2009-07-08 13:19:16 -07:00
|
|
|
|
/*
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
* Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
|
2009-07-08 13:19:16 -07:00
|
|
|
|
*
|
2009-06-15 15:11:30 -07:00
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
|
* You may obtain a copy of the License at:
|
2009-07-08 13:19:16 -07:00
|
|
|
|
*
|
2009-06-15 15:11:30 -07:00
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
*
|
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
|
* limitations under the License.
|
2009-07-08 13:19:16 -07:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
#include "learning-switch.h"
|
|
|
|
|
|
|
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
|
#include <inttypes.h>
|
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
|
#include <time.h>
|
|
|
|
|
|
|
2010-10-28 17:13:18 -07:00
|
|
|
|
#include "byte-order.h"
|
2010-11-10 14:51:49 -08:00
|
|
|
|
#include "classifier.h"
|
2015-02-22 03:21:09 -08:00
|
|
|
|
#include "dp-packet.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include "flow.h"
|
2010-10-01 13:41:40 -07:00
|
|
|
|
#include "hmap.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include "mac-learning.h"
|
|
|
|
|
|
#include "ofpbuf.h"
|
2012-07-03 22:17:14 -07:00
|
|
|
|
#include "ofp-actions.h"
|
2012-01-12 15:48:19 -08:00
|
|
|
|
#include "ofp-errors.h"
|
2012-07-19 23:23:17 -07:00
|
|
|
|
#include "ofp-msgs.h"
|
2010-07-28 15:18:14 -07:00
|
|
|
|
#include "ofp-parse.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include "ofp-print.h"
|
2010-05-27 13:14:05 -07:00
|
|
|
|
#include "ofp-util.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include "openflow/openflow.h"
|
|
|
|
|
|
#include "poll-loop.h"
|
|
|
|
|
|
#include "rconn.h"
|
2010-10-01 13:41:40 -07:00
|
|
|
|
#include "shash.h"
|
2012-05-22 10:32:02 -07:00
|
|
|
|
#include "simap.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include "timeval.h"
|
2014-12-15 14:10:38 +01:00
|
|
|
|
#include "openvswitch/vconn.h"
|
2014-12-15 14:10:38 +01:00
|
|
|
|
#include "openvswitch/vlog.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2010-10-19 14:47:01 -07:00
|
|
|
|
VLOG_DEFINE_THIS_MODULE(learning_switch);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2010-10-01 13:41:40 -07:00
|
|
|
|
struct lswitch_port {
|
|
|
|
|
|
struct hmap_node hmap_node; /* Hash node for port number. */
|
2013-06-19 16:58:44 -07:00
|
|
|
|
ofp_port_t port_no; /* OpenFlow port number. */
|
2010-10-01 13:41:40 -07:00
|
|
|
|
uint32_t queue_id; /* OpenFlow queue number. */
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2012-08-07 10:38:35 -07:00
|
|
|
|
enum lswitch_state {
|
|
|
|
|
|
S_CONNECTING, /* Waiting for connection to complete. */
|
|
|
|
|
|
S_FEATURES_REPLY, /* Waiting for features reply. */
|
|
|
|
|
|
S_SWITCHING, /* Switching flows. */
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2009-07-08 13:19:16 -07:00
|
|
|
|
struct lswitch {
|
2012-07-24 16:15:37 -07:00
|
|
|
|
struct rconn *rconn;
|
2012-08-07 10:38:35 -07:00
|
|
|
|
enum lswitch_state state;
|
2012-07-24 16:15:37 -07:00
|
|
|
|
|
2009-07-08 13:19:16 -07:00
|
|
|
|
/* If nonnegative, the switch sets up flows that expire after the given
|
|
|
|
|
|
* number of seconds (or never expire, if the value is OFP_FLOW_PERMANENT).
|
|
|
|
|
|
* Otherwise, the switch processes every packet. */
|
|
|
|
|
|
int max_idle;
|
|
|
|
|
|
|
2012-07-03 22:17:14 -07:00
|
|
|
|
enum ofputil_protocol protocol;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
unsigned long long int datapath_id;
|
|
|
|
|
|
struct mac_learning *ml; /* NULL to act as hub instead of switch. */
|
2010-11-10 14:51:49 -08:00
|
|
|
|
struct flow_wildcards wc; /* Wildcards to apply to flows. */
|
2009-11-19 12:48:32 -08:00
|
|
|
|
bool action_normal; /* Use OFPP_NORMAL? */
|
2010-10-01 13:41:40 -07:00
|
|
|
|
|
|
|
|
|
|
/* Queue distribution. */
|
|
|
|
|
|
uint32_t default_queue; /* Default OpenFlow queue, or UINT32_MAX. */
|
|
|
|
|
|
struct hmap queue_numbers; /* Map from port number to lswitch_port. */
|
|
|
|
|
|
struct shash queue_names; /* Map from port name to lswitch_port. */
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
|
|
|
|
|
/* Number of outgoing queued packets on the rconn. */
|
|
|
|
|
|
struct rconn_packet_counter *queued;
|
2012-07-24 16:15:37 -07:00
|
|
|
|
|
|
|
|
|
|
/* If true, do not reply to any messages from the switch (for debugging
|
|
|
|
|
|
* fail-open mode). */
|
|
|
|
|
|
bool mute;
|
2012-08-07 10:38:35 -07:00
|
|
|
|
|
|
|
|
|
|
/* Optional "flow mod" requests to send to the switch at connection time,
|
|
|
|
|
|
* to set up the flow table. */
|
|
|
|
|
|
const struct ofputil_flow_mod *default_flows;
|
|
|
|
|
|
size_t n_default_flows;
|
2013-08-20 18:41:45 -07:00
|
|
|
|
enum ofputil_protocol usable_protocols;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/* The log messages here could actually be useful in debugging, so keep the
|
|
|
|
|
|
* rate limit relatively high. */
|
|
|
|
|
|
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(30, 300);
|
|
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
static void queue_tx(struct lswitch *, struct ofpbuf *);
|
|
|
|
|
|
static void send_features_request(struct lswitch *);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
static void lswitch_process_packet(struct lswitch *, const struct ofpbuf *);
|
2012-02-15 16:33:04 -08:00
|
|
|
|
static enum ofperr process_switch_features(struct lswitch *,
|
2012-07-19 23:23:17 -07:00
|
|
|
|
struct ofp_header *);
|
2012-07-24 16:15:37 -07:00
|
|
|
|
static void process_packet_in(struct lswitch *, const struct ofp_header *);
|
|
|
|
|
|
static void process_echo_request(struct lswitch *, const struct ofp_header *);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
static ofp_port_t get_mac_entry_ofp_port(const struct mac_learning *ml,
|
|
|
|
|
|
const struct mac_entry *)
|
|
|
|
|
|
OVS_REQ_RDLOCK(ml->rwlock);
|
|
|
|
|
|
static void set_mac_entry_ofp_port(struct mac_learning *ml,
|
|
|
|
|
|
struct mac_entry *, ofp_port_t)
|
|
|
|
|
|
OVS_REQ_WRLOCK(ml->rwlock);
|
|
|
|
|
|
|
2010-09-23 14:12:09 -07:00
|
|
|
|
/* Creates and returns a new learning switch whose configuration is given by
|
|
|
|
|
|
* 'cfg'.
|
2010-07-28 15:18:14 -07:00
|
|
|
|
*
|
2009-07-08 13:19:16 -07:00
|
|
|
|
* 'rconn' is used to send out an OpenFlow features request. */
|
|
|
|
|
|
struct lswitch *
|
2010-09-23 14:12:09 -07:00
|
|
|
|
lswitch_create(struct rconn *rconn, const struct lswitch_config *cfg)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
|
|
|
|
|
struct lswitch *sw;
|
2012-08-07 11:30:46 -07:00
|
|
|
|
uint32_t ofpfw;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2009-09-28 13:56:42 -07:00
|
|
|
|
sw = xzalloc(sizeof *sw);
|
2012-07-24 16:15:37 -07:00
|
|
|
|
sw->rconn = rconn;
|
2012-08-07 10:38:35 -07:00
|
|
|
|
sw->state = S_CONNECTING;
|
2010-09-23 14:12:09 -07:00
|
|
|
|
sw->max_idle = cfg->max_idle;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
sw->datapath_id = 0;
|
2012-02-01 15:04:51 -08:00
|
|
|
|
sw->ml = (cfg->mode == LSW_LEARN
|
|
|
|
|
|
? mac_learning_create(MAC_ENTRY_DEFAULT_IDLE_TIME)
|
|
|
|
|
|
: NULL);
|
2010-09-23 14:12:09 -07:00
|
|
|
|
sw->action_normal = cfg->mode == LSW_NORMAL;
|
2010-11-10 14:51:49 -08:00
|
|
|
|
|
2012-08-07 11:30:46 -07:00
|
|
|
|
switch (cfg->wildcards) {
|
|
|
|
|
|
case 0:
|
|
|
|
|
|
ofpfw = 0;
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case UINT32_MAX:
|
|
|
|
|
|
/* Try to wildcard as many fields as possible, but we cannot
|
|
|
|
|
|
* wildcard all fields. We need in_port to detect moves. We need
|
|
|
|
|
|
* Ethernet source and dest and VLAN VID to do L2 learning. */
|
|
|
|
|
|
ofpfw = (OFPFW10_DL_TYPE | OFPFW10_DL_VLAN_PCP
|
|
|
|
|
|
| OFPFW10_NW_SRC_ALL | OFPFW10_NW_DST_ALL
|
|
|
|
|
|
| OFPFW10_NW_TOS | OFPFW10_NW_PROTO
|
|
|
|
|
|
| OFPFW10_TP_SRC | OFPFW10_TP_DST);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
|
ofpfw = cfg->wildcards;
|
|
|
|
|
|
break;
|
2010-07-15 16:20:37 -07:00
|
|
|
|
}
|
2012-08-07 11:30:46 -07:00
|
|
|
|
ofputil_wildcard_from_ofpfw10(ofpfw, &sw->wc);
|
2010-10-01 13:41:40 -07:00
|
|
|
|
|
|
|
|
|
|
sw->default_queue = cfg->default_queue;
|
|
|
|
|
|
hmap_init(&sw->queue_numbers);
|
|
|
|
|
|
shash_init(&sw->queue_names);
|
|
|
|
|
|
if (cfg->port_queues) {
|
2012-05-22 10:32:02 -07:00
|
|
|
|
struct simap_node *node;
|
2010-10-01 13:41:40 -07:00
|
|
|
|
|
2012-05-22 10:32:02 -07:00
|
|
|
|
SIMAP_FOR_EACH (node, cfg->port_queues) {
|
2010-10-01 13:41:40 -07:00
|
|
|
|
struct lswitch_port *port = xmalloc(sizeof *port);
|
|
|
|
|
|
hmap_node_nullify(&port->hmap_node);
|
2012-05-22 10:32:02 -07:00
|
|
|
|
port->queue_id = node->data;
|
2010-10-01 13:41:40 -07:00
|
|
|
|
shash_add(&sw->queue_names, node->name, port);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-08-07 10:38:35 -07:00
|
|
|
|
sw->default_flows = cfg->default_flows;
|
|
|
|
|
|
sw->n_default_flows = cfg->n_default_flows;
|
2013-08-20 18:41:45 -07:00
|
|
|
|
sw->usable_protocols = cfg->usable_protocols;
|
2012-08-07 10:38:35 -07:00
|
|
|
|
|
2009-07-08 13:19:16 -07:00
|
|
|
|
sw->queued = rconn_packet_counter_create();
|
2012-08-07 10:38:35 -07:00
|
|
|
|
|
|
|
|
|
|
return sw;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
|
lswitch_handshake(struct lswitch *sw)
|
|
|
|
|
|
{
|
|
|
|
|
|
enum ofputil_protocol protocol;
|
2014-07-16 13:28:40 -07:00
|
|
|
|
enum ofp_version version;
|
2012-08-07 10:38:35 -07:00
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
send_features_request(sw);
|
2010-09-23 14:08:13 -07:00
|
|
|
|
|
2014-07-16 13:28:40 -07:00
|
|
|
|
version = rconn_get_version(sw->rconn);
|
|
|
|
|
|
protocol = ofputil_protocol_from_ofp_version(version);
|
|
|
|
|
|
if (version >= OFP13_VERSION) {
|
|
|
|
|
|
/* OpenFlow 1.3 and later by default drop packets that miss in the flow
|
|
|
|
|
|
* table. Set up a flow to send packets to the controller by
|
|
|
|
|
|
* default. */
|
|
|
|
|
|
struct ofputil_flow_mod fm;
|
|
|
|
|
|
struct ofpact_output output;
|
|
|
|
|
|
struct ofpbuf *msg;
|
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
|
|
ofpact_init_OUTPUT(&output);
|
|
|
|
|
|
output.port = OFPP_CONTROLLER;
|
|
|
|
|
|
output.max_len = OFP_DEFAULT_MISS_SEND_LEN;
|
|
|
|
|
|
|
|
|
|
|
|
match_init_catchall(&fm.match);
|
|
|
|
|
|
fm.priority = 0;
|
|
|
|
|
|
fm.cookie = 0;
|
|
|
|
|
|
fm.cookie_mask = 0;
|
|
|
|
|
|
fm.new_cookie = 0;
|
|
|
|
|
|
fm.modify_cookie = false;
|
|
|
|
|
|
fm.table_id = 0;
|
|
|
|
|
|
fm.command = OFPFC_ADD;
|
|
|
|
|
|
fm.idle_timeout = 0;
|
|
|
|
|
|
fm.hard_timeout = 0;
|
2014-11-07 18:18:48 +05:30
|
|
|
|
fm.importance = 0;
|
2014-07-16 13:28:40 -07:00
|
|
|
|
fm.buffer_id = UINT32_MAX;
|
|
|
|
|
|
fm.out_port = OFPP_NONE;
|
|
|
|
|
|
fm.out_group = OFPG_ANY;
|
|
|
|
|
|
fm.flags = 0;
|
|
|
|
|
|
fm.ofpacts = &output.ofpact;
|
|
|
|
|
|
fm.ofpacts_len = sizeof output;
|
|
|
|
|
|
fm.delete_reason = 0;
|
|
|
|
|
|
|
|
|
|
|
|
msg = ofputil_encode_flow_mod(&fm, protocol);
|
|
|
|
|
|
error = rconn_send(sw->rconn, msg, NULL);
|
|
|
|
|
|
if (error) {
|
|
|
|
|
|
VLOG_INFO_RL(&rl, "%s: failed to add default flow (%s)",
|
|
|
|
|
|
rconn_get_name(sw->rconn), ovs_strerror(error));
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2012-08-07 10:38:35 -07:00
|
|
|
|
if (sw->default_flows) {
|
2012-02-10 13:30:23 -08:00
|
|
|
|
struct ofpbuf *msg = NULL;
|
|
|
|
|
|
int error = 0;
|
|
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
|
|
|
|
/* If the initial protocol isn't good enough for default_flows, then
|
|
|
|
|
|
* pick one that will work and encode messages to set up that
|
|
|
|
|
|
* protocol.
|
|
|
|
|
|
*
|
|
|
|
|
|
* This could be improved by actually negotiating a mutually acceptable
|
|
|
|
|
|
* flow format with the switch, but that would require an asynchronous
|
|
|
|
|
|
* state machine. This version ought to work fine in practice. */
|
2013-08-20 18:41:45 -07:00
|
|
|
|
if (!(protocol & sw->usable_protocols)) {
|
|
|
|
|
|
enum ofputil_protocol want = rightmost_1bit(sw->usable_protocols);
|
2012-02-10 13:30:23 -08:00
|
|
|
|
while (!error) {
|
|
|
|
|
|
msg = ofputil_encode_set_protocol(protocol, want, &protocol);
|
|
|
|
|
|
if (!msg) {
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
2012-08-07 10:38:35 -07:00
|
|
|
|
error = rconn_send(sw->rconn, msg, NULL);
|
2011-06-01 10:53:53 -07:00
|
|
|
|
}
|
2010-12-06 10:03:31 -08:00
|
|
|
|
}
|
2013-08-20 18:41:45 -07:00
|
|
|
|
if (protocol & sw->usable_protocols) {
|
2012-11-15 22:09:07 -08:00
|
|
|
|
for (i = 0; !error && i < sw->n_default_flows; i++) {
|
|
|
|
|
|
msg = ofputil_encode_flow_mod(&sw->default_flows[i], protocol);
|
|
|
|
|
|
error = rconn_send(sw->rconn, msg, NULL);
|
|
|
|
|
|
}
|
2012-02-10 13:30:23 -08:00
|
|
|
|
|
2012-11-15 22:09:07 -08:00
|
|
|
|
if (error) {
|
|
|
|
|
|
VLOG_INFO_RL(&rl, "%s: failed to queue default flows (%s)",
|
2013-06-24 10:54:49 -07:00
|
|
|
|
rconn_get_name(sw->rconn), ovs_strerror(error));
|
2012-11-15 22:09:07 -08:00
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
VLOG_INFO_RL(&rl, "%s: failed to set usable protocol",
|
|
|
|
|
|
rconn_get_name(sw->rconn));
|
2012-02-10 13:30:23 -08:00
|
|
|
|
}
|
2010-12-06 10:03:31 -08:00
|
|
|
|
}
|
2012-07-03 22:17:14 -07:00
|
|
|
|
sw->protocol = protocol;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
bool
|
|
|
|
|
|
lswitch_is_alive(const struct lswitch *sw)
|
|
|
|
|
|
{
|
|
|
|
|
|
return rconn_is_alive(sw->rconn);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2009-07-08 13:19:16 -07:00
|
|
|
|
/* Destroys 'sw'. */
|
|
|
|
|
|
void
|
|
|
|
|
|
lswitch_destroy(struct lswitch *sw)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (sw) {
|
2010-10-01 13:41:40 -07:00
|
|
|
|
struct lswitch_port *node, *next;
|
|
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
rconn_destroy(sw->rconn);
|
2010-10-01 13:41:40 -07:00
|
|
|
|
HMAP_FOR_EACH_SAFE (node, next, hmap_node, &sw->queue_numbers) {
|
|
|
|
|
|
hmap_remove(&sw->queue_numbers, &node->hmap_node);
|
|
|
|
|
|
free(node);
|
|
|
|
|
|
}
|
|
|
|
|
|
shash_destroy(&sw->queue_names);
|
2013-06-18 19:41:51 -07:00
|
|
|
|
mac_learning_unref(sw->ml);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
rconn_packet_counter_destroy(sw->queued);
|
|
|
|
|
|
free(sw);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Takes care of necessary 'sw' activity, except for receiving packets (which
|
|
|
|
|
|
* the caller must do). */
|
|
|
|
|
|
void
|
2010-08-11 17:24:13 -07:00
|
|
|
|
lswitch_run(struct lswitch *sw)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
2012-07-24 16:15:37 -07:00
|
|
|
|
int i;
|
|
|
|
|
|
|
2009-07-08 13:19:16 -07:00
|
|
|
|
if (sw->ml) {
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_wrlock(&sw->ml->rwlock);
|
2013-08-01 18:04:07 -07:00
|
|
|
|
mac_learning_run(sw->ml);
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
2012-07-24 16:15:37 -07:00
|
|
|
|
|
|
|
|
|
|
rconn_run(sw->rconn);
|
|
|
|
|
|
|
2012-08-07 10:38:35 -07:00
|
|
|
|
if (sw->state == S_CONNECTING) {
|
|
|
|
|
|
if (rconn_get_version(sw->rconn) != -1) {
|
|
|
|
|
|
lswitch_handshake(sw);
|
|
|
|
|
|
sw->state = S_FEATURES_REPLY;
|
|
|
|
|
|
}
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
for (i = 0; i < 50; i++) {
|
|
|
|
|
|
struct ofpbuf *msg;
|
|
|
|
|
|
|
|
|
|
|
|
msg = rconn_recv(sw->rconn);
|
|
|
|
|
|
if (!msg) {
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (!sw->mute) {
|
|
|
|
|
|
lswitch_process_packet(sw, msg);
|
|
|
|
|
|
}
|
|
|
|
|
|
ofpbuf_delete(msg);
|
|
|
|
|
|
}
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
lswitch_wait(struct lswitch *sw)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (sw->ml) {
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_rdlock(&sw->ml->rwlock);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
mac_learning_wait(sw->ml);
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
2012-08-07 10:38:35 -07:00
|
|
|
|
rconn_run_wait(sw->rconn);
|
2012-07-24 16:15:37 -07:00
|
|
|
|
rconn_recv_wait(sw->rconn);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Processes 'msg', which should be an OpenFlow received on 'rconn', according
|
|
|
|
|
|
* to the learning switch state in 'sw'. The most likely result of processing
|
|
|
|
|
|
* is that flow-setup and packet-out OpenFlow messages will be sent out on
|
|
|
|
|
|
* 'rconn'. */
|
2012-07-24 16:15:37 -07:00
|
|
|
|
static void
|
|
|
|
|
|
lswitch_process_packet(struct lswitch *sw, const struct ofpbuf *msg)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
2012-07-19 23:23:17 -07:00
|
|
|
|
enum ofptype type;
|
|
|
|
|
|
struct ofpbuf b;
|
|
|
|
|
|
|
|
|
|
|
|
b = *msg;
|
|
|
|
|
|
if (ofptype_pull(&type, &b)) {
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
2010-12-06 10:20:20 -08:00
|
|
|
|
|
2012-08-07 10:38:35 -07:00
|
|
|
|
if (sw->state == S_FEATURES_REPLY
|
2012-07-19 23:23:17 -07:00
|
|
|
|
&& type != OFPTYPE_ECHO_REQUEST
|
|
|
|
|
|
&& type != OFPTYPE_FEATURES_REPLY) {
|
2009-07-08 13:19:16 -07:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-19 23:23:17 -07:00
|
|
|
|
switch (type) {
|
|
|
|
|
|
case OFPTYPE_ECHO_REQUEST:
|
2014-03-30 01:31:50 -07:00
|
|
|
|
process_echo_request(sw, ofpbuf_data(msg));
|
2010-12-06 10:20:20 -08:00
|
|
|
|
break;
|
|
|
|
|
|
|
2012-07-19 23:23:17 -07:00
|
|
|
|
case OFPTYPE_FEATURES_REPLY:
|
2012-08-07 10:38:35 -07:00
|
|
|
|
if (sw->state == S_FEATURES_REPLY) {
|
2014-03-30 01:31:50 -07:00
|
|
|
|
if (!process_switch_features(sw, ofpbuf_data(msg))) {
|
2012-08-07 10:38:35 -07:00
|
|
|
|
sw->state = S_SWITCHING;
|
|
|
|
|
|
} else {
|
|
|
|
|
|
rconn_disconnect(sw->rconn);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2010-12-06 10:20:20 -08:00
|
|
|
|
break;
|
|
|
|
|
|
|
2012-07-19 23:23:17 -07:00
|
|
|
|
case OFPTYPE_PACKET_IN:
|
2014-03-30 01:31:50 -07:00
|
|
|
|
process_packet_in(sw, ofpbuf_data(msg));
|
2010-12-06 10:20:20 -08:00
|
|
|
|
break;
|
|
|
|
|
|
|
2012-07-19 23:23:17 -07:00
|
|
|
|
case OFPTYPE_FLOW_REMOVED:
|
2010-12-06 10:20:20 -08:00
|
|
|
|
/* Nothing to do. */
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
2012-07-19 23:23:17 -07:00
|
|
|
|
case OFPTYPE_HELLO:
|
|
|
|
|
|
case OFPTYPE_ERROR:
|
|
|
|
|
|
case OFPTYPE_ECHO_REPLY:
|
|
|
|
|
|
case OFPTYPE_FEATURES_REQUEST:
|
|
|
|
|
|
case OFPTYPE_GET_CONFIG_REQUEST:
|
|
|
|
|
|
case OFPTYPE_GET_CONFIG_REPLY:
|
|
|
|
|
|
case OFPTYPE_SET_CONFIG:
|
|
|
|
|
|
case OFPTYPE_PORT_STATUS:
|
|
|
|
|
|
case OFPTYPE_PACKET_OUT:
|
|
|
|
|
|
case OFPTYPE_FLOW_MOD:
|
2013-09-01 18:30:17 -07:00
|
|
|
|
case OFPTYPE_GROUP_MOD:
|
2012-07-19 23:23:17 -07:00
|
|
|
|
case OFPTYPE_PORT_MOD:
|
2013-09-07 03:02:32 -07:00
|
|
|
|
case OFPTYPE_TABLE_MOD:
|
2012-07-19 23:23:17 -07:00
|
|
|
|
case OFPTYPE_BARRIER_REQUEST:
|
|
|
|
|
|
case OFPTYPE_BARRIER_REPLY:
|
2012-12-07 15:48:21 +02:00
|
|
|
|
case OFPTYPE_QUEUE_GET_CONFIG_REQUEST:
|
|
|
|
|
|
case OFPTYPE_QUEUE_GET_CONFIG_REPLY:
|
2012-07-19 23:23:17 -07:00
|
|
|
|
case OFPTYPE_DESC_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_DESC_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_FLOW_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_FLOW_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_AGGREGATE_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_AGGREGATE_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_TABLE_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_TABLE_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_PORT_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_PORT_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_QUEUE_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_QUEUE_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_PORT_DESC_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_PORT_DESC_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_ROLE_REQUEST:
|
|
|
|
|
|
case OFPTYPE_ROLE_REPLY:
|
2013-10-22 11:40:02 +03:00
|
|
|
|
case OFPTYPE_ROLE_STATUS:
|
2012-07-19 23:23:17 -07:00
|
|
|
|
case OFPTYPE_SET_FLOW_FORMAT:
|
|
|
|
|
|
case OFPTYPE_FLOW_MOD_TABLE_ID:
|
|
|
|
|
|
case OFPTYPE_SET_PACKET_IN_FORMAT:
|
|
|
|
|
|
case OFPTYPE_FLOW_AGE:
|
|
|
|
|
|
case OFPTYPE_SET_CONTROLLER_ID:
|
|
|
|
|
|
case OFPTYPE_FLOW_MONITOR_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_FLOW_MONITOR_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_FLOW_MONITOR_CANCEL:
|
|
|
|
|
|
case OFPTYPE_FLOW_MONITOR_PAUSED:
|
|
|
|
|
|
case OFPTYPE_FLOW_MONITOR_RESUMED:
|
2012-11-27 17:44:22 +02:00
|
|
|
|
case OFPTYPE_GET_ASYNC_REQUEST:
|
|
|
|
|
|
case OFPTYPE_GET_ASYNC_REPLY:
|
|
|
|
|
|
case OFPTYPE_SET_ASYNC_CONFIG:
|
|
|
|
|
|
case OFPTYPE_METER_MOD:
|
2013-06-28 13:41:53 -07:00
|
|
|
|
case OFPTYPE_GROUP_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_GROUP_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_GROUP_DESC_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_GROUP_DESC_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_GROUP_FEATURES_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_GROUP_FEATURES_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_METER_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_METER_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_METER_CONFIG_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_METER_CONFIG_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_METER_FEATURES_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_METER_FEATURES_STATS_REPLY:
|
|
|
|
|
|
case OFPTYPE_TABLE_FEATURES_STATS_REQUEST:
|
|
|
|
|
|
case OFPTYPE_TABLE_FEATURES_STATS_REPLY:
|
2014-05-02 09:54:27 +03:00
|
|
|
|
case OFPTYPE_BUNDLE_CONTROL:
|
|
|
|
|
|
case OFPTYPE_BUNDLE_ADD_MESSAGE:
|
2010-12-06 10:20:20 -08:00
|
|
|
|
default:
|
|
|
|
|
|
if (VLOG_IS_DBG_ENABLED()) {
|
2014-03-30 01:31:50 -07:00
|
|
|
|
char *s = ofp_to_string(ofpbuf_data(msg), ofpbuf_size(msg), 2);
|
2010-12-06 10:20:20 -08:00
|
|
|
|
VLOG_DBG_RL(&rl, "%016llx: OpenFlow packet ignored: %s",
|
|
|
|
|
|
sw->datapath_id, s);
|
|
|
|
|
|
free(s);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
�
|
|
|
|
|
|
static void
|
2012-07-24 16:15:37 -07:00
|
|
|
|
send_features_request(struct lswitch *sw)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
2012-08-07 10:38:35 -07:00
|
|
|
|
struct ofpbuf *b;
|
|
|
|
|
|
struct ofp_switch_config *osc;
|
|
|
|
|
|
int ofp_version = rconn_get_version(sw->rconn);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2012-11-06 13:14:55 -08:00
|
|
|
|
ovs_assert(ofp_version > 0 && ofp_version < 0xff);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2012-08-07 10:38:35 -07:00
|
|
|
|
/* Send OFPT_FEATURES_REQUEST. */
|
|
|
|
|
|
b = ofpraw_alloc(OFPRAW_OFPT_FEATURES_REQUEST, ofp_version, 0);
|
|
|
|
|
|
queue_tx(sw, b);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2012-08-07 10:38:35 -07:00
|
|
|
|
/* Send OFPT_SET_CONFIG. */
|
|
|
|
|
|
b = ofpraw_alloc(OFPRAW_OFPT_SET_CONFIG, ofp_version, sizeof *osc);
|
|
|
|
|
|
osc = ofpbuf_put_zeros(b, sizeof *osc);
|
|
|
|
|
|
osc->miss_send_len = htons(OFP_DEFAULT_MISS_SEND_LEN);
|
|
|
|
|
|
queue_tx(sw, b);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2012-07-24 16:15:37 -07:00
|
|
|
|
queue_tx(struct lswitch *sw, struct ofpbuf *b)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
2012-07-24 16:15:37 -07:00
|
|
|
|
int retval = rconn_send_with_limit(sw->rconn, b, sw->queued, 10);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
if (retval && retval != ENOTCONN) {
|
|
|
|
|
|
if (retval == EAGAIN) {
|
2009-11-13 13:21:13 -08:00
|
|
|
|
VLOG_INFO_RL(&rl, "%016llx: %s: tx queue overflow",
|
2012-07-24 16:15:37 -07:00
|
|
|
|
sw->datapath_id, rconn_get_name(sw->rconn));
|
2009-07-08 13:19:16 -07:00
|
|
|
|
} else {
|
2009-11-13 13:21:13 -08:00
|
|
|
|
VLOG_WARN_RL(&rl, "%016llx: %s: send: %s",
|
2012-07-24 16:15:37 -07:00
|
|
|
|
sw->datapath_id, rconn_get_name(sw->rconn),
|
2013-06-24 10:54:49 -07:00
|
|
|
|
ovs_strerror(retval));
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-02-15 16:33:04 -08:00
|
|
|
|
static enum ofperr
|
2012-07-19 23:23:17 -07:00
|
|
|
|
process_switch_features(struct lswitch *sw, struct ofp_header *oh)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
2012-02-15 16:33:04 -08:00
|
|
|
|
struct ofputil_switch_features features;
|
|
|
|
|
|
struct ofputil_phy_port port;
|
|
|
|
|
|
enum ofperr error;
|
|
|
|
|
|
struct ofpbuf b;
|
|
|
|
|
|
|
2012-07-19 23:23:17 -07:00
|
|
|
|
error = ofputil_decode_switch_features(oh, &features, &b);
|
2012-02-15 16:33:04 -08:00
|
|
|
|
if (error) {
|
|
|
|
|
|
VLOG_ERR("received invalid switch feature reply (%s)",
|
|
|
|
|
|
ofperr_to_string(error));
|
|
|
|
|
|
return error;
|
|
|
|
|
|
}
|
2010-10-01 13:41:40 -07:00
|
|
|
|
|
2012-02-15 16:33:04 -08:00
|
|
|
|
sw->datapath_id = features.datapath_id;
|
2010-10-01 13:41:40 -07:00
|
|
|
|
|
2012-07-19 23:23:17 -07:00
|
|
|
|
while (!ofputil_pull_phy_port(oh->version, &b, &port)) {
|
2012-02-15 16:33:04 -08:00
|
|
|
|
struct lswitch_port *lp = shash_find_data(&sw->queue_names, port.name);
|
2010-10-01 13:41:40 -07:00
|
|
|
|
if (lp && hmap_node_is_null(&lp->hmap_node)) {
|
2012-02-15 16:33:04 -08:00
|
|
|
|
lp->port_no = port.port_no;
|
2010-10-01 13:41:40 -07:00
|
|
|
|
hmap_insert(&sw->queue_numbers, &lp->hmap_node,
|
2013-06-22 10:33:27 -07:00
|
|
|
|
hash_ofp_port(lp->port_no));
|
2010-10-01 13:41:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2012-02-15 16:33:04 -08:00
|
|
|
|
return 0;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-06-19 16:58:44 -07:00
|
|
|
|
static ofp_port_t
|
2010-09-03 11:30:02 -07:00
|
|
|
|
lswitch_choose_destination(struct lswitch *sw, const struct flow *flow)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
2013-06-19 16:58:44 -07:00
|
|
|
|
ofp_port_t out_port;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
/* Learn the source MAC. */
|
2013-10-08 23:52:40 +08:00
|
|
|
|
if (sw->ml) {
|
|
|
|
|
|
ovs_rwlock_wrlock(&sw->ml->rwlock);
|
|
|
|
|
|
if (mac_learning_may_learn(sw->ml, flow->dl_src, 0)) {
|
|
|
|
|
|
struct mac_entry *mac = mac_learning_insert(sw->ml, flow->dl_src,
|
|
|
|
|
|
0);
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
if (get_mac_entry_ofp_port(sw->ml, mac)
|
|
|
|
|
|
!= flow->in_port.ofp_port) {
|
2013-10-08 23:52:40 +08:00
|
|
|
|
VLOG_DBG_RL(&rl, "%016llx: learned that "ETH_ADDR_FMT" is on "
|
|
|
|
|
|
"port %"PRIu16, sw->datapath_id,
|
|
|
|
|
|
ETH_ADDR_ARGS(flow->dl_src),
|
|
|
|
|
|
flow->in_port.ofp_port);
|
|
|
|
|
|
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
set_mac_entry_ofp_port(sw->ml, mac, flow->in_port.ofp_port);
|
2013-10-08 23:52:40 +08:00
|
|
|
|
}
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
2013-10-08 23:52:40 +08:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
2010-07-15 16:02:46 -07:00
|
|
|
|
/* Drop frames for reserved multicast addresses. */
|
2010-07-20 11:10:45 -07:00
|
|
|
|
if (eth_addr_is_reserved(flow->dl_dst)) {
|
|
|
|
|
|
return OFPP_NONE;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
out_port = OFPP_FLOOD;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
if (sw->ml) {
|
2011-03-22 09:47:02 -07:00
|
|
|
|
struct mac_entry *mac;
|
|
|
|
|
|
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_rdlock(&sw->ml->rwlock);
|
2013-08-01 18:04:07 -07:00
|
|
|
|
mac = mac_learning_lookup(sw->ml, flow->dl_dst, 0);
|
2011-03-22 09:47:02 -07:00
|
|
|
|
if (mac) {
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
out_port = get_mac_entry_ofp_port(sw->ml, mac);
|
2013-06-19 16:58:44 -07:00
|
|
|
|
if (out_port == flow->in_port.ofp_port) {
|
2010-07-20 11:10:45 -07:00
|
|
|
|
/* Don't send a packet back out its input port. */
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2010-07-20 11:10:45 -07:00
|
|
|
|
return OFPP_NONE;
|
|
|
|
|
|
}
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
/* Check if we need to use "NORMAL" action. */
|
|
|
|
|
|
if (sw->action_normal && out_port != OFPP_FLOOD) {
|
|
|
|
|
|
return OFPP_NORMAL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return out_port;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2010-10-01 13:41:40 -07:00
|
|
|
|
static uint32_t
|
2013-06-19 16:58:44 -07:00
|
|
|
|
get_queue_id(const struct lswitch *sw, ofp_port_t in_port)
|
2010-10-01 13:41:40 -07:00
|
|
|
|
{
|
|
|
|
|
|
const struct lswitch_port *port;
|
|
|
|
|
|
|
2013-06-22 10:33:27 -07:00
|
|
|
|
HMAP_FOR_EACH_WITH_HASH (port, hmap_node, hash_ofp_port(in_port),
|
2010-10-01 13:41:40 -07:00
|
|
|
|
&sw->queue_numbers) {
|
|
|
|
|
|
if (port->port_no == in_port) {
|
|
|
|
|
|
return port->queue_id;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return sw->default_queue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
static void
|
2012-07-24 16:15:37 -07:00
|
|
|
|
process_packet_in(struct lswitch *sw, const struct ofp_header *oh)
|
2010-07-20 11:10:45 -07:00
|
|
|
|
{
|
2012-07-03 22:17:14 -07:00
|
|
|
|
struct ofputil_packet_in pi;
|
2010-10-01 13:41:40 -07:00
|
|
|
|
uint32_t queue_id;
|
2013-06-19 16:58:44 -07:00
|
|
|
|
ofp_port_t out_port;
|
2010-07-20 11:10:45 -07:00
|
|
|
|
|
2012-07-03 22:17:14 -07:00
|
|
|
|
uint64_t ofpacts_stub[64 / 8];
|
|
|
|
|
|
struct ofpbuf ofpacts;
|
2010-07-20 11:18:24 -07:00
|
|
|
|
|
2012-02-06 14:17:49 -08:00
|
|
|
|
struct ofputil_packet_out po;
|
2012-07-03 22:17:14 -07:00
|
|
|
|
enum ofperr error;
|
2012-02-06 14:17:49 -08:00
|
|
|
|
|
2015-02-22 03:21:09 -08:00
|
|
|
|
struct dp_packet pkt;
|
2010-09-03 11:30:02 -07:00
|
|
|
|
struct flow flow;
|
2010-07-20 11:10:45 -07:00
|
|
|
|
|
2012-07-03 22:17:14 -07:00
|
|
|
|
error = ofputil_decode_packet_in(&pi, oh);
|
|
|
|
|
|
if (error) {
|
|
|
|
|
|
VLOG_WARN_RL(&rl, "failed to decode packet-in: %s",
|
|
|
|
|
|
ofperr_to_string(error));
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2010-08-10 11:23:02 -07:00
|
|
|
|
/* Ignore packets sent via output to OFPP_CONTROLLER. This library never
|
|
|
|
|
|
* uses such an action. You never know what experiments might be going on,
|
|
|
|
|
|
* though, and it seems best not to interfere with them. */
|
2012-07-03 22:17:14 -07:00
|
|
|
|
if (pi.reason != OFPR_NO_MATCH) {
|
2010-08-10 11:23:02 -07:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
/* Extract flow data from 'opi' into 'flow'. */
|
2015-02-22 03:21:09 -08:00
|
|
|
|
dp_packet_use_const(&pkt, pi.packet, pi.packet_len);
|
|
|
|
|
|
flow_extract(&pkt, &flow);
|
2014-02-26 18:08:04 -08:00
|
|
|
|
flow.in_port.ofp_port = pi.fmd.in_port;
|
2012-09-13 20:11:08 -07:00
|
|
|
|
flow.tunnel.tun_id = pi.fmd.tun_id;
|
2010-07-20 11:10:45 -07:00
|
|
|
|
|
|
|
|
|
|
/* Choose output port. */
|
|
|
|
|
|
out_port = lswitch_choose_destination(sw, &flow);
|
|
|
|
|
|
|
2010-07-20 11:18:24 -07:00
|
|
|
|
/* Make actions. */
|
2012-07-03 22:17:14 -07:00
|
|
|
|
queue_id = get_queue_id(sw, pi.fmd.in_port);
|
|
|
|
|
|
ofpbuf_use_stack(&ofpacts, ofpacts_stub, sizeof ofpacts_stub);
|
2010-07-20 11:18:24 -07:00
|
|
|
|
if (out_port == OFPP_NONE) {
|
2012-07-03 22:17:14 -07:00
|
|
|
|
/* No actions. */
|
2013-06-19 16:58:44 -07:00
|
|
|
|
} else if (queue_id == UINT32_MAX
|
|
|
|
|
|
|| ofp_to_u16(out_port) >= ofp_to_u16(OFPP_MAX)) {
|
2012-07-03 22:17:14 -07:00
|
|
|
|
ofpact_put_OUTPUT(&ofpacts)->port = out_port;
|
2010-07-20 11:18:24 -07:00
|
|
|
|
} else {
|
2012-07-03 22:17:14 -07:00
|
|
|
|
struct ofpact_enqueue *enqueue = ofpact_put_ENQUEUE(&ofpacts);
|
|
|
|
|
|
enqueue->port = out_port;
|
|
|
|
|
|
enqueue->queue = queue_id;
|
2010-07-20 11:18:24 -07:00
|
|
|
|
}
|
2012-07-03 22:17:14 -07:00
|
|
|
|
ofpact_pad(&ofpacts);
|
2010-07-20 11:18:24 -07:00
|
|
|
|
|
2012-02-06 14:17:49 -08:00
|
|
|
|
/* Prepare packet_out in case we need one. */
|
2012-07-03 22:17:14 -07:00
|
|
|
|
po.buffer_id = pi.buffer_id;
|
2012-02-06 14:17:49 -08:00
|
|
|
|
if (po.buffer_id == UINT32_MAX) {
|
2015-02-22 03:21:09 -08:00
|
|
|
|
po.packet = dp_packet_data(&pkt);
|
|
|
|
|
|
po.packet_len = dp_packet_size(&pkt);
|
2012-02-06 14:17:49 -08:00
|
|
|
|
} else {
|
|
|
|
|
|
po.packet = NULL;
|
|
|
|
|
|
po.packet_len = 0;
|
|
|
|
|
|
}
|
2012-07-03 22:17:14 -07:00
|
|
|
|
po.in_port = pi.fmd.in_port;
|
2014-03-30 01:31:50 -07:00
|
|
|
|
po.ofpacts = ofpbuf_data(&ofpacts);
|
|
|
|
|
|
po.ofpacts_len = ofpbuf_size(&ofpacts);
|
2012-02-06 14:17:49 -08:00
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
/* Send the packet, and possibly the whole flow, to the output port. */
|
|
|
|
|
|
if (sw->max_idle >= 0 && (!sw->ml || out_port != OFPP_FLOOD)) {
|
2012-07-03 22:17:14 -07:00
|
|
|
|
struct ofputil_flow_mod fm;
|
2009-11-19 12:48:32 -08:00
|
|
|
|
struct ofpbuf *buffer;
|
|
|
|
|
|
|
2009-07-08 13:19:16 -07:00
|
|
|
|
/* The output port is known, or we always flood everything, so add a
|
|
|
|
|
|
* new flow. */
|
2012-07-03 22:17:14 -07:00
|
|
|
|
memset(&fm, 0, sizeof fm);
|
2012-08-07 15:28:18 -07:00
|
|
|
|
match_init(&fm.match, &flow, &sw->wc);
|
|
|
|
|
|
ofputil_normalize_match_quiet(&fm.match);
|
2014-10-31 13:46:43 -07:00
|
|
|
|
fm.priority = 1; /* Must be > 0 because of table-miss flow entry. */
|
2012-07-03 22:17:14 -07:00
|
|
|
|
fm.table_id = 0xff;
|
|
|
|
|
|
fm.command = OFPFC_ADD;
|
|
|
|
|
|
fm.idle_timeout = sw->max_idle;
|
|
|
|
|
|
fm.buffer_id = pi.buffer_id;
|
|
|
|
|
|
fm.out_port = OFPP_NONE;
|
2014-03-30 01:31:50 -07:00
|
|
|
|
fm.ofpacts = ofpbuf_data(&ofpacts);
|
|
|
|
|
|
fm.ofpacts_len = ofpbuf_size(&ofpacts);
|
2012-07-03 22:17:14 -07:00
|
|
|
|
buffer = ofputil_encode_flow_mod(&fm, sw->protocol);
|
|
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
queue_tx(sw, buffer);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
|
|
|
|
|
/* If the switch didn't buffer the packet, we need to send a copy. */
|
2012-07-03 22:17:14 -07:00
|
|
|
|
if (pi.buffer_id == UINT32_MAX && out_port != OFPP_NONE) {
|
2012-08-08 12:19:57 +09:00
|
|
|
|
queue_tx(sw, ofputil_encode_packet_out(&po, sw->protocol));
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
/* We don't know that MAC, or we don't set up flows. Send along the
|
|
|
|
|
|
* packet without setting up a flow. */
|
2012-07-03 22:17:14 -07:00
|
|
|
|
if (pi.buffer_id != UINT32_MAX || out_port != OFPP_NONE) {
|
2012-08-08 12:19:57 +09:00
|
|
|
|
queue_tx(sw, ofputil_encode_packet_out(&po, sw->protocol));
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2012-07-24 16:15:37 -07:00
|
|
|
|
process_echo_request(struct lswitch *sw, const struct ofp_header *rq)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
2012-07-24 16:15:37 -07:00
|
|
|
|
queue_tx(sw, make_echo_reply(rq));
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
|
|
|
|
|
|
static ofp_port_t
|
|
|
|
|
|
get_mac_entry_ofp_port(const struct mac_learning *ml,
|
|
|
|
|
|
const struct mac_entry *e)
|
|
|
|
|
|
OVS_REQ_RDLOCK(ml->rwlock)
|
|
|
|
|
|
{
|
|
|
|
|
|
void *port = mac_entry_get_port(ml, e);
|
|
|
|
|
|
return (OVS_FORCE ofp_port_t) (uintptr_t) port;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
|
set_mac_entry_ofp_port(struct mac_learning *ml,
|
|
|
|
|
|
struct mac_entry *e, ofp_port_t ofp_port)
|
|
|
|
|
|
OVS_REQ_WRLOCK(ml->rwlock)
|
|
|
|
|
|
{
|
|
|
|
|
|
mac_entry_set_port(ml, e, (void *) (OVS_FORCE uintptr_t) ofp_port);
|
|
|
|
|
|
}
|
