Paths

Table of Contentst

Add Router and Prefix table limits.
AcceptedPublic
Actions

Authored by bz on Dec 6 2019, 9:58 PM.

Details

Reviewers

bz
melifaro
emaste
gnn
ae
hrs
donner

Summary

Implement limit checks for ND6 default routers, and ND6 prefixes learnt.
This avoids easy attacks exhausting resources, e.g., memory.

Limits are only setable on the base system and not on a
per-VNET base to avoid a VNET opening itself up as a target
for DoS taking the entire system down. Should there be a
need for per-VNET limits we can either do as frag6 and have
a system global maximum sum for all VNETs and a per-VNET
one, or we could implement a SYSCTL_PROC not allowing a VNET
to go beyond the global (per-VNET) limit.

In the end the goal here is to avoid a panic and not to provide
all possible counter measures. For some cases network
infrastructure could help a lot easier than we could with 100s
of lines of code.

PR: 157410
Sponsored by: Netflix (originally)

This is extracted from D22447.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

No Lint Coverage

Unit

No Test Coverage

Build Status

Buildable 28016
Build 26173: arc lint + arc unit

Event Timeline

bz created this revision.Dec 6 2019, 9:58 PM

Herald added a subscriber: imp. · View Herald TranscriptDec 6 2019, 9:58 PM

Harbormaster completed remote builds in B28016: Diff 65333.Dec 6 2019, 9:58 PM

bz added a parent revision: D22447: Implement NDP resource limits..Dec 6 2019, 9:58 PM

melifaro added inline comments.Dec 7 2019, 7:45 PM

sys/netinet6/nd6_rtr.c
1152	If we have a an existing router dropping it preference (high -> low) in "overflow" condition, we would update `dr` in the beginning, but fail to maintain sort order for `V_nd6_defrouter`. Can we restrict this check to `dr == NULL` use case?

Update (move sysctls to the top of the file).
Implement excluding dr pref updates from the resource limits as suggested by @melifaro.

Harbormaster completed remote builds in B29788: Diff 69173.Mar 4 2020, 7:17 PM

bz marked an inline comment as done.Mar 4 2020, 7:17 PM

bz added inline comments.

sys/netinet6/nd6_rtr.c
1152	Sorry it took me so long to update this. To much on the plate.

melifaro added inline comments.Mar 10 2020, 8:20 PM

sys/netinet6/nd6_rtr.c
139	Sorry for commenting on it lately. There is a use case with router and many IPv6 interfaces that I'd like to discuss. As the size check is done in `nd6_prelist_add()`, it is traversed by both `nd6_ra_input()` and `SIOCAIFADDR_IN6` codepath. The latter may result in inability to configure more than 64 IPv6-enabled interfaces by default. Would it be possible to introduce some check (no expiration time?) that permits static configuration regardless of the variable value? Could you also consider something like `nd6_ra_prefixes_max` sysctl name, to indicate the review intent (DoS protection, but not the overall IPv6 limit)?

LGTM, if we can raise default nd6_prefixes_max limit to a higher value (256, 1024), to avoid tweaking potentially existing setups.

This revision is now accepted and ready to land.Sep 3 2020, 9:50 PM

markj added a subscriber: markj.Sep 28 2020, 1:00 PM

markj added inline comments.

sys/netinet6/nd6_rtr.c
123	Aren't these per-VNET limits?
139	Indeed, I think we should only apply the limit to prefixes added via router advertisements. I believe expiration time cannot be used to determine whether to count the prefix against the limit, since there is nothing disallowing routers from advertising prefixes with infinite lifetimes. For now we could add a new NDPRF_ flag to indicate whether the prefix was generated from a router advertisement.
143	Extra newline.

Looks reasonable to me

LGTM

Revision Contents
Changeset List

Path

Size

sys/

netinet6/

nd6_rtr.c

53 lines

Diff 65333

View Options

Add Router and Prefix table limits.AcceptedPublicActions