forked from torvalds/linux
-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ipv6: Support for anonymous tunnel decapsulation
Nowadays, there are more and more private domains where a lot of ingresses and egresses must be linked altogether. Configuring each possible tunnel explicitly could quickly become a nightmare in such use case. Therefore, introducing support for ip6ip6 decapsulation without an explicit tunnel configuration looks like the best solution (e.g., for IOAM). For now, this patch only adds support for ip6ip6 decap, but ip6ip4 could probably be added too if needed. Last year, we had an interesting discussion [1] with Tom about this topic, and especially on how such solution could be implemented in a more generic way. Here is the summary of the thread. Tom said: "This is just IP in IP encapsulation that happens to be terminated at an egress node of the IOAM domain. The fact that it's IOAM isn't germaine, this IP in IP is done in a variety of ways. We should be using the normal protocol handler for NEXTHDR_IPV6 instead of special case code." He also said: "The current implementation might not be what you're looking for since ip6ip6 wants a tunnel configured. What we really want is more like anonymous decapsulation, that is just decap the ip6ip6 packet and resubmit the packet into the stack (this is what you patch is doing). The idea has been kicked around before, especially in the use case where we're tunneling across a domain and there could be hundreds of such tunnels to some device. I think it's generally okay to do this, although someone might raise security concerns since it sort of obfuscates the "real packet". Probably makes sense to have a sysctl to enable this and probably could default to on. Of course, if we do this the next question is should we also implement anonymous decapsulation for 44,64,46 tunnels." Based on the above, here is a generic solution to introduce anonymous tunnels for IPv6. We know that the tunnel6 module is, when loaded, already responsible for handling IPPROTO_IPV6 from an IPv6 context (= ip6ip6). Therefore, when tunnel6 is loaded, it handles ip6ip6 with its tunnel6_rcv handler. Inside the handler, we add a check for anonymous tunnel decapsulation and, if enabled, perform the decap. When tunnel6 is unloaded, it gives the responsability back to tunnel6_anonymous and its own handler. Note that the introduced sysctl to enable anonymous decapsulation is equal to 0 (= disabled) by default. Indeed, as opposed to what Tom suggested, I think it should be disabled by default in order to make sure that users won't have it enabled without knowing it (for security reasons, obviously). Thoughts? Some feedback would be really appreciated, specifically on these points: - Should the anonymous decapsulation happen before (as it is right now) or after tunnel6 handlers? "Before" looks like the most logical solution as, even if you configure a tunnel and enable anonymous decap, the latter will take precedence. - Any comments on the choice of the sysctl name ("tunnel66_decap_enabled")? - Any comments on the patch in general? [1] https://lore.kernel.org/netdev/CALx6S374PQ7GGA_ey6wCwc55hUzOx+2kWT=96TzyF0=g=8T=WA@mail.gmail.com Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
- Loading branch information
1 parent
deecae7
commit fcb82b1
Showing
8 changed files
with
143 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
/* SPDX-License-Identifier: GPL-2.0+ */ | ||
/* | ||
* Anonymous tunnels for IPv6 | ||
* | ||
* Author: | ||
* Justin Iurman <justin.iurman@uliege.be> | ||
*/ | ||
|
||
#ifndef _NET_TUNNEL6_ANONYMOUS_H | ||
#define _NET_TUNNEL6_ANONYMOUS_H | ||
|
||
#include <linux/skbuff.h> | ||
|
||
int tunnel6_anonymous_init(void); | ||
void tunnel6_anonymous_exit(void); | ||
|
||
int tunnel6_anonymous_register(void); | ||
int tunnel6_anonymous_unregister(void); | ||
|
||
bool anonymous66_enabled(struct sk_buff *skb); | ||
int anonymous66_decap(struct sk_buff *skb); | ||
|
||
#endif /* _NET_TUNNEL6_ANONYMOUS_H */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
// SPDX-License-Identifier: GPL-2.0+ | ||
/* | ||
* Anonymous tunnels for IPv6 | ||
* | ||
* Handle the decapsulation process of anonymous tunnels (i.e., not | ||
* explicitly configured). This behavior is needed for architectures | ||
* where a lot of ingresses and egresses must be linked altogether, | ||
* leading to a solution to avoid configuring all possible tunnels. | ||
* | ||
* Author: | ||
* Justin Iurman <justin.iurman@uliege.be> | ||
*/ | ||
|
||
#include <linux/export.h> | ||
#include <linux/icmpv6.h> | ||
#include <linux/init.h> | ||
#include <linux/netdevice.h> | ||
#include <net/addrconf.h> | ||
#include <net/protocol.h> | ||
#include <net/tunnel6_anonymous.h> | ||
#include <uapi/linux/in.h> | ||
|
||
/* called with rcu_read_lock() */ | ||
int anonymous66_rcv(struct sk_buff *skb) | ||
{ | ||
if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) | ||
goto drop; | ||
|
||
if (anonymous66_enabled(skb)) | ||
return anonymous66_decap(skb); | ||
|
||
icmpv6_send(skb, ICMPV6_PARAMPROB, ICMPV6_UNK_NEXTHDR, 0); | ||
drop: | ||
kfree_skb(skb); | ||
return 0; | ||
} | ||
|
||
static const struct inet6_protocol anonymous66_protocol = { | ||
.handler = anonymous66_rcv, | ||
.flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL, | ||
}; | ||
|
||
bool anonymous66_enabled(struct sk_buff *skb) | ||
{ | ||
return __in6_dev_get(skb->dev)->cnf.tunnel66_decap_enabled; | ||
} | ||
EXPORT_SYMBOL(anonymous66_enabled); | ||
|
||
int anonymous66_decap(struct sk_buff *skb) | ||
{ | ||
skb_reset_network_header(skb); | ||
skb_reset_transport_header(skb); | ||
skb->encapsulation = 0; | ||
|
||
__skb_tunnel_rx(skb, skb->dev, dev_net(skb->dev)); | ||
netif_rx(skb); | ||
|
||
return 0; | ||
} | ||
EXPORT_SYMBOL(anonymous66_decap); | ||
|
||
int tunnel6_anonymous_register(void) | ||
{ | ||
return inet6_add_protocol(&anonymous66_protocol, IPPROTO_IPV6); | ||
} | ||
EXPORT_SYMBOL(tunnel6_anonymous_register); | ||
|
||
int tunnel6_anonymous_unregister(void) | ||
{ | ||
return inet6_del_protocol(&anonymous66_protocol, IPPROTO_IPV6); | ||
} | ||
EXPORT_SYMBOL(tunnel6_anonymous_unregister); | ||
|
||
int __init tunnel6_anonymous_init(void) | ||
{ | ||
tunnel6_anonymous_register(); | ||
return 0; | ||
} | ||
|
||
void tunnel6_anonymous_exit(void) | ||
{ | ||
tunnel6_anonymous_unregister(); | ||
} |