rfc 4301 populate from packet pfp in linux
play

RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan - PowerPoint PPT Presentation

Jan 10, 2023 •201 likes •410 views

RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com) Linux IPsec workshop, March 2018, Dresden Germany Agenda Problem description: what is this and why do we need it? Follows up on discussion

  1. RFC 4301 “Populate From Packet” (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com) Linux IPsec workshop, March 2018, Dresden Germany

  2. Agenda ● Problem description: what is this and why do we need it? – Follows up on discussion at http://swan.libreswan.narkive.com/Tjgazg3z/ipsec-pfp-support-on-linux – Entropy and RSS for performance – How to retain entropy after IPsec ● Use-cases: RDS-TCP, VXLAN, RoCEv2 ● PFP deep-dive – Current kernel code – Proposed changes needed to get this ● Discussion: DoS vector threats, sysctl knobs..

  3. ECMP: Equal Cost Multipathing ● For efficient network usage – We want to avoid re-ordering of packets for a given flow at the routers – We want packets of different flows to exploit parallel paths where possible (ECMP) S2 S1 L2 L1 UDP sport 11111 → 4791 UDP sport 22222→ 4791

  4. What is a “flow”? ● One definition “all ipv4 packets between host A to host B”, or “all UDP packets from A to B” ● But this has a very large granularity- using TCP or UDP 4-tuple (src addr, src port, dst addr, dst port) gives us better flow hashing. ● Same principles apply to RSS at the host as well- use well-defined fields in the packet to define a “flow” ● Existing hardware at routers and ASICs already knows to look for IP addresses and (for TCP and UDP) the port numbers for flow-hashing

  5. Entropy and UDP encapsulations like VXLAN ● We have a number of L3 tunneling protocols that encapsulate with TCP or UDP ● E.g., VXLAN tunnels a tenant L2 frame from a VM in UDP. – UDP destinaton port 4789 (IANA designated port# for VXLAN) – UDP sport is a hash of fields in the tenant frame so that client flows can be hashed across available ECMP paths at the router, UDP sport is randomized to provide “entropy” – VXLAN frame format (Ref: https://docs.citrix.com/zh-cn/netscaler/11/networking/vxlans.html ): –

  6. Other UDP encapsulations: RoCE ● RoCEv2 allows applications to tunnel IB frames over UDP/IP, and obtain benefits of RDMA over commodity ethernet – Tunneling is done in the NIC firmware Infiniband frame

  7. TCP encapsulations: RDS-TCP ● Socket-over-socket model: – Application opens a PF_RDS socket and sees datagram semantics. – RDS Datagram is sent over a kernel TCP socket; TCP provides reliable, ordered delivery ● TCP flows are between IANA registered RDS-TCP port (16385) and a client transient port. ● Multipath RDS: RDS socket is hashed to one of 8 TCP flows between any pair of peers. Client transient port provides RSS/ECMP entropy. – Why 8 sockets? Because the rule-of-thumb for best performance using microbenchmarks like iperf says “use 8-10 socket because the typical NIC has about 8 hardware rings”

  8. Securing kernel manage UDP/TCP tunneling sockets ● IPsec to provide privacy/encryption for data sent through kernel managed TCP/UDP sockets ● IPsec operates at the IP layer, encrypts TCP/UDP header. ● Software/hardware IPsec offloads help improve the single-stream performance profile ● But have we compromised the entropy?

  9. IPsec/ESP hides the port numbers ● TCP and UDP headers may get encrypted with IPsec ● Fortunately, the SPI (32 bits) gets inserted at the exact same byte offset as TCP/UDP port numbers (sport/dport are each 16 bits) ● Unique SPI per IPsec tunnel – so it can be used to define a flow! – Existing hardware can look at the same byte offset to find the flow hash for TCP, UDP and ESP.

  10. Getting an SPI per TCP/UDP 4-tuple ● We typically do not know the client transient port number a priori- most client sockets will use a kernel-assigned port number (implicit bind during connect(), or bind to port 0) ● That means we cannot set up the SADB/SPD entry for the exact 4-tuple, we end up setting two tunnels ● Example for iperf testing, the server listens by default at port 5001. To test Ipsec + iperf for 8 TCP streams using a transient client port (typical iperf test) we would only be able to set up the *swan tunnel “ l ” e f t p r o t o p o r t = t c p / 5 0 0 1 ● 8 TCP 4-tuples → 2 SPIs; Entropy is lost

  11. But does it really matter? ● Oracle DB testing: cluster based appliance that can do parallel queries using RDS-TCP to the database ● Three test cases – Clear traffic, with load spread across 8 TCP connections – IPsec with a single tunnel for *.16385 (single-SPI) – Force the client ports via explicit bind(), and set up 8 IPsec tunnels (8-SPI) ● Elapsed time for the test, peak throughput and number of CPUs processing softirq at peak throughput were instrumented

  12. Results for data appliance parallel query test Elapsed time (s) Peak throughput(Gbps) Number of cpus processing softirq Clear traffic over 8 30 8.2 4 TCP paths IPsec with 1 SPI 606 0.281 1 IPsec with 8 SPIs 204 1.1 4 ● Note that the throughput improves by a factor of 5X by ensuring that each TCP connection gets a unique SPI ● The kernel used for the table above was a UEK 4.1 kernel that did not have support for IPsec software or hardware offload. We expect the gap between clear and IPsec traffic to be reduced with newer kernels that have IPsec offload support (ongoing work to instrument this case) ● Having an SPI per TCP connection helps performance, but how to achieve this without being constrained to requiring an explicit bind() for each TCP/UDP socket?

  13. RFC 4301: Populate From Packet ● RFC 4301 has a remedy for this “If IPsec processing is specified for an entry, a "populate from packet" (PFP) flag may be asserted for one or more of the selectors in the SPD entry (Local IP address; Remote IP address; Next Layer Protocol; and, depending on Next Layer Protocol, Local port and Remote port, or ICMP type/code, or Mobility Header type). If asserted for a given selector X, the flag indicates that the SA to be created should take its value for X from the value in the packet. Otherwise, the SA should take its value(s) for X from the value(s) in the SPD entry.” ● For TCP/UDP if the SPD is marked “PFP” send an upcall to pluto and create an SA for the exact 4-tuple for the packet that triggered the SPD lookup.

  14. Current kernel behavior ● With “ a ” for *swan tunnel setup, when data is u t o = o n d e m a n d sent (via or s ) an SADB_ACQUIRE c o n n e c t ( ) e n d ( ) / s e n d t o ( ) upcall is sent from the kernel to the p daemon. l u t o ● SADB_ACQUIRE is sent from x if f r m _ s t a t e _ f i n d ( ) tells us that there is no acquire currently x f r m _ s t a t e _ l o o k a t ( ) in progress. – In the iperf example, today we’d trigger one ACQUIRE for the first 4-tuple that matched *.5001 and subsequent packet triggers that matched *.5001 would all find a c q _ i n _ p r o g r e s s

  15. Proposed modification ● Add a new XFRM_POLICY_PFP flag, and provide the netlink hooks to allow userspace to set it on a specific SPD ● In x if we find an xfrm_state in XFRM_STATE_ACQ f r m _ s t a t e _ l o o k a t ( ) , if (pol->flags & XFRM_POLICY_PFP) { // return acq_in_progress only if xfrm_selector_match() succeeds if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) || !security_xfrm_state_pol_flow_match(x, pol, fl)) return; // no acquire in progress. } *acq_in_progress = 1; // don’t send another ACQUIRE

  16. Changes to p l u t o ● Need to be able to set the new XFRM_POLICY_PFP flag ● And much more… Paul Wouters will describe

  17. Is there a DoS threat with PFP? ● Clear TCP/UDP traffic gets entropy from the 4-tuple- kernel has to manage some state per socket, routers use the entropy to find the hash needed for ECMP ● If we have an SPI per 4-tuple, we end up creating IPsec tunnel state merely for entropy ● we may end up with many more tunnels than the available multipathing – e.g., 1000 UDP sockets, but only 8-way multipathing => 1000 IPsec tunnels. ● Sysctl tunables to place upper limits on this? e.g., generate a max of k ACQUIRE’s for a PFP SPD by using a mask for port matching?

  18. Backup slides

  19. RDS-TCP Architectural Overview RDS app RDS app RDS app App data user kernel rds_tcp RDS App data Kernel TCP socket TCP TCP RDS App data IP IP TCP RDS App data driver L2 IP TCP RDS App data

  20. RSS and entropy • Shannon Nelson pointed out to me that Niantic does the RSS hashing based on the TCP/UDP 4- tuple after decrypt (when offload has been enabled) • All drivers should follow that model for offloaded IPsec (this will give the desired steering even when PFP has not been requested) • Even when IPsec has not been (or cannot be) offloaded, NICs should use SPI for the RSS hash.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Worksheet 9 Worksheet 9 Linux as a router, packet filtering, traffic Linux as a router, packet

Worksheet 9 Worksheet 9 Linux as a router, packet filtering, traffic Linux as a router, packet

Worksheet 9 Worksheet 9 Linux as a router, packet filtering, traffic Linux as a router, packet filtering, traffic shaping shaping Linux as a router Linux as a router Capable of acting as a router, firewall, traffic Capable of acting as a

366 views • 21 slides
Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) March 24, 2015 3:44pm 2015 Avinash Kak, Purdue University c Goals: Packet-filtering vs. proxy-server

828 views • 70 slides
CS518 CS518 Packet Handling in Linux Packet Handling in Linux --Gaurav Gaurav Dawra Dawra --

CS518 CS518 Packet Handling in Linux Packet Handling in Linux --Gaurav Gaurav Dawra Dawra --

CS518 CS518 Packet Handling in Linux Packet Handling in Linux --Gaurav Gaurav Dawra Dawra -- Overview Internetworking: Past and Present Overview Internetworking: Past and Present Overview TCP/IP and OSI Model TCP/IP

751 views • 47 slides
BlazePPS A Packet Processing System Implemented in an FPGA and Linux Valeh Amiri (vv2252)

BlazePPS A Packet Processing System Implemented in an FPGA and Linux Valeh Amiri (vv2252)

BlazePPS A Packet Processing System Implemented in an FPGA and Linux Valeh Amiri (vv2252) Christopher Campbell (cc3769) Sheng Qian (sq2168) Yuanpei Zhang (yz2727) Columbia University May 14 th , 2015 Overview Goals Design

500 views • 12 slides
How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO Agenda What is tcpdump? Lab set-up tcpdump usage Output breakdown Saving to file Filtering (host, port, traffic

582 views • 11 slides
Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul

Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul Emmerich, Alexander Kurtz, Krzysztof Lesiak

721 views • 29 slides
Weddings 2707 Little Rock Rd. Charlotte, NC 28214 704-394-4301 1 Your Wedding Day On your

Weddings 2707 Little Rock Rd. Charlotte, NC 28214 704-394-4301 1 Your Wedding Day On your

The Holiday Inn Charlotte Airport Weddings 2707 Little Rock Rd. Charlotte, NC 28214 704-394-4301 1 Your Wedding Day On your wedding day, let us take care of the details while you relax and savor the moment! From a grand reception in the

356 views • 9 slides
Scope focused on Linux using Linux terminology the principles are general Assumption knowledge

Scope focused on Linux using Linux terminology the principles are general Assumption knowledge

% Networking % Ji Benc, Red Hat % Advanced Operating Systems, MFF UK Scope focused on Linux using Linux terminology the principles are general Assumption knowledge of OSI model understanding of packet structure basic understanding of

407 views • 11 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
How Will We Populate the Semantic Web on a Vast Scale? Tom M. Mitchell Weam AbuZaki, Justin

How Will We Populate the Semantic Web on a Vast Scale? Tom M. Mitchell Weam AbuZaki, Justin

How Will We Populate the Semantic Web on a Vast Scale? Tom M. Mitchell Weam AbuZaki, Justin Betteridge, Andrew Carlson, Estevam R. Hruschka Jr., Bryan Kisiel, Burr Settles, Richard Wang Machine Learning Department Carnegie Mellon University

665 views • 34 slides
Breakout Group A WE CHANGED OUR MINDS Availability of data to populate our asset inventory

Breakout Group A WE CHANGED OUR MINDS Availability of data to populate our asset inventory

Breakout Group A WE CHANGED OUR MINDS Availability of data to populate our asset inventory Around the table, most felt these data exist presently, many already in u electronic form (though nothing is centralized) General agreement to

340 views • 10 slides
Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

03/11/2017 Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer to a radio for the transmission of digital data via amateur radio. It is another mode of operation that has a multitude of uses, such as

571 views • 17 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Methodology and Key Assumptions The Trust team has worked with Deloitte to populate the NHSI Long

Methodology and Key Assumptions The Trust team has worked with Deloitte to populate the NHSI Long

DRAFT FOR DISCUSSION Methodology and Key Assumptions The Trust team has worked with Deloitte to populate the NHSI Long Term Financial Model to produce the Financial Case outputs. The April 2019 NHSI 19/20 plan submission has been used as the

626 views • 5 slides
New Developments in Trenchless Technologies Wide range of technologies suitable for different

New Developments in Trenchless Technologies Wide range of technologies suitable for different

New Developments in Trenchless Technologies Wide range of technologies suitable for different installation lengths, diameters, materials, or specific requirements (like accuracy) Direct Pipe & Intersect drills Variants on

626 views • 9 slides
Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS

Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS

Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS Swedish ICT ( home.deib.polimi.it/mottola ) Who am I? Whats the course about? Networked Embedded Software Software that powers networked embedded

530 views • 35 slides
Mobile Routing Goal is to allow a host to be disconnected from one network and connected to

Mobile Routing Goal is to allow a host to be disconnected from one network and connected to

Mobile Routing Goal is to allow a host to be disconnected from one network and connected to another With normal IP addresses, host would either become unreachable, or it would need to get a new IP address somehow (DHCP, manual

226 views • 10 slides
IPv6 IP Version 6 to the Rescue Effort started by the IETF in 1994 Much larger addresses

IPv6 IP Version 6 to the Rescue Effort started by the IETF in 1994 Much larger addresses

IPv6 IP Version 6 to the Rescue Effort started by the IETF in 1994 Much larger addresses (128 bits) Many sundry improvements Became an IETF standard in 1998 Nothing much happened for a decade Hampered by deployment issues,

504 views • 39 slides
IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials,

IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials,

IPsec 1 IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials, extend without waiting for OS vendor, understand data; (-): design again and again; e.g., PGP, ssh, Kerberos Transport layer: (+):

420 views • 18 slides
Network Mobility Thierry Ernst Keio University ernst@sfc.wide.ad.jp 1 Thierry Ernst -

Network Mobility Thierry Ernst Keio University ernst@sfc.wide.ad.jp 1 Thierry Ernst -

Network Mobility Thierry Ernst Keio University ernst@sfc.wide.ad.jp 1 Thierry Ernst - Nautilus6.org - September 2004 IP-layer Mobility: Host Mobility and Network Mobility Address Requirements for IPv6 nodes: Must be topologically correct

678 views • 41 slides
Weaving 101 2 Agenda Access onto Sites Entrances & Doors Spaces Covered/ Work

Weaving 101 2 Agenda Access onto Sites Entrances & Doors Spaces Covered/ Work

8/7/2018 Underwater Basket Weaving 101 2 Agenda Access onto Sites Entrances & Doors Spaces Covered/ Work Areas Vertical Access Toilet Rooms Signs 3 1 8/7/2018 ADA Standards 4 ADA Standards (2010) Apply to:

713 views • 29 slides
Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov

Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov

Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Network communication Who are you talking to?

636 views • 35 slides

More recommend