Re: [vpp-dev] Query regarding packet validation checks in ip6_local

Tue, 02 Nov 2021 12:41:35 -0700 

Hi Pankaj, 

I’ll leave the hop-by-hop questions to others that are more familiar with the 
code. As for the length check being done only on the else branch, 
ip6_tcp_udp_icmp_validate_checksum needs to compute the length so I’m guessing 
the expectation is that the checksum validation will fail for bogus length 
packets. Are you hitting any issues with that code? 

Regards,
Florin

> On Nov 2, 2021, at 11:50 AM, pankajmalhotr...@gmail.com wrote:
> 
> Hi,
>     In file vnet/ip/ip6_forward.c(VPP 21.01), function ip6_local_inline(), 
> the node's packet processing has the following check: 
>  
>           if (PREDICT_FALSE (need_csum))
>             {
>               flags = ip6_tcp_udp_icmp_validate_checksum (vm, b[0]);
>               good_l4_csum = flags & VNET_BUFFER_F_L4_CHECKSUM_CORRECT;
>               error = IP6_ERROR_UNKNOWN_PROTOCOL;
>             }
>           else
>             {
>               if (ip6_tcp_udp_icmp_bad_length (vm, b[0]))
>                 error = IP6_ERROR_BAD_LENGTH;
>             }
>  
> Kindly explain the reason behind the checksum and the length validation being 
> under the if-else check, making the length validation not applicable for the 
> case when checksum validation is applicable. 
>  
> Also, in the function ip6_tcp_udp_icmp_bad_length (refer the below snippet), 
> the function seems to assume that the hop-by-hop extension header shall 
> always be present. Is it that, IPv6 hop-by-hop extension header has to be 
> mandatorily present?
>  
> static_always_inline u8
> ip6_tcp_udp_icmp_bad_length (vlib_main_t * vm, vlib_buffer_t * p0)
> {
>  
>   u16 payload_length_host_byte_order;
>   u32 n_this_buffer, n_bytes_left;
>   ip6_header_t *ip0 = vlib_buffer_get_current (p0);
>   u32 headers_size = sizeof (ip0[0]);
>   u8 *data_this_buffer;
>  
>   data_this_buffer = (u8 *) (ip0 + 1);
>  
>   ip6_hop_by_hop_ext_t *ext_hdr = (ip6_hop_by_hop_ext_t *) data_this_buffer;
>  
>   /* validate really icmp6 next */
>  
>   if (!(ext_hdr->next_hdr == IP_PROTOCOL_ICMP6)
>       || (ext_hdr->next_hdr == IP_PROTOCOL_UDP))
>     return 0;
>   ::
>   ::
> 
> 
> Thanks,
> Pankaj Malhotra 
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#20410): https://lists.fd.io/g/vpp-dev/message/20410
Mute This Topic: https://lists.fd.io/mt/86774091/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to