Re: [ovs-discuss] openvswitch-2.5.0, mcast-snooping patch isn't validating IP checksum

[my_ovs_discuss]

Thanks Cascardo.It is not only in IGMP code, even in bfd and tunnel modules 
also, it is probably required, the IP header checksum and even UDP checksum 
validations.
For now, I will add it in xlate_normal() under if (mcast_snooping_enabled() 
...) and drop bad IP header checksum packets.

-Thanks
 

      From: Thadeu Lima de Souza Cascardo <casca...@redhat.com>
 To: my_ovs_disc...@yahoo.com 
Cc: Discuss <discuss@openvswitch.org>
 Sent: Friday, October 28, 2016 1:50 AM
 Subject: Re: [ovs-discuss] openvswitch-2.5.0, mcast-snooping patch isn't 
validating IP checksum
   
On Fri, Oct 28, 2016 at 12:17:39AM +0000, my_ovs_disc...@yahoo.com wrote:
> Thanks Thadeu. 
> 
> If we have to fix it, where should we add the code to validate the IP header 
> checksum?
> -Thanks
>   

Deciding where to do it is part of the solution. I haven't put too much thought
on this yet. But I guess that once we decide in the code that we are snooping
and using the data, then we should check. As per RFC4541, we could either drop
them or flood them. I think dropping is fine if snooping is on.

Cascardo.

> 
>      From: Thadeu Lima de Souza Cascardo <casca...@redhat.com>
>  To: my_ovs_disc...@yahoo.com 
> Cc: Discuss <discuss@openvswitch.org>
>  Sent: Thursday, October 27, 2016 4:53 PM
>  Subject: Re: [ovs-discuss] openvswitch-2.5.0, mcast-snooping patch isn't 
>validating IP checksum
>    
> On Thu, Oct 27, 2016 at 10:10:19PM +0000, my_ovs_disc...@yahoo.com wrote:
> > Using openvswitch-2.5.0, user-space mode with Linux 2.6 based kernels.IGMP 
> > packets from NIC driver are handed over to Linux stack using netif_rx(). 
> > openvswitch is picking packets from net_device using netlink.
> > As this path bypasses Linux kernel's IP stack, Linux kernel isn't 
> > validating IP checksum.
> > Looks like, when packet enters vswitchd, it doesn't seem to validate IP 
> > header checksum for the IGMP packets and 
> > is directly delivering them to mcast-snoop module.
> > Is this a deliberate one to skip validating IP header checksum for IGMP 
> > packets in this scenario or I am missing something here.
> > -Thanks
> >  
> 
> That could be considered a bug. Thanks for the report.
> 
> Thadeu Cascardo.
> 
> 
>    


   
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss