-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
program: discard IPv4 packets with options #184
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While this currently addresses the IPv4 issue, the code is still buggy for IPv6. Why not fix it in the same PR? Otherwise, what issue is tracking the fact that the IPv6 code is similarly broken?
This PR is missing support for fragmented XDP buffers - see |
We should add some functional test cases for this new feature. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to address outstanding feedback for fragmentation and test cases.
Perhaps the key question is "why are we adding support for IPv4 options?" - that hasn't been answered in this PR. IPv6 extensions are broken in a slightly different way, since the IPv6 header itself is always a fixed size. Right now we do not support IPv6 extensions by design, but we also did not support IPv4 options by design. Until now, our trade-off was to expose the bare minimum hand-crafted, unverified parsing code needed to test basic networking scenarios with XDP, plus anything needed to unblock customers, e.g. MsQUIC. Our position has always been that eBPF is the path forward for parsing more complex and arbitrary packet payloads. |
I don't follow why we would want to support IPv4 options but not IPv6 extension headers. It's the inconsistency that I'm calling out and it sounds like you agree it's inconsistent in this PR and insufficiently motivated why there should be a difference. |
In my comprehension, the
Sure, could you please indicate me where to do that. I'm not yet 100% familiar with the code base
Motivation is that we use XDP internally and we encountered IPv4 packets with header length is not the default 20 bytes, so we fixed it in our fork and wanted to share the fix. |
This all makes sense to me, and I think this is reasonable to take. I do also think adding some explicit tests (@mtfriesen to give the pointer) would be a good idea. |
I agree, this is the minimal change to parse variable-length IPv4 headers without wading into parsing specific options/extensions. Makes sense to take it. Re: tests, I'd start perhaps with the |
There is definitely a problem in the IPv6 code equivalent to the IPv4 problem before, which is that it incorrectly assumes that the UDP header can only appear immediately after the IPv6 header. Such an assumption is equivalent to an assumption that an IPv4 packet has no options.
Either don't support skipping over IPv4 options, or support skipping over IPv6 extension headers. It makes no sense to support one but not the other.
By that same motivation you should support IPv6 packets with intermediate headers.
Same motivation means should fix IPv6 to skip over intermediate headers. Otherwise you'll see the exact same problem in IPv6. |
I agree that on a conceptual level that we're solving a problem in IPv4 that has an IPv6 equivalent. However, our consistency in this XDP parsing module has been very simple: we solve only the problems that actual customers need us to solve until we can provide them with eBPF, which is the superior, general solution. Since this code is intended to be removed eventually, we aim to avoid unnecessary development costs, minimize our attack surface, etc. unless a specific customer requires increasing the size and complexity of this codebase. In other words, it is intentionally incomplete and incorrect, except in specific cases where customers care about narrowly defined "correct" behavior. |
In IPv6, there is no bug: the UDP / TCP headers will just not be parsed , so the user will not see any packets whatever the applied rule. This is a limitation, but not a bug. |
To be fair, both IPv4 and IPv6 were known limitations: we intentionally did not bother with the IPv4 header length field. We've taken an extremely minimalist approach to parsing headers: touch only the fields we must to support specific customer scenarios. |
Talking about the attack surface: with the code right now (without the fix), if someone uses XDP to, let's say, drop any packet that matches a specific rule for a security purpose, it's really easy for an attacker to just specify an IPv4 HeaderLength > 5, and write fake UDP / TCP headers that will just bypass the rule intended. Packets will then be passed to the other layers, meaning that the security purpose intended is not achieved. As explained in the motivations, we just wanted to share with you this simple fix. If you intend to remove this part of the code, no problem for me not to merge this PR. Just be aware that it may cause some security issues and could be used by an attacker. |
Right, however, we don't have any DDoS/filtering customers at the moment. If we did, however, we'd need to add the IPv6 extension-skipping logic for exactly the same reason as the IPv4 example. There is also a long tail for DDoS, e.g. fragmentation attacks, that are currently entirely unsupported in our L4+ filters. |
Basically, we've very intentionally defined a narrow scope to these parsing rules because eBPF is the long-term answer. We know from experience that parsing packets in an RFC-compliant, performant, and secure manner has nontrivial development and ongoing maintenance costs. |
I agree that would be consistent. I'm only arguing for consistency. So I'd be fine with that, or with adding IPv6-extension skipping logic (if security is important for this legacy code which sounds like it'll be deprecated/removed once eBPF logic is in). |
Just done that and re-pushed.I agree this is the best way to have consistency between IPv4 & IPv6, i.e. discard packets with options / extensions explicitly. |
We're hitting build failures:
|
IPv4 header is not always 20 bytes, as it can contain options (i.e. when HeaderLength > 5)
Casting to UINT64 seems to fix the issue |
* Bump submodules/wil from `3e2ee37` to `0b2d6c2` (microsoft#175) Bumps [submodules/wil](https://github.com/microsoft/wil) from `3e2ee37` to `0b2d6c2`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@3e2ee37...0b2d6c2) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Upgrade to the latest prerelease build of eBPF (microsoft#180) * upgrade to the latest prerelease build of eBPF, including minor version bump to 0.7 * eBPF: relax NPI client dispatch table requirement * Bump actions/checkout from 3.3.0 to 3.5.0 (microsoft#181) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.5.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@ac59398...8f4b7f8) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump submodules/wil from `0b2d6c2` to `1340b8a` (microsoft#176) Bumps [submodules/wil](https://github.com/microsoft/wil) from `0b2d6c2` to `1340b8a`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@0b2d6c2...1340b8a) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * consume new ebpf extension definitions (microsoft#183) * improve tracing of XDP programs (microsoft#182) * program: discard IPv4 packets with options (microsoft#184) * Use volatile accessors for reads from user mode (microsoft#188) * use volatile accessors for reads from user mode * add gratuitous casts for VS2019 builds * update to a newer eBPF 0.7.0 build (microsoft#191) * Bump submodules/wil from `1340b8a` to `70155eb` (microsoft#190) Bumps [submodules/wil](https://github.com/microsoft/wil) from `1340b8a` to `70155eb`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@1340b8a...70155eb) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * assert MDL reuse correctness in generic XDP (microsoft#192) * upgrade to eBPF 0.8.0 release (official) (microsoft#194) * Bump submodules/wil from `70155eb` to `9db6276` (microsoft#199) Bumps [submodules/wil](https://github.com/microsoft/wil) from `70155eb` to `9db6276`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@70155eb...9db6276) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump actions/checkout from 3.5.0 to 3.5.2 (microsoft#200) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.0 to 3.5.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8f4b7f8...8e5e7e5) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump submodules/wil from `9db6276` to `fc5dbf5` (microsoft#202) Bumps [submodules/wil](https://github.com/microsoft/wil) from `9db6276` to `fc5dbf5`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@9db6276...fc5dbf5) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * collect full kernel dumps in Azure pipelines (microsoft#203) * enable 1GB circular buffer for ebpf logging in spinxsk (microsoft#204) * ensure EC passive worker gets boosted during cleanup (microsoft#205) * Bump submodules/wil from `fc5dbf5` to `1c6126b` (microsoft#206) Bumps [submodules/wil](https://github.com/microsoft/wil) from `fc5dbf5` to `1c6126b`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@fc5dbf5...1c6126b) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ingest eBPF 0.9.0 (microsoft#207) * Bump submodules/wil from `1c6126b` to `57a57cd` (microsoft#209) Bumps [submodules/wil](https://github.com/microsoft/wil) from `1c6126b` to `57a57cd`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@1c6126b...57a57cd) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * submodule QEO and plumb stub interface (microsoft#211) * Add XDPFNMP support for direct OIDs (microsoft#210) * Add bare minimum QEO offload support (microsoft#214) * collect complete crash dumps on local machines, too (microsoft#215) * s/flavor/config/g (microsoft#216) * Improve offload synchronization (microsoft#217) * Bumb XDP Patch Version (microsoft#219) * Bump submodules/quic-offloads from `d08bf41` to `fc6f00b` (microsoft#220) Bumps [submodules/quic-offloads](https://github.com/microsoft/quic-offloads) from `d08bf41` to `fc6f00b`. - [Commits](microsoft/net-offloads@d08bf41...fc6f00b) --- updated-dependencies: - dependency-name: submodules/quic-offloads dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ensure offloads are cleaned up during detach (microsoft#222) * many hours of work :) (microsoft#223) * split offload file into per-offload-type modules (microsoft#224) * enable functional and spinxsk tests to run with eBPF preinstalled (microsoft#226) * Outline of an Initial Threat Model (microsoft#229) * Initial Release and Support Documentation (microsoft#227) * Fix deadlock in LWF unload (microsoft#230) * Enforce QEO connection offload state (microsoft#231) * disable untested, experimental features in official builds (microsoft#232) * conditionally re-copy the pattern buffer into each RX packet (microsoft#235) * Consume new NDIS OID definition and fall back to IPSec prototype OID (microsoft#236) * Bump actions/setup-dotnet from 3.0.3 to 3.1.0 (microsoft#238) Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 3.0.3 to 3.1.0. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](actions/setup-dotnet@607fce5...aa983c5) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update uninstall instructions (microsoft#239) * upgrade to 0.9.0 postrelease fix (microsoft#237) * configure linker to load xdpapi dependencies only from system32 (microsoft#240) * Add some more detail to our threat model (microsoft#241) * Bump submodules/net-offloads from `b5fc47d` to `02dbf4e` (microsoft#244) Bumps [submodules/net-offloads](https://github.com/microsoft/net-offloads) from `b5fc47d` to `02dbf4e`. - [Commits](microsoft/net-offloads@b5fc47d...02dbf4e) --- updated-dependencies: - dependency-name: submodules/net-offloads dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump submodules/wil from `57a57cd` to `08ce919` (microsoft#245) Bumps [submodules/wil](https://github.com/microsoft/wil) from `57a57cd` to `08ce919`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@57a57cd...08ce919) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump actions/setup-dotnet from 3.1.0 to 3.2.0 (microsoft#246) Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](actions/setup-dotnet@aa983c5...3447fd6) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Allow configuration of non-admin XDP users (microsoft#248) * enable OS component tracing in functional tests (microsoft#253) * Bump functional test timeouts (microsoft#250) * wait for NDIS in restart test, outside of watchdog (microsoft#251) * catch eBPF uninstall hangs (microsoft#255) * Use 1ES hosted pools for GitHub actions (microsoft#257) * avoid WMI query during eBPF uninstall (microsoft#260) * bump miniport restart timeout (microsoft#261) * always test eBPF in spinxsk CI (microsoft#263) * force powershell job cleanup (microsoft#264) * Fix the only AzWatson bugcheck in the last 7 days (microsoft#262) * use default spinxsk queue count (microsoft#266) * dust off the XSK perf tests and run them in CI (microsoft#268) * Bump actions/checkout from 3.5.2 to 3.5.3 (microsoft#269) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8e5e7e5...c85c95e) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add functional test watchdog (microsoft#267) * use plain PowerShell in GitHub Actions (microsoft#271) * cut perf matrix in half (microsoft#270) * continue on error (microsoft#272) * fix UDP checksum ipv6 logic (microsoft#273) * Improve TCP test reliability (microsoft#274) * continue to try to fix TCP test case (microsoft#276) * add more perf coverage (microsoft#275) * log system commands in functional tests (microsoft#277) * remove TODO in RSS query initialization (microsoft#279) * add more eBPF uninstall diagnostics (microsoft#280) * consistently use xdp.cpp.default.props (microsoft#281) * target WS2019 ABI * cleanup * Add downlevel VS2019 build (microsoft#282) * dummy commit * Upload perf data (microsoft#283) * Depend on specific build of corenet-ci repo (microsoft#284) * Link to Perf Dashboard (microsoft#287) * Bump submodules/wil from `08ce919` to `9eb9851` (microsoft#289) Bumps [submodules/wil](https://github.com/microsoft/wil) from `08ce919` to `9eb9851`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@08ce919...9eb9851) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump actions/checkout from 3.5.2 to 3.5.3 (microsoft#290) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3.5.2...c85c95e) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * don't out of bounds argv (microsoft#291) * add new ForPerfTest profile to prepare-machine.ps1. (microsoft#292) * Add simple AF_XDP sample (microsoft#295) * Use enum for XdpCreateProgram flags (microsoft#296) * remove nonstandard shared umem (microsoft#297) * Delete changelog.md (microsoft#299) * Move .props files to src directory (microsoft#298) * Add new MSI installer project - `xdpinstaller` (microsoft#285) * invoke prepare-machine from anywhere (microsoft#301) * remove cleanup artifacts script (microsoft#302) * Bump submodules/wil from `9eb9851` to `d784315` (microsoft#305) Bumps [submodules/wil](https://github.com/microsoft/wil) from `9eb9851` to `d784315`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@9eb9851...d784315) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * reduce spinxsk success threshold for msquic pool (microsoft#303) * check drivers after prepare-machine (microsoft#304) * Integrate installer with XDP project (microsoft#300) * bugchecks aren't being captured, so try again with live dumps (microsoft#308) * limit test runtime in GH Actions (microsoft#309) * try again with GitHub actions timeouts (microsoft#313) * Use XDP MSI in CI tests (microsoft#312) * add IO work item logging (microsoft#317) * Fix perf runs with MSI (microsoft#316) * improve eBPF uninstall diagnostics (microsoft#318) * Add MSI documentation (microsoft#314) * more perf script fixes (microsoft#319) * use regular, kernel-only crash dumps in CI (microsoft#322) * Wait for work items before unloading XDP (microsoft#321) * provide MSI in kits instead of raw binaries (microsoft#323) * Bump submodules/wil from `d784315` to `f1b694f` (microsoft#324) Bumps [submodules/wil](https://github.com/microsoft/wil) from `d784315` to `f1b694f`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@d784315...f1b694f) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * consistently use PascalCase for fields and variables in published API (microsoft#327) * Bump submodules/wil from `f1b694f` to `ae986e1` (microsoft#328) Bumps [submodules/wil](https://github.com/microsoft/wil) from `f1b694f` to `ae986e1`. - [Release notes](https://github.com/microsoft/wil/releases) - [Commits](microsoft/wil@f1b694f...ae986e1) --- updated-dependencies: - dependency-name: submodules/wil dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add minimal performance counters (microsoft#326) * Remove dependencies on msquic CI pool and use prerelease images instead (microsoft#330) * Actions: require all actions succeed (microsoft#332) * Remove OID_GEN_DRIVER_VERSION from test miniports (microsoft#334) * Enable developer builds of just one project (microsoft#335) * Refactor packet parsing into separate file and cross compile in user mode (microsoft#333) * try to start XDP 10x more times (microsoft#337) * Create packet fuzzer (microsoft#336) * specify config and arch during check-drivers.ps1 (microsoft#339) * improve eBPF uninstall timeout diagnostics (microsoft#340) * Move experimental (unsupported) APIs to separate headers (microsoft#342) * use consistent argument types in NDIS request poll helper (microsoft#343) * Add XDP, AF_XDP, and XDP driver docs in markdown (microsoft#344) * add link to AF_XDP documentation from readme (microsoft#347) * create test archive (microsoft#349) * add xdpcfg.exe to MSI (microsoft#348) * convert XSK buffer types from macro-based bit values to plain C bitfields (microsoft#346) * yml (microsoft#350) * fix devkit creation (microsoft#351) * bump minor release (microsoft#352) * bump patch number (microsoft#353) * Fix creation of release artifacts and revert version number (microsoft#354) * fix kit version numbering (microsoft#355) * Stamp the XDP version number onto the MSI file name (microsoft#357) * add a few more docs (microsoft#358) * onebranch build changes (1/x), (2/x) (microsoft#360) * Use warning level 4 by default (microsoft#359) * set CET flag (microsoft#362) * OneBranch Build Support (microsoft#361) * Fix Official OneBranch Pipeline (microsoft#364) * bump versions for 1.0 release (microsoft#365) * bump main version to 1.1 (microsoft#366) * bump main version to 1.0.1 * Update xdp.props * Fix and verify test execution outside of CI (microsoft#368) * Describe OneBranch authorizing the new branch to the release steps (microsoft#367) * Mention v1.0 in Release Docs (microsoft#369) * reduce artifacts in devkit (microsoft#372) * Updated Installation Instructions (microsoft#371) * Document updating aka.ms links (microsoft#374) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Michael Friesen <3517159+mtfriesen@users.noreply.github.com> Co-authored-by: cdammanintopix <63319198+cdammanintopix@users.noreply.github.com> Co-authored-by: Nick Banks <nibanks@microsoft.com> Co-authored-by: Yi Huang <huanyi@microsoft.com> Co-authored-by: Gianni Trevisiol <gtrevi@users.noreply.github.com>
IPv4 header is not always 20 bytes, as it can contain options (i.e. when HeaderLength > 5)