Quoting Damjan Marion (damarion) (2017-02-17 14:30:05)
> 
> > On 17 Feb 2017, at 14:07, Klement Sekera -X (ksekera - PANTHEON 
> > TECHNOLOGIES at Cisco) <ksek...@cisco.com> wrote:
> > 
> > Hi guys,
> > 
> > BFD echo function allows testing datapaths only and thus using more
> > aggressive rates and faster detection by using packets, which are
> > processed only by the sender and simply looped back by the receiver.
> > Each peer declares the willingness/rate at which it will loop back
> > echo packets and each side decides to use the feature or not locally.
> > 
> > For the BFD over UDP, the echo packets are recognized by having
> > destination port 3785.
> > 
> > To implement this in VPP, we need to
> > 
> > 1.) loop back echo packets from remote side - this is easy, already done
> > 2.) be able to send the packets out and receive them - this hits the
> > current spoofing protection, when a packet with destination set to our
> > own IP address gets dropped like this:
> > 
> > ...
> > 00:00:00:708351: ip4-local
> >    UDP: 172.16.2.1 -> 172.16.1.1
> >      tos 0x00, ttl 255, length 52, checksum 0x6096
> >      fragment id 0x0000
> >    UDP: 49152 -> 3785
> >      length 32, checksum 0x0000
> > 00:00:00:708351: error-drop
> >  ip4-input: ip4 spoofed local-address packet drops
> > 
> > in this example 172.16.1.1 is the address on the interface receiving the
> > packet.
> > 
> > Discussion with Neale yielded a few possible solutions, none of which is
> > great:
> > 
> > 1.) add input feature to siphon BFD packets instead of going to
> > ip4-local node
> > 2a.) skip checks in ip4-local node based on BFD ports
> > 2b.) skip checks in ip4-local node based on UDP port registration (via
> > udp_register_dst_port())
> > 3.) add information for prefix/address to FIB to skip checks for this
> > entry
> > 
> > based on discussion, here are the downsides of each:
> > 
> > 1.) taxes all input packets
> > 2.) layering violation, cache misses in b.) case
> > 3.) exposes VPP to spoofed packets for non-BFD traffic
> > 
> > based on these, 2.) seems to hurt the least.. with 2a.) being the
> > easiest to implement to move forward..
> > 
> > I would appreciate thoughts/ideas from more experienced people..
> 
> What about moving spoof check to udp node and keep per-registration snoop 
> on/off flag?

Per registration of what? The UDP port? That would be the 2b.) solution,
no?

Side note: BFD itself doesn't need any spoof checks in this case (echo),
because there is internal authentication of the packet payload. The echo
function is inherently insecure because an attacker controlling the link
could selectively loop back echo packets, while blocking all other
traffic, thus falsely (until detected by control frames) keeping the
illusion that the link is working. The maximum which an attacker could
achieve by manipulating the IP/UDP headers is just that (link up
illusion), because the IP/UDP is ignored when parsing our echo packets
and the payload guarantees that the echo packet is matched to the
correct BFD session. Control frames theoretically don't need the spoof
checks either - if the SHA1 authentication is turned on for the session.
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
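As an added illustration (example code written for this page, not code from the thread or from VPP), the following Python model sketches option 2b from the discussion: a UDP destination-port registration, the analogue of udp_register_dst_port(), carries a flag saying whether packets for that port may skip the ip4-local spoof check. The looped-back echo packet from the trace (172.16.2.1 -> 172.16.1.1, dst port 3785) then reaches the BFD node while every other port keeps the protection. The thread does not spell out which header field triggers VPP's check; the rule assumed here is that a packet arriving from the wire with one of the node's own addresses as source is treated as spoofed, which is what a looped-back echo packet looks like. The interface names, the second address being local, port 3784 and 9999, the drop reasons and the flag name are constructed assumptions.

```python
"""
Toy model of option 2b: a per-UDP-port registration flag that lets ip4-local
skip its spoof check for that port only. Not VPP code; topology, ports other
than 3785, the spoof rule and the drop reasons are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BFD_ECHO_PORT = 3785       # from the thread: BFD echo packets carry dst port 3785
BFD_CONTROL_PORT = 3784    # assumption: a registered port that keeps the check


@dataclass(frozen=True)
class Ip4UdpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    rx_interface: Optional[str]   # None models a locally generated packet


@dataclass
class UdpRegistration:
    owner: str                    # graph node that consumes packets for this port
    skip_spoof_check: bool = False  # hypothetical per-registration flag (option 2b)


@dataclass
class Ip4Node:
    # interface name -> addresses configured on it (constructed topology)
    local_addrs: Dict[str, Set[str]]
    udp_ports: Dict[int, UdpRegistration] = field(default_factory=dict)

    def udp_register_dst_port(self, port: int, owner: str,
                              skip_spoof_check: bool = False) -> None:
        """Analogue of udp_register_dst_port(), extended with the flag (assumption)."""
        self.udp_ports[port] = UdpRegistration(owner, skip_spoof_check)

    def is_local(self, addr: str) -> bool:
        return any(addr in addrs for addrs in self.local_addrs.values())

    def ip4_local(self, pkt: Ip4UdpPacket) -> str:
        """Model of the ip4-local decision: 'deliver:<owner>' or 'drop:<reason>'."""
        if not self.is_local(pkt.dst):
            return "drop:not-for-us"        # ip4-local only sees packets addressed to us
        # Peeking at the UDP port before the IP-level check is the layering
        # violation the thread attributes to option 2.
        reg = self.udp_ports.get(pkt.dport)
        skip = reg is not None and reg.skip_spoof_check
        # Assumed spoof rule: came in from the wire, yet the source is one of
        # our own addresses. A looped-back echo packet looks exactly like that.
        if pkt.rx_interface is not None and self.is_local(pkt.src) and not skip:
            return "drop:spoofed-local-address"
        if reg is None:
            return "drop:no-listener"
        return f"deliver:{reg.owner}"


def build_node() -> Ip4Node:
    """Constructed two-interface node using the addresses seen in the trace."""
    node = Ip4Node({"intf0": {"172.16.1.1"}, "intf1": {"172.16.2.1"}})
    node.udp_register_dst_port(BFD_ECHO_PORT, "bfd-echo", skip_spoof_check=True)
    node.udp_register_dst_port(BFD_CONTROL_PORT, "bfd-control")   # keeps the check
    return node


def run_scenarios(node: Ip4Node) -> Dict[str, str]:
    """Run constructed packets through the model and collect the verdicts."""
    rx = "intf0"
    return {
        # the packet from the trace: own address as source, echo port, from the wire
        "echo-looped-back": node.ip4_local(
            Ip4UdpPacket("172.16.2.1", "172.16.1.1", 49152, BFD_ECHO_PORT, rx)),
        # same headers, but the port's registration did not ask to skip the check
        "control-with-local-src": node.ip4_local(
            Ip4UdpPacket("172.16.2.1", "172.16.1.1", 49152, BFD_CONTROL_PORT, rx)),
        # genuine peer traffic to the control port is unaffected
        "control-from-peer": node.ip4_local(
            Ip4UdpPacket("172.16.1.2", "172.16.1.1", 49152, BFD_CONTROL_PORT, rx)),
        # spoofed source towards an unregistered port still drops as spoofed
        "unregistered-with-local-src": node.ip4_local(
            Ip4UdpPacket("172.16.2.1", "172.16.1.1", 49152, 9999, rx)),
        # unspoofed traffic to an unregistered port drops for lack of a listener
        "unregistered-from-peer": node.ip4_local(
            Ip4UdpPacket("172.16.1.2", "172.16.1.1", 49152, 9999, rx)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios(build_node()).items():
        print(f"{name:28s} {verdict}")
```

The flag is scoped to one port, so the exposure is limited to whatever the owner of that port is prepared to accept; the BFD echo node is, as the reply above argues, matching packets on its own payload and ignoring the IP/UDP headers anyway. The cost that stays visible in the model is that the port lookup now has to happen before the IP-level check.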