by providing dummy implementations of those functions - fix Kconfig select, missing NET_SOCK_MSG Sabrina Dubroca (6): net: add queue argument to __skb_wait_for_more_packets and __skb_{,try_}recv_datagram xfrm: introduce xfrm_trans_queue_net xfrm: add route lookup to xfrm4_rcv_encap esp4: prepare esp_input_done2 for non-UDP encapsulation esp4: split esp_output_udp_encap and introduce esp_output_encap xfrm: add espintcp (RFC 8229) include/linux/skbuff.h | 11 +- include/net/espintcp.h | 39 +++ include/net/xfrm.h | 4 + include/uapi/linux/udp.h | 1 + net/core/datagram.c | 27 +- net/ipv4/Kconfig | 11 + net/ipv4/esp4.c | 264 ++++++++++++++++++-- net/ipv4/udp.c | 3 +- net/ipv4/xfrm4_protocol.c | 9 + net/unix/af_unix.c | 7 +- net/xfrm/Makefile | 1 + net/xfrm/espintcp.c | 505 ++++++++++++++++++++++++++++++++++++++ net/xfrm/xfrm_input.c | 21 +- net/xfrm/xfrm_policy.c | 7 + net/xfrm/xfrm_state.c | 3 + 15 files changed, 867 insertions(+), 46 deletions(-) create mode 100644 include/net/espintcp.h create mode 100644 net/xfrm/espintcp.c