[virtio-dev] RE: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-02-08 Thread Parav Pandit
> From: Michael S. Tsirkin 
> Sent: Wednesday, February 8, 2023 9:09 AM

> > > header: it allow users inside the tunnel control queueing outside.
> > > By observing packet loss some information leaks between tunnels.
> > >
> > I likely didn't understand. Can you please explain?
> >
> > Queuing is always done on the inner header with/without encapsulation.
> > Hash is always reported for inner header.
> > It is only adding the ability to hash even when outer header exists.
> 
> 
> If hashing just on outer header (currently the only option) then a given tunnel
> all lands in a given queue.
> Just keep that queue separate and users of this tunnel can not learn whether
> other queues are overflowing, and can not overflow other queues.
> 
> 
> If you hash inner header then user can flood device with packets of a given
> connection and the same connection in a different tunnel hashes to the same
> queue. Now one tunnel can
> - cause DoS for another tunnel
> - cause packet loss or latency triggering possible security bugs within guest
> - detect that another tunnel is using the connection by
>   detecting its own packet loss or increased latency
> 
Yes. It can lead to the above issues.
Steering on inner is on best effort based sw implementations running on top of 
net device.
To avoid the above issues, a hierarchical model is needed.
I am not aware of any.
To my knowledge, usually those who care about the above issues end up using a different net 
device for each VNI and achieve the desired hierarchy.

> 
> > If queuing to be decided based on outer header (hash), then that is 
> > different.
> > Hashing both inner and outer in a flat q structure unlikely works, right?
> > Because both hashes can result in different q selection.
> 
> 
> That's the point.
> 
> Is there any precedent in OSes for configuring things like this that we can 
> look
> at?
> 
ethtool -N (not yet part of virtio) is the closest match that can steer based 
on inner and outer both, but it is not hierarchical, and it is orthogonal to 
this feature.

> 
> > >
> > > Ideas for solving this they all involve hashing both inner and outer
> > > header:
> > > 1- report two sets of hashes. overkill?
> > > 2- hash both headers together
> > > 2- add salt. can come from driver or device itself
> > >
> > > More ideas?
> > >
> > > --
> > > MST


-
To unsubscribe, e-mail: virtio-dev-unsubscr...@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-h...@lists.oasis-open.org
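
The queue collision discussed in this exchange, and the effect of hashing the outer header together with the inner one, as an added example that is not part of the thread, the patch or any device implementation. Assumptions: a flat set of 8 queues selected by hash modulo queue count (no indirection table), a sample 40-byte Toeplitz key, the 24-bit VNI placed before the inner 4-tuple in the hash input, and all function and struct names, which are hypothetical.

```c
/* Added illustration; not code from the thread, the patch, or any device. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_QUEUES 8u /* assumption: flat set of receive queues */

/* Sample 40-byte hash key, used only for this demo. */
static const uint8_t demo_key[40] = {
    0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2, 0x41, 0x67,
    0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0, 0xd0, 0xca, 0x2b, 0xcb,
    0xae, 0x7b, 0x30, 0xb4, 0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30,
    0xf2, 0x0c, 0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa
};

/* Inner TCP/IPv4 4-tuple as seen inside the tunnel (host byte order). */
struct inner_flow {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

/* Toeplitz hash: for every set input bit, XOR in the 32-bit key window
 * that starts at that bit position. */
static uint32_t toeplitz(const uint8_t *key, size_t key_len,
                         const uint8_t *data, size_t len)
{
    uint32_t window = ((uint32_t)key[0] << 24) | ((uint32_t)key[1] << 16) |
                      ((uint32_t)key[2] << 8) | key[3];
    uint32_t hash = 0;

    for (size_t i = 0; i < len; i++) {
        for (unsigned b = 0; b < 8; b++) {
            if (data[i] & (0x80u >> b))
                hash ^= window;
            window <<= 1; /* slide the window one key bit to the right */
            if (i + 4 < key_len && (key[i + 4] & (0x80u >> b)))
                window |= 1;
        }
    }
    return hash;
}

/* Append the low nbytes of v to out in network byte order. */
static size_t put_be(uint8_t *out, uint32_t v, size_t nbytes)
{
    for (size_t i = 0; i < nbytes; i++)
        out[i] = (uint8_t)(v >> (8 * (nbytes - 1 - i)));
    return nbytes;
}

/* mix_outer == 0: the hash input is the inner 4-tuple only.
 * mix_outer != 0: the 24-bit VNI from the outer header is hashed together
 * with it (hypothetical layout: VNI first, then the inner 4-tuple). */
static uint32_t flow_hash(uint32_t vni, const struct inner_flow *f, int mix_outer)
{
    uint8_t buf[3 + 12];
    size_t n = 0;

    if (mix_outer)
        n += put_be(buf + n, vni & 0xffffffu, 3);
    n += put_be(buf + n, f->src_ip, 4);
    n += put_be(buf + n, f->dst_ip, 4);
    n += put_be(buf + n, f->src_port, 2);
    n += put_be(buf + n, f->dst_port, 2);
    return toeplitz(demo_key, sizeof demo_key, buf, n);
}

/* Simplified queue selection: hash modulo the number of queues. */
static unsigned select_queue(uint32_t vni, const struct inner_flow *f, int mix_outer)
{
    return flow_hash(vni, f, mix_outer) % NUM_QUEUES;
}

/* Count tunnels in [first_vni, first_vni + count), other than victim_vni,
 * whose copy of flow f lands in the same queue as the victim tunnel's copy. */
static unsigned tunnels_sharing_queue(uint32_t victim_vni, uint32_t first_vni,
                                      unsigned count, const struct inner_flow *f,
                                      int mix_outer)
{
    unsigned victim_q = select_queue(victim_vni, f, mix_outer);
    unsigned shared = 0;

    for (uint32_t vni = first_vni; vni < first_vni + count; vni++)
        if (vni != victim_vni && select_queue(vni, f, mix_outer) == victim_q)
            shared++;
    return shared;
}

/* Constructed sample flow: 10.0.0.1:40000 -> 10.0.0.2:443 */
static const struct inner_flow sample_flow = { 0x0a000001u, 0x0a000002u, 40000, 443 };

int main(void)
{
    for (int mix = 0; mix <= 1; mix++)
        printf("%s: VNI 100 -> q%u, VNI 101 -> q%u, %u of 15 other tunnels share VNI 100's queue\n",
               mix ? "inner+outer" : "inner only ",
               select_queue(100, &sample_flow, mix),
               select_queue(101, &sample_flow, mix),
               tunnels_sharing_queue(100, 100, 16, &sample_flow, mix));
    return 0;
}
```

With inner-only hashing every tunnel carrying the same inner 4-tuple shares one queue; mixing in the VNI spreads those tunnels across queues but, in a flat queue structure, still leaves some of them sharing a queue by chance.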



[virtio-dev] Re: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-02-08 Thread Michael S. Tsirkin
On Wed, Feb 08, 2023 at 02:05:52PM +, Parav Pandit wrote:
> > From: Michael S. Tsirkin 
> > Sent: Wednesday, February 8, 2023 8:52 AM
> > 
> > On Wed, Feb 08, 2023 at 01:38:36PM +, Parav Pandit wrote:
> > >
> > > > From: Michael S. Tsirkin 
> > > > Sent: Wednesday, February 8, 2023 8:32 AM
> > > >
> > > > On Wed, Feb 08, 2023 at 05:18:32AM +, Parav Pandit wrote:
> > > > > > From: Heng Qi 
> > > > > > Sent: Tuesday, February 7, 2023 10:25 PM
> > > > >
> > > > > [..]
> > > > > > >>
> > > > > > >> Do you think we need both hash_types and hash_tunnel_types?
> > > > > > > In struct virtio_net_config we need two fields.
> > > > > > > a. supported_hash_types (already exists) b.
> > > > > > > supported_hash_tunnel_type
> > > > > > > -> bitmap indicating for which outer headers, inner hash
> > > > > > > -> calculation is
> > > > > > supported.
> > > > > >
> > > > > > Thanks for the suggestion, we seem to have reached an agreement.
> > > > > >
> > > > > > >
> > > > > > > In struct virtio_net_hdr we need two fields.
> > > > > > > a. hash_report (already exists) b. hash_tunnel_type 8 bits ->
> > > > > > > absolute value indicating which outer header
> > > > > > exists when inner header hash calculated.
> > > > > > > You already have it in your patch named as hash_report_tunnel.
> > > > > > > May be better to name as hash_report_tunnel_type to make it
> > > > > > > clearer that its
> > > > > > type.
> > > > > >
> > > > > > Sure.
> > > > > >
> > > > > > Thanks for your reply.
> > > > >
> > > > > I had one last question. Why do we need to inform the
> > > > hash_report_tunnel_type of the outer header in the virtio_net_hdr?
> > > > > Is this for debug? Or is there a use case that will process this 
> > > > > value?
> > > >
> > > > Well we have hash_report which is kind of similar (and also kind of
> > > > pointless but I think it's there because WHQL wants it).
> > > Hash_report is useful. It tells hash_value is in which namespace 
> > > (ipv4-tcp/ipv4
> > udp etc).
> > > OS can use this value to find tcp connection in a given namespace.
> > >
> > > > Maybe we can steal some bits
> > > > from there instead of a new field?
> > > >
> > > I do not have problem adding extra bits. I just don't find that just 
> > > telling that
> > its vxlan or nvgre to the OS is useful.
> > > If OS needs to know about outer header details, it needs to know the VNI
> > information than just telling vxlan.
> > 
> > This does make sense.
> > 
> > 
> > > >
> > > > I have a follow up question though: are we only hashing the inner
> > > > header or both inner and outer header? Somewhat confused on this.
> > > >
> > > I understood as inner header. But worth to describe it. May be there. 
> > > Need to
> > read v8 patch.
> > 
> > Hmm. I just realized that there's a security problem with hashing just the 
> > inner
> > header: it allow users inside the tunnel control queueing outside.
> > By observing packet loss some information leaks between tunnels.
> > 
> Ah I know now.
> We are leaking outer header information inside the virtio net hdr, and outer 
> header might be already stripped off by a different entity.
> 
> I think the use case here is it's the same sw entity that owns the virtio net 
> device does the encap/decap too.

No not exactly, we are leaking info between encap tunnels.

-- 
MST





[virtio-dev] Re: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-02-08 Thread Michael S. Tsirkin
On Wed, Feb 08, 2023 at 02:00:14PM +, Parav Pandit wrote:
> > From: Michael S. Tsirkin 
> > Sent: Wednesday, February 8, 2023 8:52 AM
> > 
> > On Wed, Feb 08, 2023 at 01:38:36PM +, Parav Pandit wrote:
> > >
> > > > From: Michael S. Tsirkin 
> > > > Sent: Wednesday, February 8, 2023 8:32 AM
> > > >
> > > > On Wed, Feb 08, 2023 at 05:18:32AM +, Parav Pandit wrote:
> > > > > > From: Heng Qi 
> > > > > > Sent: Tuesday, February 7, 2023 10:25 PM
> > > > >
> > > > > [..]
> > > > > > >>
> > > > > > >> Do you think we need both hash_types and hash_tunnel_types?
> > > > > > > In struct virtio_net_config we need two fields.
> > > > > > > a. supported_hash_types (already exists) b.
> > > > > > > supported_hash_tunnel_type
> > > > > > > -> bitmap indicating for which outer headers, inner hash
> > > > > > > -> calculation is
> > > > > > supported.
> > > > > >
> > > > > > Thanks for the suggestion, we seem to have reached an agreement.
> > > > > >
> > > > > > >
> > > > > > > In struct virtio_net_hdr we need two fields.
> > > > > > > a. hash_report (already exists) b. hash_tunnel_type 8 bits ->
> > > > > > > absolute value indicating which outer header
> > > > > > exists when inner header hash calculated.
> > > > > > > You already have it in your patch named as hash_report_tunnel.
> > > > > > > May be better to name as hash_report_tunnel_type to make it
> > > > > > > clearer that its
> > > > > > type.
> > > > > >
> > > > > > Sure.
> > > > > >
> > > > > > Thanks for your reply.
> > > > >
> > > > > I had one last question. Why do we need to inform the
> > > > hash_report_tunnel_type of the outer header in the virtio_net_hdr?
> > > > > Is this for debug? Or is there a use case that will process this 
> > > > > value?
> > > >
> > > > Well we have hash_report which is kind of similar (and also kind of
> > > > pointless but I think it's there because WHQL wants it).
> > > Hash_report is useful. It tells hash_value is in which namespace 
> > > (ipv4-tcp/ipv4
> > udp etc).
> > > OS can use this value to find tcp connection in a given namespace.
> > >
> > > > Maybe we can steal some bits
> > > > from there instead of a new field?
> > > >
> > > I do not have problem adding extra bits. I just don't find that just 
> > > telling that
> > its vxlan or nvgre to the OS is useful.
> > > If OS needs to know about outer header details, it needs to know the VNI
> > information than just telling vxlan.
> > 
> > This does make sense.
> > 
> > 
> > > >
> > > > I have a follow up question though: are we only hashing the inner
> > > > header or both inner and outer header? Somewhat confused on this.
> > > >
> > > I understood as inner header. But worth to describe it. May be there. 
> > > Need to
> > read v8 patch.
> > 
> > Hmm. I just realized that there's a security problem with hashing just the 
> > inner
> > header: it allow users inside the tunnel control queueing outside.
> > By observing packet loss some information leaks between tunnels.
> > 
> I likely didn't understand. Can you please explain?
> 
> Queuing is always done on the inner header with/without encapsulation.
> Hash is always reported for inner header.
> It is only adding the ability to hash even when outer header exists.


If hashing just on outer header (currently the only option) then
a given tunnel all lands in a given queue.
Just keep that queue separate and users of this tunnel can not
learn whether other queues are overflowing, and can not overflow
other queues.


If you hash inner header then user can flood device with
packets of a given connection and the same connection in a different
tunnel hashes to the same queue. Now one tunnel can
- cause DoS for another tunnel
- cause packet loss or latency triggering possible security bugs within guest
- detect that another tunnel is using the connection by
  detecting its own packet loss or increased latency




> If queuing to be decided based on outer header (hash), then that is different.
> Hashing both inner and outer in a flat q structure unlikely works, right?
> Because both hashes can result in different q selection.


That's the point.

Is there any precedent in OSes for configuring things like this
that we can look at?


> > 
> > Ideas for solving this they all involve hashing both inner and outer
> > header:
> > 1- report two sets of hashes. overkill?
> > 2- hash both headers together
> > 2- add salt. can come from driver or device itself
> > 
> > More ideas?
> > 
> > --
> > MST





[virtio-dev] RE: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-02-08 Thread Parav Pandit
> From: Michael S. Tsirkin 
> Sent: Wednesday, February 8, 2023 8:52 AM
> 
> On Wed, Feb 08, 2023 at 01:38:36PM +, Parav Pandit wrote:
> >
> > > From: Michael S. Tsirkin 
> > > Sent: Wednesday, February 8, 2023 8:32 AM
> > >
> > > On Wed, Feb 08, 2023 at 05:18:32AM +, Parav Pandit wrote:
> > > > > From: Heng Qi 
> > > > > Sent: Tuesday, February 7, 2023 10:25 PM
> > > >
> > > > [..]
> > > > > >>
> > > > > >> Do you think we need both hash_types and hash_tunnel_types?
> > > > > > In struct virtio_net_config we need two fields.
> > > > > > a. supported_hash_types (already exists) b.
> > > > > > supported_hash_tunnel_type
> > > > > > -> bitmap indicating for which outer headers, inner hash
> > > > > > -> calculation is
> > > > > supported.
> > > > >
> > > > > Thanks for the suggestion, we seem to have reached an agreement.
> > > > >
> > > > > >
> > > > > > In struct virtio_net_hdr we need two fields.
> > > > > > a. hash_report (already exists) b. hash_tunnel_type 8 bits ->
> > > > > > absolute value indicating which outer header
> > > > > exists when inner header hash calculated.
> > > > > > You already have it in your patch named as hash_report_tunnel.
> > > > > > May be better to name as hash_report_tunnel_type to make it
> > > > > > clearer that its
> > > > > type.
> > > > >
> > > > > Sure.
> > > > >
> > > > > Thanks for your reply.
> > > >
> > > > I had one last question. Why do we need to inform the
> > > hash_report_tunnel_type of the outer header in the virtio_net_hdr?
> > > > Is this for debug? Or is there a use case that will process this value?
> > >
> > > Well we have hash_report which is kind of similar (and also kind of
> > > pointless but I think it's there because WHQL wants it).
> > Hash_report is useful. It tells hash_value is in which namespace 
> > (ipv4-tcp/ipv4
> udp etc).
> > OS can use this value to find tcp connection in a given namespace.
> >
> > > Maybe we can steal some bits
> > > from there instead of a new field?
> > >
> > I do not have problem adding extra bits. I just don't find that just 
> > telling that
> its vxlan or nvgre to the OS is useful.
> > If OS needs to know about outer header details, it needs to know the VNI
> information than just telling vxlan.
> 
> This does make sense.
> 
> 
> > >
> > > I have a follow up question though: are we only hashing the inner
> > > header or both inner and outer header? Somewhat confused on this.
> > >
> > I understood as inner header. But worth to describe it. May be there. Need 
> > to
> read v8 patch.
> 
> Hmm. I just realized that there's a security problem with hashing just the 
> inner
> header: it allow users inside the tunnel control queueing outside.
> By observing packet loss some information leaks between tunnels.
> 
Ah I know now.
We are leaking outer header information inside the virtio net hdr, and outer 
header might be already stripped off by a different entity.

I think the use case here is it's the same sw entity that owns the virtio net 
device does the encap/decap too.





[virtio-dev] RE: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-02-08 Thread Parav Pandit
> From: Michael S. Tsirkin 
> Sent: Wednesday, February 8, 2023 8:52 AM
> 
> On Wed, Feb 08, 2023 at 01:38:36PM +, Parav Pandit wrote:
> >
> > > From: Michael S. Tsirkin 
> > > Sent: Wednesday, February 8, 2023 8:32 AM
> > >
> > > On Wed, Feb 08, 2023 at 05:18:32AM +, Parav Pandit wrote:
> > > > > From: Heng Qi 
> > > > > Sent: Tuesday, February 7, 2023 10:25 PM
> > > >
> > > > [..]
> > > > > >>
> > > > > >> Do you think we need both hash_types and hash_tunnel_types?
> > > > > > In struct virtio_net_config we need two fields.
> > > > > > a. supported_hash_types (already exists) b.
> > > > > > supported_hash_tunnel_type
> > > > > > -> bitmap indicating for which outer headers, inner hash
> > > > > > -> calculation is
> > > > > supported.
> > > > >
> > > > > Thanks for the suggestion, we seem to have reached an agreement.
> > > > >
> > > > > >
> > > > > > In struct virtio_net_hdr we need two fields.
> > > > > > a. hash_report (already exists) b. hash_tunnel_type 8 bits ->
> > > > > > absolute value indicating which outer header
> > > > > exists when inner header hash calculated.
> > > > > > You already have it in your patch named as hash_report_tunnel.
> > > > > > May be better to name as hash_report_tunnel_type to make it
> > > > > > clearer that its
> > > > > type.
> > > > >
> > > > > Sure.
> > > > >
> > > > > Thanks for your reply.
> > > >
> > > > I had one last question. Why do we need to inform the
> > > hash_report_tunnel_type of the outer header in the virtio_net_hdr?
> > > > Is this for debug? Or is there a use case that will process this value?
> > >
> > > Well we have hash_report which is kind of similar (and also kind of
> > > pointless but I think it's there because WHQL wants it).
> > Hash_report is useful. It tells hash_value is in which namespace 
> > (ipv4-tcp/ipv4
> udp etc).
> > OS can use this value to find tcp connection in a given namespace.
> >
> > > Maybe we can steal some bits
> > > from there instead of a new field?
> > >
> > I do not have problem adding extra bits. I just don't find that just 
> > telling that
> its vxlan or nvgre to the OS is useful.
> > If OS needs to know about outer header details, it needs to know the VNI
> information than just telling vxlan.
> 
> This does make sense.
> 
> 
> > >
> > > I have a follow up question though: are we only hashing the inner
> > > header or both inner and outer header? Somewhat confused on this.
> > >
> > I understood as inner header. But worth to describe it. May be there. Need 
> > to
> read v8 patch.
> 
> Hmm. I just realized that there's a security problem with hashing just the 
> inner
> header: it allow users inside the tunnel control queueing outside.
> By observing packet loss some information leaks between tunnels.
> 
I likely didn't understand. Can you please explain?

Queuing is always done on the inner header with/without encapsulation.
Hash is always reported for inner header.
It is only adding the ability to hash even when outer header exists.

If queuing is to be decided based on outer header (hash), then that is different.
Hashing both inner and outer in a flat q structure unlikely works, right?
Because both hashes can result in different q selection.

> 
> Ideas for solving this they all involve hashing both inner and outer
> header:
> 1- report two sets of hashes. overkill?
> 2- hash both headers together
> 2- add salt. can come from driver or device itself
> 
> More ideas?
> 
> --
> MST





[virtio-dev] Re: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-02-08 Thread Michael S. Tsirkin
On Wed, Feb 08, 2023 at 01:38:36PM +, Parav Pandit wrote:
> 
> > From: Michael S. Tsirkin 
> > Sent: Wednesday, February 8, 2023 8:32 AM
> > 
> > On Wed, Feb 08, 2023 at 05:18:32AM +, Parav Pandit wrote:
> > > > From: Heng Qi 
> > > > Sent: Tuesday, February 7, 2023 10:25 PM
> > >
> > > [..]
> > > > >>
> > > > >> Do you think we need both hash_types and hash_tunnel_types?
> > > > > In struct virtio_net_config we need two fields.
> > > > > a. supported_hash_types (already exists) b.
> > > > > supported_hash_tunnel_type
> > > > > -> bitmap indicating for which outer headers, inner hash
> > > > > -> calculation is
> > > > supported.
> > > >
> > > > Thanks for the suggestion, we seem to have reached an agreement.
> > > >
> > > > >
> > > > > In struct virtio_net_hdr we need two fields.
> > > > > a. hash_report (already exists)
> > > > > b. hash_tunnel_type 8 bits -> absolute value indicating which
> > > > > outer header
> > > > exists when inner header hash calculated.
> > > > > You already have it in your patch named as hash_report_tunnel.
> > > > > May be better to name as hash_report_tunnel_type to make it
> > > > > clearer that its
> > > > type.
> > > >
> > > > Sure.
> > > >
> > > > Thanks for your reply.
> > >
> > > I had one last question. Why do we need to inform the
> > hash_report_tunnel_type of the outer header in the virtio_net_hdr?
> > > Is this for debug? Or is there a use case that will process this value?
> > 
> > Well we have hash_report which is kind of similar (and also kind of 
> > pointless
> > but I think it's there because WHQL wants it). 
> Hash_report is useful. It tells hash_value is in which namespace 
> (ipv4-tcp/ipv4 udp etc).
> OS can use this value to find tcp connection in a given namespace.
> 
> > Maybe we can steal some bits
> > from there instead of a new field?
> >
> I do not have problem adding extra bits. I just don't find that just telling 
> that its vxlan or nvgre to the OS is useful.
> If OS needs to know about outer header details, it needs to know the VNI 
> information than just telling vxlan.

This does make sense.


> > 
> > I have a follow up question though: are we only hashing the inner header or
> > both inner and outer header? Somewhat confused on this.
> > 
> I understood as inner header. But worth to describe it. May be there. Need to 
> read v8 patch.

Hmm. I just realized that there's a security problem with hashing
just the inner header: it allows users inside the tunnel to control queueing outside.
By observing packet loss some information leaks between tunnels.


Ideas for solving this they all involve hashing both inner and outer
header:
1- report two sets of hashes. overkill?
2- hash both headers together
2- add salt. can come from driver or device itself

More ideas?

-- 
MST





[virtio-dev] RE: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-02-08 Thread Parav Pandit


> From: Michael S. Tsirkin 
> Sent: Wednesday, February 8, 2023 8:32 AM
> 
> On Wed, Feb 08, 2023 at 05:18:32AM +, Parav Pandit wrote:
> > > From: Heng Qi 
> > > Sent: Tuesday, February 7, 2023 10:25 PM
> >
> > [..]
> > > >>
> > > >> Do you think we need both hash_types and hash_tunnel_types?
> > > > In struct virtio_net_config we need two fields.
> > > > a. supported_hash_types (already exists) b.
> > > > supported_hash_tunnel_type
> > > > -> bitmap indicating for which outer headers, inner hash
> > > > -> calculation is
> > > supported.
> > >
> > > Thanks for the suggestion, we seem to have reached an agreement.
> > >
> > > >
> > > > In struct virtio_net_hdr we need two fields.
> > > > a. hash_report (already exists)
> > > > b. hash_tunnel_type 8 bits -> absolute value indicating which
> > > > outer header
> > > exists when inner header hash calculated.
> > > > You already have it in your patch named as hash_report_tunnel.
> > > > May be better to name as hash_report_tunnel_type to make it
> > > > clearer that its
> > > type.
> > >
> > > Sure.
> > >
> > > Thanks for your reply.
> >
> > I had one last question. Why do we need to inform the
> hash_report_tunnel_type of the outer header in the virtio_net_hdr?
> > Is this for debug? Or is there a use case that will process this value?
> 
> Well we have hash_report which is kind of similar (and also kind of pointless
> but I think it's there because WHQL wants it). 
Hash_report is useful. It tells hash_value is in which namespace (ipv4-tcp/ipv4 
udp etc).
OS can use this value to find tcp connection in a given namespace.

> Maybe we can steal some bits
> from there instead of a new field?
>
I do not have problem adding extra bits. I just don't find that just telling 
that it's vxlan or nvgre to the OS is useful.
If OS needs to know about outer header details, it needs to know the VNI 
information than just telling vxlan.
 
> 
> I have a follow up question though: are we only hashing the inner header or
> both inner and outer header? Somewhat confused on this.
> 
I understood as inner header. But worth to describe it. May be there. Need to 
read v8 patch.




[virtio-dev] Re: [virtio-comment] RE: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-02-08 Thread Michael S. Tsirkin
On Wed, Feb 08, 2023 at 05:18:32AM +, Parav Pandit wrote:
> > From: Heng Qi 
> > Sent: Tuesday, February 7, 2023 10:25 PM
> 
> [..]
> > >>
> > >> Do you think we need both hash_types and hash_tunnel_types?
> > > In struct virtio_net_config we need two fields.
> > > a. supported_hash_types (already exists) b. supported_hash_tunnel_type
> > > -> bitmap indicating for which outer headers, inner hash calculation is
> > supported.
> > 
> > Thanks for the suggestion, we seem to have reached an agreement.
> > 
> > >
> > > In struct virtio_net_hdr we need two fields.
> > > a. hash_report (already exists)
> > > b. hash_tunnel_type 8 bits -> absolute value indicating which outer header
> > exists when inner header hash calculated.
> > > You already have it in your patch named as hash_report_tunnel.
> > > May be better to name as hash_report_tunnel_type to make it clearer that 
> > > its
> > type.
> > 
> > Sure.
> > 
> > Thanks for your reply.
> 
> I had one last question. Why do we need to inform the hash_report_tunnel_type 
> of the outer header in the virtio_net_hdr?
> Is this for debug? Or is there a use case that will process this value?

Well we have hash_report which is kind of similar (and also kind of
pointless but I think it's there because WHQL wants it). Maybe we can steal
some bits from there instead of a new field?


I have a follow up question though: are we only hashing the inner header
or both inner and outer header? Somewhat confused on this.

In fact, CC Yuri for thoughts and suggestions from windows side of
things.

-- 
MST





[virtio-dev] Re: [virtio-comment] Re: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-01-11 Thread Michael S. Tsirkin
On Wed, Jan 11, 2023 at 12:45:06PM +0800, Jason Wang wrote:
> On Wed, Jan 11, 2023 at 11:23 AM Heng Qi  wrote:
> >
> >
> >
> > On 2023/1/10 3:26 PM, Heng Qi wrote:
> > > On Tue, Jan 10, 2023 at 12:57:38AM -0500, Michael S. Tsirkin wrote:
> > >> On Tue, Jan 10, 2023 at 12:25:02AM -0500, Michael S. Tsirkin wrote:
> >  This will give extra pressure on the management stack, e.g it requires
> >  the device to have an out of spec way for introspection.
> > 
> >  Thanks
> > >>> As I tried to explain this is already the case. Feature bits do not
> > >>> describe device capabilities fully, some of them are in config space.
> 
> Yes.
> 
> > >> To be precise, this does not necessarily require introspection, but
> > >> it does require management control over config space
> > >> such as supported hash types just like it has control over feature bits.
> > >> E.g. QEMU currently seems to hard-code these to
> > >> #define VIRTIO_NET_RSS_SUPPORTED_HASHES (VIRTIO_NET_RSS_HASH_TYPE_IPv4 | \
> > >>                                          VIRTIO_NET_RSS_HASH_TYPE_TCPv4 | \
> > >>                                          VIRTIO_NET_RSS_HASH_TYPE_UDPv4 | \
> > >>                                          VIRTIO_NET_RSS_HASH_TYPE_IPv6 | \
> > >>                                          VIRTIO_NET_RSS_HASH_TYPE_TCPv6 | \
> > >>                                          VIRTIO_NET_RSS_HASH_TYPE_UDPv6 | \
> > >>                                          VIRTIO_NET_RSS_HASH_TYPE_IP_EX | \
> > >>                                          VIRTIO_NET_RSS_HASH_TYPE_TCP_EX | \
> > >>                                          VIRTIO_NET_RSS_HASH_TYPE_UDP_EX)
> > >>
> > >> but there's no reason not to give management control over these.
> 
> Note that the management expects the migration compatibility to work
> with machine types. So it needs a way to disable some tunnel hash
> types to make it work for old machine types.

yes. 
This means qemu will need to create properties for these things
and control through machine type compatibility machinery.
For those not hacking qemu - "machine type" is
a string roughly describing a version of guest/host interface used.


> > > Yes, QEMU has requirements for live migration: the PCI config space will 
> > > be
> > > checked in get_pci_config_device(), and if src and dst are inconsistent, 
> > > it
> > > will prompt that the live migration failed.
> 
> It might be too late since it can't work for the second run (unlike 
> subsection).

This is really a low level detail of qemu. I'm not sure how important
this is for the spec.

> >
> > To be clearer, I mean \field{supported_hash_types} in structure
> > virtio_net_config.
> 
> Yes.
> 
> Thanks
> 
> >
> > Thanks.
> >
> > > In fact, this is also done within our group. Live migration requires that
> > > the two VMs have the same rss configuration, otherwise the migration will 
> > > fail.
> > >
> > > Therefore, it seems that we can regularize the description of 
> > > VIRTIO_NET_F_HASH_TUNNEL into
> > > "[VIRTIO_NET_F_HASH_TUNNEL(52)] Device supports inner header hash for 
> > > tunnel-encapsulated packets.",
> > > and use different hash_types to help the migration determine whether it 
> > > can succeed.
> > >
> > > Thanks.
> > >
> > >> --
> > >> MST
> > > This publicly archived list offers a means to provide input to the
> > > OASIS Virtual I/O Device (VIRTIO) TC.
> > >
> > > In order to verify user consent to the Feedback License terms and
> > > to minimize spam in the list archive, subscription is required
> > > before posting.
> > >
> > > Subscribe: virtio-comment-subscr...@lists.oasis-open.org
> > > Unsubscribe: virtio-comment-unsubscr...@lists.oasis-open.org
> > > List help: virtio-comment-h...@lists.oasis-open.org
> > > List archive: https://lists.oasis-open.org/archives/virtio-comment/
> > > Feedback License: https://www.oasis-open.org/who/ipr/feedback_license.pdf
> > > List Guidelines: 
> > > https://www.oasis-open.org/policies-guidelines/mailing-lists
> > > Committee: https://www.oasis-open.org/committees/virtio/
> > > Join OASIS: https://www.oasis-open.org/join/
> >





[virtio-dev] Re: [virtio-comment] Re: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-01-10 Thread Jason Wang
On Wed, Jan 11, 2023 at 11:23 AM Heng Qi  wrote:
>
>
>
> On 2023/1/10 3:26 PM, Heng Qi wrote:
> > On Tue, Jan 10, 2023 at 12:57:38AM -0500, Michael S. Tsirkin wrote:
> >> On Tue, Jan 10, 2023 at 12:25:02AM -0500, Michael S. Tsirkin wrote:
>  This will give extra pressure on the management stack, e.g it requires
>  the device to have an out of spec way for introspection.
> 
>  Thanks
> >>> As I tried to explain this is already the case. Feature bits do not
> >>> describe device capabilities fully, some of them are in config space.

Yes.

> >> To be precise, this does not necessarily require introspection, but
> >> it does require management control over config space
> >> such as supported hash types just like it has control over feature bits.
> >> E.g. QEMU currently seems to hard-code these to
> >> #define VIRTIO_NET_RSS_SUPPORTED_HASHES (VIRTIO_NET_RSS_HASH_TYPE_IPv4 | \
> >>                                          VIRTIO_NET_RSS_HASH_TYPE_TCPv4 | \
> >>                                          VIRTIO_NET_RSS_HASH_TYPE_UDPv4 | \
> >>                                          VIRTIO_NET_RSS_HASH_TYPE_IPv6 | \
> >>                                          VIRTIO_NET_RSS_HASH_TYPE_TCPv6 | \
> >>                                          VIRTIO_NET_RSS_HASH_TYPE_UDPv6 | \
> >>                                          VIRTIO_NET_RSS_HASH_TYPE_IP_EX | \
> >>                                          VIRTIO_NET_RSS_HASH_TYPE_TCP_EX | \
> >>                                          VIRTIO_NET_RSS_HASH_TYPE_UDP_EX)
> >>
> >> but there's no reason not to give management control over these.

Note that the management expects the migration compatibility to work
with machine types. So it needs a way to disable some tunnel hash
types to make it work for old machine types.

> > Yes, QEMU has requirements for live migration: the PCI config space will be
> > checked in get_pci_config_device(), and if src and dst are inconsistent, it
> > will prompt that the live migration failed.

It might be too late since it can't work for the second run (unlike subsection).

>
> To be clearer, I mean \field{supported_hash_types} in structure
> virtio_net_config.

Yes.

Thanks

>
> Thanks.
>
> > In fact, this is also done within our group. Live migration requires that
> > the two VMs have the same rss configuration, otherwise the migration will 
> > fail.
> >
> > Therefore, it seems that we can regularize the description of 
> > VIRTIO_NET_F_HASH_TUNNEL into
> > "[VIRTIO_NET_F_HASH_TUNNEL(52)] Device supports inner header hash for 
> > tunnel-encapsulated packets.",
> > and use different hash_types to help the migration determine whether it can 
> > succeed.
> >
> > Thanks.
> >
> >> --
> >> MST
> > This publicly archived list offers a means to provide input to the
> > OASIS Virtual I/O Device (VIRTIO) TC.
> >
> > In order to verify user consent to the Feedback License terms and
> > to minimize spam in the list archive, subscription is required
> > before posting.
> >
> > Subscribe: virtio-comment-subscr...@lists.oasis-open.org
> > Unsubscribe: virtio-comment-unsubscr...@lists.oasis-open.org
> > List help: virtio-comment-h...@lists.oasis-open.org
> > List archive: https://lists.oasis-open.org/archives/virtio-comment/
> > Feedback License: https://www.oasis-open.org/who/ipr/feedback_license.pdf
> > List Guidelines: 
> > https://www.oasis-open.org/policies-guidelines/mailing-lists
> > Committee: https://www.oasis-open.org/committees/virtio/
> > Join OASIS: https://www.oasis-open.org/join/
>


-
To unsubscribe, e-mail: virtio-dev-unsubscr...@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-h...@lists.oasis-open.org
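
An added illustration, not part of any message in this thread and not QEMU code: a small model of the point discussed above, that two devices can offer identical feature bits yet differ in supported_hash_types, and that a management-supplied mask makes them migration compatible. The struct, function names and the two EXAMPLE_HASH_TYPE_TUNNEL_* bits are hypothetical placeholders, not values from the spec or the patch.

```c
#include <stdint.h>
#include <stdio.h>

/* RSS hash type bits as defined in linux/virtio_net.h. */
enum {
    VIRTIO_NET_RSS_HASH_TYPE_IPv4   = 1u << 0,
    VIRTIO_NET_RSS_HASH_TYPE_TCPv4  = 1u << 1,
    VIRTIO_NET_RSS_HASH_TYPE_UDPv4  = 1u << 2,
    VIRTIO_NET_RSS_HASH_TYPE_IPv6   = 1u << 3,
    VIRTIO_NET_RSS_HASH_TYPE_TCPv6  = 1u << 4,
    VIRTIO_NET_RSS_HASH_TYPE_UDPv6  = 1u << 5,
    VIRTIO_NET_RSS_HASH_TYPE_IP_EX  = 1u << 6,
    VIRTIO_NET_RSS_HASH_TYPE_TCP_EX = 1u << 7,
    VIRTIO_NET_RSS_HASH_TYPE_UDP_EX = 1u << 8,
};
#define BASE_HASHES 0x1ffu                     /* OR of the nine types above */
#define EXAMPLE_HASH_TYPE_TUNNEL_A (1u << 30)  /* hypothetical placeholder bit */
#define EXAMPLE_HASH_TYPE_TUNNEL_B (1u << 31)  /* hypothetical placeholder bit */
#define VIRTIO_NET_F_HASH_TUNNEL 52            /* bit number quoted in the thread */

struct net_dev { uint64_t features; uint32_t supported_hash_types; };
enum mig_result { MIG_OK, MIG_FEATURES_DIFFER, MIG_HASH_TYPES_DIFFER };

/* Guest-visible device: backend capability limited by what management allows. */
static struct net_dev expose(uint64_t features, uint32_t hw_types, uint32_t allowed)
{
    struct net_dev d = { features, hw_types & allowed };
    return d;
}

/* Strict equality check; *diff receives the hash types that differ. */
static enum mig_result migration_check(struct net_dev src, struct net_dev dst,
                                       uint32_t *diff)
{
    *diff = src.supported_hash_types ^ dst.supported_hash_types;
    if (src.features != dst.features)
        return MIG_FEATURES_DIFFER;
    return *diff ? MIG_HASH_TYPES_DIFFER : MIG_OK;
}

int main(void)
{
    uint64_t f = 1ull << VIRTIO_NET_F_HASH_TUNNEL;   /* same feature bits on both */
    uint32_t src_hw = BASE_HASHES | EXAMPLE_HASH_TYPE_TUNNEL_A | EXAMPLE_HASH_TYPE_TUNNEL_B;
    uint32_t dst_hw = BASE_HASHES | EXAMPLE_HASH_TYPE_TUNNEL_A;
    uint32_t allowed = BASE_HASHES | EXAMPLE_HASH_TYPE_TUNNEL_A;  /* machine-type mask */
    uint32_t diff;
    int r = migration_check(expose(f, src_hw, ~0u), expose(f, dst_hw, ~0u), &diff);
    printf("no mask:   result=%d diff=0x%08x\n", r, (unsigned)diff);
    r = migration_check(expose(f, src_hw, allowed), expose(f, dst_hw, allowed), &diff);
    printf("with mask: result=%d diff=0x%08x\n", r, (unsigned)diff);
    return 0;
}
```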



[virtio-dev] Re: [virtio-comment] Re: [virtio-dev] Re: [virtio-comment] Re: [PATCH v7] virtio-net: support inner header hash

2023-01-10 Thread Heng Qi




On 2023/1/10 at 3:26 PM, Heng Qi wrote:

On Tue, Jan 10, 2023 at 12:57:38AM -0500, Michael S. Tsirkin wrote:

On Tue, Jan 10, 2023 at 12:25:02AM -0500, Michael S. Tsirkin wrote:

This will give extra pressure on the management stack, e.g. it requires
the device to have an out of spec way for introspection.

Thanks

As I tried to explain this is already the case. Feature bits do not
describe device capabilities fully, some of them are in config space.

To be precise, this does not necessarily require introspection, but
it does require management control over config space
such as supported hash types just like it has control over feature bits.
E.g. QEMU currently seems to hard-code these to
#define VIRTIO_NET_RSS_SUPPORTED_HASHES (VIRTIO_NET_RSS_HASH_TYPE_IPv4 | \
  VIRTIO_NET_RSS_HASH_TYPE_TCPv4 | \
  VIRTIO_NET_RSS_HASH_TYPE_UDPv4 | \
  VIRTIO_NET_RSS_HASH_TYPE_IPv6 | \
  VIRTIO_NET_RSS_HASH_TYPE_TCPv6 | \
  VIRTIO_NET_RSS_HASH_TYPE_UDPv6 | \
  VIRTIO_NET_RSS_HASH_TYPE_IP_EX | \
  VIRTIO_NET_RSS_HASH_TYPE_TCP_EX | \
  VIRTIO_NET_RSS_HASH_TYPE_UDP_EX)

but there's no reason not to give management control over these.

Yes, QEMU has requirements for live migration: the PCI config space will be
checked in get_pci_config_device(), and if src and dst are inconsistent, it
will prompt that the live migration failed.


To be clearer, I mean \field{supported_hash_types} in structure
virtio_net_config.


Thanks.


In fact, this is also done within our group. Live migration requires that
the two VMs have the same rss configuration, otherwise the migration will fail.

Therefore, it seems that we can regularize the description of 
VIRTIO_NET_F_HASH_TUNNEL into
"[VIRTIO_NET_F_HASH_TUNNEL(52)] Device supports inner header hash for 
tunnel-encapsulated packets.",
and use different hash_types to help the migration determine whether it can 
succeed.

Thanks.


--
MST
