Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set

From: Dmitry Safonov
Date: Mon Jun 19 2023 - 12:31:13 EST

Next message: Thomas Gleixner: "Re: [PATCH v1] x86/apic: Fix kernel panic when "intremap=off" and "x2apic_phys" are set"
Previous message: Andrew Lunn: "Re: [PATCH net v1] Revert "net: phy: dp83867: perform soft reset and retain established link""
In reply to: David Ahern: "Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set"
Next in thread: Dmitry Safonov: "Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi David,

On 6/18/23 18:50, David Ahern wrote:
> On 6/14/23 4:09 PM, Dmitry Safonov wrote:
>> Be as conservative as possible: if there is TCP-MD5 key for a given peer
>> regardless of L3 interface - don't allow setting TCP-AO key for the same
>> peer. According to RFC5925, TCP-AO is supposed to replace TCP-MD5 and
>> there can't be any switch between both on any connected tuple.
>> Later it can be relaxed, if there's a use, but in the beginning restrict
>> any intersection.
>>
>> Note: it's still should be possible to set both TCP-MD5 and TCP-AO keys
>> on a listening socket for *different* peers.
>
> Does the testsuite cover use of both MD5 and AO for a single listening
> socket with different peers and then other tests covering attempts to
> use both for a same peer?

Thanks for the question, I have written the following tests for
AO/MD5/unsigned listening socket [1]:

1. Listener with TCP-AO key, which has addr = INADDR_ANY
2. Listener with TCP-MD5 key, which has tcpm_addr = INADDR_ANY
3. Listener without any key

Then there's AO_REQUIRED thing, which BGP folks asked to introduce,
which is (7.3) from RFC5925, an option that is per-ao_info, which makes
such socket accepting only TCP-AO enabled segments.

So, 4. Listener with TCP-AO, AO_REQUIRED flag.

And then, going to non-INADDR_ANY:
5. Listener with TCP-AO and TCP-MD5 keys for different peers.

Here again, for each of AO/MD5/unsigned methods, attempt to connect:
6. outside of both key peers
7. inside correct key: i.e. TCP-MD5 client to TCP-MD5 matching key
8. to a wrong key: i.e. TCP-AO client to TCP-MD5 matching key

And another type of checks are the ones expecting *setsockopt()* to fail:
9. Adding TCP-AO key that matches the same peer as TCP-MD5 key
10. The reverse situation
11. Adding TCP-MD5 key to AO_REQUIRED socket
12. Setting AO_REQUIRED on a socket with TCP-MD5 key
13. Adding TCP-AO key on already established connection without any key

And then another bunch of tests that check TCP-AO/TCP-MD5/unsigned
interaction in non/default VRFs.
I think the output of selftest [1] is more-or-less self-descriptive,
correct me if I could improve that.

[1]
https://github.com/0x7f454c46/linux/commit/d7b321f2b5a481e5ff0e80e2e0b3503b1ddb9817

Thanks,
Dmitry

Next message: Thomas Gleixner: "Re: [PATCH v1] x86/apic: Fix kernel panic when "intremap=off" and "x2apic_phys" are set"
Previous message: Andrew Lunn: "Re: [PATCH net v1] Revert "net: phy: dp83867: perform soft reset and retain established link""
In reply to: David Ahern: "Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set"
Next in thread: Dmitry Safonov: "Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]