Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 1 | .. SPDX-License-Identifier: GPL-2.0 |
| 2 | |
| 3 | ==== |
| 4 | XFRM |
| 5 | ==== |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 6 | |
| 7 | The sync patches work is based on initial patches from |
| 8 | Krisztian <hidden@balabit.hu> and others and additional patches |
| 9 | from Jamal <hadi@cyberus.ca>. |
| 10 | |
| 11 | The end goal for syncing is to be able to insert attributes + generate |
Eric Engestrom | edb9a1b | 2016-04-25 07:36:56 +0100 | [diff] [blame] | 12 | events so that the SA can be safely moved from one machine to another |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 13 | for HA purposes. |
| 14 | The idea is to synchronize the SA so that the takeover machine can do |
| 15 | the processing of the SA as accurate as possible if it has access to it. |
| 16 | |
| 17 | We already have the ability to generate SA add/del/upd events. |
| 18 | These patches add ability to sync and have accurate lifetime byte (to |
| 19 | ensure proper decay of SAs) and replay counters to avoid replay attacks |
| 20 | with as minimal loss at failover time. |
Eric Engestrom | edb9a1b | 2016-04-25 07:36:56 +0100 | [diff] [blame] | 21 | This way a backup stays as closely up-to-date as an active member. |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 22 | |
| 23 | Because the above items change for every packet the SA receives, |
| 24 | it is possible for a lot of the events to be generated. |
| 25 | For this reason, we also add a nagle-like algorithm to restrict |
| 26 | the events. i.e we are going to set thresholds to say "let me |
| 27 | know if the replay sequence threshold is reached or 10 secs have passed" |
| 28 | These thresholds are set system-wide via sysctls or can be updated |
| 29 | per SA. |
| 30 | |
| 31 | The identified items that need to be synchronized are: |
| 32 | - the lifetime byte counter |
| 33 | note that: lifetime time limit is not important if you assume the failover |
| 34 | machine is known ahead of time since the decay of the time countdown |
| 35 | is not driven by packet arrival. |
| 36 | - the replay sequence for both inbound and outbound |
| 37 | |
| 38 | 1) Message Structure |
| 39 | ---------------------- |
| 40 | |
| 41 | nlmsghdr:aevent_id:optional-TLVs. |
| 42 | |
| 43 | The netlink message types are: |
| 44 | |
| 45 | XFRM_MSG_NEWAE and XFRM_MSG_GETAE. |
| 46 | |
| 47 | A XFRM_MSG_GETAE does not have TLVs. |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 48 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 49 | A XFRM_MSG_NEWAE will have at least two TLVs (as is |
| 50 | discussed further below). |
| 51 | |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 52 | aevent_id structure looks like:: |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 53 | |
| 54 | struct xfrm_aevent_id { |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 55 | struct xfrm_usersa_id sa_id; |
| 56 | xfrm_address_t saddr; |
| 57 | __u32 flags; |
| 58 | __u32 reqid; |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 59 | }; |
| 60 | |
Jamal Hadi Salim | 2b5f6dc | 2006-12-02 22:22:25 -0800 | [diff] [blame] | 61 | The unique SA is identified by the combination of xfrm_usersa_id, |
| 62 | reqid and saddr. |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 63 | |
| 64 | flags are used to indicate different things. The possible |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 65 | flags are:: |
| 66 | |
| 67 | XFRM_AE_RTHR=1, /* replay threshold*/ |
| 68 | XFRM_AE_RVAL=2, /* replay value */ |
| 69 | XFRM_AE_LVAL=4, /* lifetime value */ |
| 70 | XFRM_AE_ETHR=8, /* expiry timer threshold */ |
| 71 | XFRM_AE_CR=16, /* Event cause is replay update */ |
| 72 | XFRM_AE_CE=32, /* Event cause is timer expiry */ |
| 73 | XFRM_AE_CU=64, /* Event cause is policy update */ |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 74 | |
| 75 | How these flags are used is dependent on the direction of the |
| 76 | message (kernel<->user) as well the cause (config, query or event). |
| 77 | This is described below in the different messages. |
| 78 | |
| 79 | The pid will be set appropriately in netlink to recognize direction |
| 80 | (0 to the kernel and pid = processid that created the event |
| 81 | when going from kernel to user space) |
| 82 | |
| 83 | A program needs to subscribe to multicast group XFRMNLGRP_AEVENTS |
| 84 | to get notified of these events. |
| 85 | |
| 86 | 2) TLVS reflect the different parameters: |
| 87 | ----------------------------------------- |
| 88 | |
| 89 | a) byte value (XFRMA_LTIME_VAL) |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 90 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 91 | This TLV carries the running/current counter for byte lifetime since |
| 92 | last event. |
| 93 | |
| 94 | b)replay value (XFRMA_REPLAY_VAL) |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 95 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 96 | This TLV carries the running/current counter for replay sequence since |
| 97 | last event. |
| 98 | |
| 99 | c)replay threshold (XFRMA_REPLAY_THRESH) |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 100 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 101 | This TLV carries the threshold being used by the kernel to trigger events |
| 102 | when the replay sequence is exceeded. |
| 103 | |
| 104 | d) expiry timer (XFRMA_ETIMER_THRESH) |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 105 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 106 | This is a timer value in milliseconds which is used as the nagle |
| 107 | value to rate limit the events. |
| 108 | |
| 109 | 3) Default configurations for the parameters: |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 110 | --------------------------------------------- |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 111 | |
| 112 | By default these events should be turned off unless there is |
| 113 | at least one listener registered to listen to the multicast |
| 114 | group XFRMNLGRP_AEVENTS. |
| 115 | |
| 116 | Programs installing SAs will need to specify the two thresholds, however, |
| 117 | in order to not change existing applications such as racoon |
| 118 | we also provide default threshold values for these different parameters |
| 119 | in case they are not specified. |
| 120 | |
| 121 | the two sysctls/proc entries are: |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 122 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 123 | a) /proc/sys/net/core/sysctl_xfrm_aevent_etime |
| 124 | used to provide default values for the XFRMA_ETIMER_THRESH in incremental |
| 125 | units of time of 100ms. The default is 10 (1 second) |
| 126 | |
| 127 | b) /proc/sys/net/core/sysctl_xfrm_aevent_rseqth |
| 128 | used to provide default values for XFRMA_REPLAY_THRESH parameter |
| 129 | in incremental packet count. The default is two packets. |
| 130 | |
| 131 | 4) Message types |
| 132 | ---------------- |
| 133 | |
| 134 | a) XFRM_MSG_GETAE issued by user-->kernel. |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 135 | XFRM_MSG_GETAE does not carry any TLVs. |
| 136 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 137 | The response is a XFRM_MSG_NEWAE which is formatted based on what |
| 138 | XFRM_MSG_GETAE queried for. |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 139 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 140 | The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 141 | * if XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved |
| 142 | * if XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 143 | |
| 144 | b) XFRM_MSG_NEWAE is issued by either user space to configure |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 145 | or kernel to announce events or respond to a XFRM_MSG_GETAE. |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 146 | |
| 147 | i) user --> kernel to configure a specific SA. |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 148 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 149 | any of the values or threshold parameters can be updated by passing the |
| 150 | appropriate TLV. |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 151 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 152 | A response is issued back to the sender in user space to indicate success |
| 153 | or failure. |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 154 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 155 | In the case of success, additionally an event with |
| 156 | XFRM_MSG_NEWAE is also issued to any listeners as described in iii). |
| 157 | |
| 158 | ii) kernel->user direction as a response to XFRM_MSG_GETAE |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 159 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 160 | The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 161 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 162 | The threshold TLVs will be included if explicitly requested in |
| 163 | the XFRM_MSG_GETAE message. |
| 164 | |
| 165 | iii) kernel->user to report as event if someone sets any values or |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 166 | thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above). |
| 167 | In such a case XFRM_AE_CU flag is set to inform the user that |
| 168 | the change happened as a result of an update. |
| 169 | The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 170 | |
| 171 | iv) kernel->user to report event when replay threshold or a timeout |
Mauro Carvalho Chehab | a5cfea3 | 2020-05-01 16:44:31 +0200 | [diff] [blame^] | 172 | is exceeded. |
| 173 | |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 174 | In such a case either XFRM_AE_CR (replay exceeded) or XFRM_AE_CE (timeout |
| 175 | happened) is set to inform the user what happened. |
| 176 | Note the two flags are mutually exclusive. |
| 177 | The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs. |
| 178 | |
| 179 | Exceptions to threshold settings |
| 180 | -------------------------------- |
| 181 | |
| 182 | If you have an SA that is getting hit by traffic in bursts such that |
| 183 | there is a period where the timer threshold expires with no packets |
| 184 | seen, then an odd behavior is seen as follows: |
| 185 | The first packet arrival after a timer expiry will trigger a timeout |
Eric Engestrom | edb9a1b | 2016-04-25 07:36:56 +0100 | [diff] [blame] | 186 | event; i.e we don't wait for a timeout period or a packet threshold |
Jamal Hadi Salim | b8a9952 | 2006-04-14 15:05:16 -0700 | [diff] [blame] | 187 | to be reached. This is done for simplicity and efficiency reasons. |
| 188 | |
| 189 | -JHS |