xref: /linux/Documentation/networking/xfrm/xfrm_sync.rst (revision 03e23b18c720bdb628ccfbbb3faf4486c0413354)
.. SPDX-License-Identifier: GPL-2.0

=========
XFRM sync
=========

The sync patches work is based on initial patches from
Krisztian <hidden@balabit.hu> and others and additional patches
from Jamal <hadi@cyberus.ca>.

The end goal of syncing is to be able to insert attributes and generate
events so that an SA can be safely moved from one machine to another
for HA purposes.
The idea is to synchronize the SA so that the takeover machine can
process the SA as accurately as possible once it has access to it.

We already have the ability to generate SA add/del/upd events.
These patches add the ability to sync, with accurate values and minimal
loss at failover time, the lifetime byte counter (to ensure proper decay
of SAs) and the replay counters (to avoid replay attacks).
This way a backup stays as closely up to date as the active member.
A takeover machine whose inbound replay window is behind would accept
packets the active member had already seen; one whose outbound sequence
counter is behind would send sequence numbers the peer has already
accepted, which the peer's anti-replay window drops.

Because the above items change with every packet the SA processes,
a very large number of events could be generated.
For this reason we also add a Nagle-like algorithm to restrict
the events, i.e. we set thresholds that say "let me know if the replay
sequence threshold is reached or 10 secs have passed".
These thresholds are set system-wide via sysctls or can be updated
per SA.

The items that need to be synchronized are:

- the lifetime byte counter.

  Note that the lifetime time limit is not important if you assume the
  failover machine is known ahead of time, since the decay of the time
  countdown is not driven by packet arrival.

- the replay sequence numbers, for both inbound and outbound.

1) Message Structure
--------------------

nlmsghdr:aevent_id:optional-TLVs.

The netlink message types are:

XFRM_MSG_NEWAE and XFRM_MSG_GETAE.

An XFRM_MSG_GETAE does not have TLVs.

An XFRM_MSG_NEWAE will have at least two TLVs (as
discussed further below).

The aevent_id structure looks like::

   struct xfrm_aevent_id {
           struct xfrm_usersa_id           sa_id;
           xfrm_address_t                  saddr;
           __u32                           flags;
           __u32                           reqid;
   };

The unique SA is identified by the combination of xfrm_usersa_id
(destination address, SPI, protocol and address family), reqid and
saddr.

flags are used to indicate different things. The possible
flags are::

	XFRM_AE_RTHR=1, /* replay threshold*/
	XFRM_AE_RVAL=2, /* replay value */
	XFRM_AE_LVAL=4, /* lifetime value */
	XFRM_AE_ETHR=8, /* expiry timer threshold */
	XFRM_AE_CR=16, /* Event cause is replay update */
	XFRM_AE_CE=32, /* Event cause is timer expiry */
	XFRM_AE_CU=64, /* Event cause is policy update */

How these flags are used depends on the direction of the
message (kernel<->user) as well as the cause (config, query or event).
This is described below in the different messages.

The netlink pid is set to recognize the direction: 0 when the message
goes to the kernel, and the pid of the process that created the event
when going from kernel to user space.

A program needs to subscribe to the multicast group XFRMNLGRP_AEVENTS
to get notified of these events.
85b8a99520SJamal Hadi Salim
2) TLVs reflect the different parameters
----------------------------------------

a) byte value (XFRMA_LTIME_VAL)

   This TLV carries the running (current) lifetime counters of the SA as
   a struct xfrm_lifetime_cur: bytes, packets, add_time and use_time.
   These are the SA's cumulative totals at the time of the event, not
   increments since the last event.

b) replay value (XFRMA_REPLAY_VAL)

   This TLV carries the running (current) replay state of the SA as a
   struct xfrm_replay_state: the outbound sequence number (oseq), the
   inbound sequence number (seq) and the inbound window bitmap.
   An SA using extended sequence numbers (ESN) reports its replay state
   in XFRMA_REPLAY_ESN_VAL instead.

c) replay threshold (XFRMA_REPLAY_THRESH)

   This TLV carries the threshold (a packet count) used by the kernel to
   trigger an event when the replay sequence has advanced that far since
   the last event.

d) expiry timer (XFRMA_ETIMER_THRESH)

   This is a timer value in milliseconds which is used as the Nagle
   value to rate limit the events.

3) Default configurations for the parameters
--------------------------------------------

By default these events are turned off unless there is
at least one listener registered to listen to the multicast
group XFRMNLGRP_AEVENTS.

Programs installing SAs will need to specify the two thresholds; however,
in order not to change existing applications such as racoon,
we also provide default threshold values for these different parameters
in case they are not specified.

The two sysctls/proc entries are:

a) /proc/sys/net/core/xfrm_aevent_etime

   Used to provide the default value for XFRMA_ETIMER_THRESH in
   units of 100ms. The default is 10 (1 second).

b) /proc/sys/net/core/xfrm_aevent_rseqth

   Used to provide the default value for the XFRMA_REPLAY_THRESH parameter
   as a packet count. The default is two packets.

4) Message types
----------------

a) XFRM_MSG_GETAE issued by user-->kernel.
   XFRM_MSG_GETAE does not carry any TLVs.

   The response is an XFRM_MSG_NEWAE which is formatted based on what
   XFRM_MSG_GETAE queried for.

   The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.

     * if the XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved
     * if the XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved

b) XFRM_MSG_NEWAE is issued either by user space to configure,
   or by the kernel to announce events or respond to an XFRM_MSG_GETAE.

   i) user --> kernel to configure a specific SA.

      Any of the values or threshold parameters can be updated by passing the
      appropriate TLV. The request must carry at least one such TLV and
      must set NLM_F_REPLACE in the netlink header; the kernel rejects it
      otherwise.

      A response is issued back to the sender in user space to indicate success
      or failure (a netlink error message; success is only acknowledged if the
      request asked for it with NLM_F_ACK).

      In the case of success, additionally an event with
      XFRM_MSG_NEWAE is also issued to any listeners as described in iii).

   ii) kernel->user direction as a response to XFRM_MSG_GETAE

       The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.

       The threshold TLVs will be included if explicitly requested in
       the XFRM_MSG_GETAE message.

   iii) kernel->user to report an event if someone sets any values or
        thresholds for an SA using XFRM_MSG_NEWAE (as described in i) above).
        In such a case the XFRM_AE_CU flag is set to inform the user that
        the change happened as a result of an update.
        The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.

   iv) kernel->user to report an event when the replay threshold or the timeout
       is exceeded.

       In such a case either XFRM_AE_CR (replay exceeded) or XFRM_AE_CE (timeout
       happened) is set to inform the user what happened.
       Note the two flags are mutually exclusive.
       The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.

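The message layout of section 1 and the exchanges of section 4, as an added example in C. This is not code from the kernel tree: the helper names (build_aevent_hdr, add_attr, build_newae_thresholds, parse_newae, aevent_cause) and the struct aevent type are this example's own, and it assumes nothing beyond the Linux UAPI headers. It builds the two user->kernel requests (a GETAE that asks for both thresholds, and a NEWAE that sets them) and parses a kernel->user NEWAE, bounds-checking every TLV against nlmsg_len before reading it.

```c
/* Added example, not from the kernel tree: build the user->kernel aevent messages
 * of section 4 (XFRM_MSG_GETAE query, XFRM_MSG_NEWAE threshold update) and parse a
 * kernel->user XFRM_MSG_NEWAE reply or event. Helper names and struct aevent are this
 * example's own; it needs only the Linux UAPI headers. IPv4/ESP only, to keep it short. */
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

struct aevent {                            /* what a listener keeps from one NEWAE */
	uint32_t flags, seen;                  /* XFRM_AE_* bits; (1 << XFRMA_*) per TLV taken */
	struct xfrm_lifetime_cur cur;          /* XFRMA_LTIME_VAL: bytes, packets, add/use time */
	struct xfrm_replay_state replay;       /* XFRMA_REPLAY_VAL: oseq, seq, bitmap (non-ESN SA) */
	uint32_t replay_thresh, etimer_thresh; /* XFRMA_REPLAY_THRESH (packets), XFRMA_ETIMER_THRESH (ms) */
};

/* nlmsghdr + xfrm_aevent_id. The SA is keyed by daddr/spi/proto/family plus saddr and reqid. */
int build_aevent_hdr(struct nlmsghdr *nlh, size_t buflen, uint16_t type, uint16_t nlflags,
		     const char *daddr, const char *saddr, uint32_t spi, uint32_t reqid,
		     uint32_t aeflags)
{
	struct xfrm_aevent_id *id = NLMSG_DATA(nlh);

	if (buflen < NLMSG_SPACE(sizeof(*id)))
		return -1;
	memset(nlh, 0, NLMSG_SPACE(sizeof(*id)));
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*id));
	nlh->nlmsg_type = type;
	nlh->nlmsg_flags = nlflags;
	id->sa_id.spi = htonl(spi);
	id->sa_id.family = AF_INET;
	id->sa_id.proto = IPPROTO_ESP;
	id->reqid = reqid;
	id->flags = aeflags;
	return inet_pton(AF_INET, daddr, &id->sa_id.daddr.a4) == 1 &&
	       inet_pton(AF_INET, saddr, &id->saddr.a4) == 1 ? 0 : -1;
}

/* Append one TLV (struct nlattr + payload) at the current end of the message. */
int add_attr(struct nlmsghdr *nlh, size_t buflen, uint16_t type, const void *data, uint16_t len)
{
	size_t off = NLMSG_ALIGN(nlh->nlmsg_len);
	struct nlattr *nla = (struct nlattr *)((char *)nlh + off);

	if (off + NLA_HDRLEN + len > buflen)
		return -1;
	nla->nla_type = type;
	nla->nla_len = NLA_HDRLEN + len;
	memcpy(nla + 1, data, len);            /* NLA_HDRLEN == sizeof(struct nlattr) */
	nlh->nlmsg_len = off + NLA_ALIGN(nla->nla_len);
	return 0;
}

/* user -> kernel configure (4.b.i): per-SA replay threshold (packets) and event timer
 * (ms). The kernel's xfrm_new_ae() rejects the request unless NLM_F_REPLACE is set. */
int build_newae_thresholds(struct nlmsghdr *nlh, size_t buflen, const char *daddr,
			   const char *saddr, uint32_t spi, uint32_t reqid,
			   uint32_t rthr_pkts, uint32_t ethr_ms)
{
	if (build_aevent_hdr(nlh, buflen, XFRM_MSG_NEWAE, NLM_F_REQUEST | NLM_F_REPLACE | NLM_F_ACK,
			     daddr, saddr, spi, reqid, 0))
		return -1;
	return add_attr(nlh, buflen, XFRMA_REPLAY_THRESH, &rthr_pkts, sizeof rthr_pkts) ||
	       add_attr(nlh, buflen, XFRMA_ETIMER_THRESH, &ethr_ms, sizeof ethr_ms);
}

/* kernel -> user (4.b.ii-iv): walk the TLVs of a NEWAE reply or event. The caller has
 * already checked NLMSG_OK() against the byte count it received from the socket. */
int parse_newae(const struct nlmsghdr *nlh, struct aevent *ev)
{
	size_t off = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)));
	const struct { uint16_t t; void *dst; size_t n; } want[] = {
		{ XFRMA_LTIME_VAL, &ev->cur, sizeof ev->cur }, { XFRMA_REPLAY_VAL, &ev->replay, sizeof ev->replay },
		{ XFRMA_REPLAY_THRESH, &ev->replay_thresh, 4 }, { XFRMA_ETIMER_THRESH, &ev->etimer_thresh, 4 },
	};

	if (nlh->nlmsg_type != XFRM_MSG_NEWAE || nlh->nlmsg_len < off)
		return -1;
	memset(ev, 0, sizeof *ev);
	ev->flags = ((const struct xfrm_aevent_id *)NLMSG_DATA(nlh))->flags;
	while (off + NLA_HDRLEN <= nlh->nlmsg_len) {
		const struct nlattr *nla = (const struct nlattr *)((const char *)nlh + off);
		uint16_t type = nla->nla_type & NLA_TYPE_MASK;

		if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > nlh->nlmsg_len)
			return -1;                     /* truncated TLV: reject the whole message */
		for (size_t i = 0; i < 4; i++)         /* anything else (XFRMA_MARK, ESN state) is skipped */
			if (type == want[i].t && (size_t)(nla->nla_len - NLA_HDRLEN) >= want[i].n) {
				memcpy(want[i].dst, nla + 1, want[i].n);
				ev->seen |= 1u << type;
			}
		off += NLA_ALIGN(nla->nla_len);
	}
	return 0;
}

/* Why a kernel-originated NEWAE was sent; XFRM_AE_CR/CE/CU are mutually exclusive. */
const char *aevent_cause(uint32_t flags)
{
	return flags & XFRM_AE_CR ? "replay threshold" :
	       flags & XFRM_AE_CE ? "timer expiry" :
	       flags & XFRM_AE_CU ? "user update" : "query reply";
}
```

To use the helpers against a live kernel (CAP_NET_ADMIN is required), open a socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); a GETAE built with build_aevent_hdr(..., XFRM_MSG_GETAE, NLM_F_REQUEST, ..., XFRM_AE_RTHR | XFRM_AE_ETHR) is sent with sendto() to a struct sockaddr_nl with nl_pid 0 and answered on the same socket, where an NLMSG_ERROR instead of a NEWAE means the SA was not found. To receive the events of iii) and iv), join the group with setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &(int){XFRMNLGRP_AEVENTS}, sizeof(int)) and run every message that passes NLMSG_OK() through parse_newae(). parse_newae() only takes XFRMA_REPLAY_VAL; an ESN SA reports XFRMA_REPLAY_ESN_VAL, which it skips.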
181b8a99520SJamal Hadi Salim
1827276e7aeSBagas Sanjaya5) Exceptions to threshold settings
1837276e7aeSBagas Sanjaya-----------------------------------
184b8a99520SJamal Hadi Salim
185b8a99520SJamal Hadi SalimIf you have an SA that is getting hit by traffic in bursts such that
186b8a99520SJamal Hadi Salimthere is a period where the timer threshold expires with no packets
187b8a99520SJamal Hadi Salimseen, then an odd behavior is seen as follows:
188b8a99520SJamal Hadi SalimThe first packet arrival after a timer expiry will trigger a timeout
189edb9a1b8SEric Engestromevent; i.e we don't wait for a timeout period or a packet threshold
190b8a99520SJamal Hadi Salimto be reached. This is done for simplicity and efficiency reasons.
191b8a99520SJamal Hadi Salim
192b8a99520SJamal Hadi Salim-JHS
193