> On 17 Feb 2017, at 14:38, Klement Sekera -X (ksekera - PANTHEON TECHNOLOGIES at Cisco) <ksek...@cisco.com> wrote:
>
> Quoting Damjan Marion (damarion) (2017-02-17 14:30:05)
>>
>>> On 17 Feb 2017, at 14:07, Klement Sekera -X (ksekera - PANTHEON TECHNOLOGIES at Cisco) <ksek...@cisco.com> wrote:
>>>
>>> Hi guys,
>>>
>>> BFD echo function allows testing datapaths only and thus using more
>>> aggressive rates and faster detection by using packets, which are
>>> processed only by the sender and simply looped back by the receiver.
>>> Each peer declares the willingness/rate at which it will loop back
>>> echo packets and each side decides to use the feature or not locally.
>>>
>>> For the BFD over UDP, the echo packets are recognized by having
>>> destination port 3785.
>>>
>>> To implement this in VPP, we need to
>>>
>>> 1.) loop back echo packets from remote side - this is easy, already done
>>> 2.) be able to send the packets out and receive them - this hits the
>>> current spoofing protection, when a packet with destination set to our
>>> own IP address gets dropped like this:
>>>
>>> ...
>>> 00:00:00:708351: ip4-local
>>>   UDP: 172.16.2.1 -> 172.16.1.1
>>>     tos 0x00, ttl 255, length 52, checksum 0x6096
>>>     fragment id 0x0000
>>>   UDP: 49152 -> 3785
>>>     length 32, checksum 0x0000
>>> 00:00:00:708351: error-drop
>>>   ip4-input: ip4 spoofed local-address packet drops
>>>
>>> in this example 172.16.1.1 is the address on the interface receiving the
>>> packet.
>>>
>>> Discussion with Neale yielded a few possible solutions, none of which is
>>> great:
>>>
>>> 1.) add input feature to siphon BFD packets instead of going to
>>> ip4-local node
>>> 2a.) skip checks in ip4-local node based on BFD ports
>>> 2b.) skip checks in ip4-local node based on UDP port registration (via
>>> udp_register_dst_port())
>>> 3.) add information for prefix/address to FIB to skip checks for this
>>> entry
>>>
>>> based on discussion, here are the downsides of each:
>>>
>>> 1.) taxes all input packets
>>> 2.) layering violation, cache misses in b.) case
>>> 3.) exposes VPP to spoofed packets for non-BFD traffic
>>>
>>> based on these, 2.) seems to hurt the least.. with 2a.) being the
>>> easiest to implement to move forward..
>>>
>>> I would appreciate thoughts/ideas from more experienced people..
>>
>> What about moving spoof check to udp node and keep per-registration snoop
>> on/off flag?
>
> Per registration of what? The UDP port? That would be the 2b.) solution,
> no?

Not exactly, but close.

- ip4-local skips check for all udp packets
- udp lookup node does check unless explicitly asked not to do so.
  I.e. with udp_register_dst_port_no_spoof().

_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
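Added example, written for this page and not taken from VPP or from anyone in the thread: a small Python model of the split Damjan proposes, where ip4-local passes UDP through without the spoof check and the UDP lookup node applies it per registered destination port, with udp_register_dst_port_no_spoof() as the opt-out. The registry functions, the packet tuple, the simplified "source claims one of our own addresses" check and port 4000 are assumptions; only port 3785 and the addresses from the trace come from the thread.

```python
from collections import namedtuple

UDP_PROTO = 17
BFD_ECHO_PORT = 3785  # BFD echo over UDP, as stated in the thread
# Constructed: both addresses from the trace are treated as this VPP's own,
# so the looped-back echo packet trips the check.
LOCAL_ADDRS = {"172.16.1.1", "172.16.2.1"}
Pkt = namedtuple("Pkt", "src dst proto dport")

def udp_register_dst_port(registry, port, handler, no_spoof=False):
    """Hypothetical registry entry: handler plus a per-port spoof-check opt-out."""
    registry[port] = (handler, no_spoof)

def udp_register_dst_port_no_spoof(registry, port, handler):
    udp_register_dst_port(registry, port, handler, no_spoof=True)

def spoofed_local_source(pkt):
    """Simplified model of the check: the source claims one of our own addresses."""
    return pkt.src in LOCAL_ADDRS

def ip4_local(registry, pkt):
    """Proposed split: ip4-local no longer spoof-checks UDP; udp-local does."""
    if pkt.proto == UDP_PROTO:
        return udp_local(registry, pkt)
    if spoofed_local_source(pkt):
        return "error-drop: ip4 spoofed local-address packet drops"
    return "ip4-local: deliver"

def udp_local(registry, pkt):
    """The check applies to every registered port unless that port opted out."""
    reg = registry.get(pkt.dport)
    if reg is None:
        return "error-drop: no listener"
    handler, no_spoof = reg
    if not no_spoof and spoofed_local_source(pkt):
        return "error-drop: ip4 spoofed local-address packet drops"
    return f"{handler}: deliver"

def run_scenario():
    """Constructed packets: the echo packet from the trace, the same packet
    aimed at an ordinary registered port, and a non-UDP packet."""
    registry = {}
    udp_register_dst_port_no_spoof(registry, BFD_ECHO_PORT, "bfd-echo")
    udp_register_dst_port(registry, 4000, "some-app")  # constructed port
    pkts = {"echo": Pkt("172.16.2.1", "172.16.1.1", UDP_PROTO, BFD_ECHO_PORT),
            "other": Pkt("172.16.2.1", "172.16.1.1", UDP_PROTO, 4000),
            "icmp": Pkt("172.16.2.1", "172.16.1.1", 1, 0)}
    return {name: ip4_local(registry, p) for name, p in pkts.items()}
```

Only the port that explicitly opted out accepts a local-source packet, so the exposure Klement lists under option 3 stays confined to the echo port rather than a whole prefix.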