.. SPDX-License-Identifier: GPL-2.0

====
XFRM
====

The sync patches work is based on initial patches from
Krisztian <hidden@balabit.hu> and others and additional patches
from Jamal <hadi@cyberus.ca>.

The end goal of syncing is to be able to insert attributes and generate
events so that an SA can be safely moved from one machine to another
for HA purposes.
The idea is to synchronize the SA so that the takeover machine can
process the SA as accurately as possible once it has access to it.

We already have the ability to generate SA add/del/upd events.
These patches add the ability to sync the lifetime byte counter (to
ensure proper decay of SAs) and the replay counters (to avoid replay
attacks) accurately, with minimal loss at failover time.
This way a backup stays as closely up-to-date as the active member.

Because the above items change for every packet the SA handles,
a lot of events could be generated.
For this reason, we also add a Nagle-like algorithm to restrict
the events, i.e. we set thresholds to say "let me know if the replay
sequence threshold is reached or 10 secs have passed".
These thresholds are set system-wide via sysctls or can be updated
per SA. Between two events the backup therefore lags the active member
by at most the replay threshold or one timer period; that lag is the
loss accepted at failover.

The identified items that need to be synchronized are:

- the lifetime byte counter
  (note that the lifetime time limit is not important if you assume the
  failover machine is known ahead of time, since the decay of the time
  countdown is not driven by packet arrival)
- the replay sequence for both inbound and outbound

1) Message Structure
----------------------

nlmsghdr:aevent_id:optional-TLVs.

The netlink message types are:

XFRM_MSG_NEWAE and XFRM_MSG_GETAE.

A XFRM_MSG_GETAE does not have TLVs.

A XFRM_MSG_NEWAE will have at least two TLVs (as is
discussed further below).

The aevent_id structure looks like::

   struct xfrm_aevent_id {
             struct xfrm_usersa_id           sa_id;
             xfrm_address_t                  saddr;
             __u32                           flags;
             __u32                           reqid;
   };

The unique SA is identified by the combination of xfrm_usersa_id
(daddr, spi, family and proto), reqid and saddr.

The flags field is used to indicate different things. The possible
flags (enum xfrm_ae_ftype_t in include/uapi/linux/xfrm.h) are::

        XFRM_AE_RTHR=1, /* replay threshold*/
        XFRM_AE_RVAL=2, /* replay value */
        XFRM_AE_LVAL=4, /* lifetime value */
        XFRM_AE_ETHR=8, /* expiry timer threshold */
        XFRM_AE_CR=16, /* Event cause is replay update */
        XFRM_AE_CE=32, /* Event cause is timer expiry */
        XFRM_AE_CU=64, /* Event cause is policy update */

How these flags are used depends on the direction of the
message (kernel<->user) as well as the cause (config, query or event).
This is described below in the different messages.

The netlink pid (nlmsg_pid) identifies the direction: it is 0 when the
message goes to the kernel, and the port id of the process that created
the event when the message goes from the kernel to user space.

A program needs to subscribe to the multicast group XFRMNLGRP_AEVENTS
to get notified of these events.

2) TLVs reflect the different parameters:
-----------------------------------------

a) byte value (XFRMA_LTIME_VAL)

This TLV carries the SA's current lifetime counters, struct
xfrm_lifetime_cur (bytes, packets, add_time and use_time). These are the
running totals, not deltas since the last event.

b) replay value (XFRMA_REPLAY_VAL)

This TLV carries the SA's current replay counters, struct
xfrm_replay_state (inbound seq and bitmap, outbound oseq); again the
absolute values, not deltas since the last event.
An SA that uses ESN carries its larger window in an XFRMA_REPLAY_ESN_VAL
TLV (struct xfrm_replay_state_esn) in place of this one, so a listener
must accept either.

c) replay threshold (XFRMA_REPLAY_THRESH)

This TLV carries the threshold, in packets, that the kernel uses to
trigger an event once the replay sequence has advanced by that much since
the last event.

d) expiry timer (XFRMA_ETIMER_THRESH)

This is a timer value in milliseconds which is used as the Nagle
value to rate limit the events.

3) Default configurations for the parameters:
---------------------------------------------

By default these events should be turned off unless there is
at least one listener registered to listen to the multicast
group XFRMNLGRP_AEVENTS.

Programs installing SAs will need to specify the two thresholds; however,
in order to not change existing applications such as racoon,
we also provide default threshold values for these different parameters
in case they are not specified.

The two sysctls/proc entries (per network namespace) are:

a) /proc/sys/net/core/xfrm_aevent_etime
used to provide the default value for XFRMA_ETIMER_THRESH, in
increments of 100ms. The default is 10 (1 second). Note the unit
difference: the sysctl counts 100ms steps while the TLV is in
milliseconds.

b) /proc/sys/net/core/xfrm_aevent_rseqth
used to provide the default value for the XFRMA_REPLAY_THRESH parameter,
as a packet count. The default is two packets.

4) Message types
----------------

a) XFRM_MSG_GETAE issued by user-->kernel.
   XFRM_MSG_GETAE does not carry any TLVs.

The response is a XFRM_MSG_NEWAE which is formatted based on what
XFRM_MSG_GETAE queried for.

The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.

* if the XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved
* if the XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved

b) XFRM_MSG_NEWAE is issued either by user space to configure,
   or by the kernel to announce events or respond to a XFRM_MSG_GETAE.

i) user --> kernel to configure a specific SA.

Any of the values or threshold parameters can be updated by passing the
appropriate TLV. Like every XFRM netlink request, this requires
CAP_NET_ADMIN in the socket's network namespace: whoever can send it
can rewrite the SA's replay window.

A response is issued back to the sender in user space to indicate success
or failure.

In the case of success, an event with XFRM_MSG_NEWAE is additionally
issued to any listeners as described in iii).

ii) kernel->user direction as a response to XFRM_MSG_GETAE

The response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.

The threshold TLVs will be included if explicitly requested in
the XFRM_MSG_GETAE message.

iii) kernel->user to report an event if someone sets any values or
     thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above).
     In such a case the XFRM_AE_CU flag is set to inform the user that
     the change happened as a result of an update.
     The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.

iv) kernel->user to report an event when the replay threshold is reached
    or the timer expires.

In such a case either XFRM_AE_CR (replay threshold reached) or XFRM_AE_CE
(timeout happened) is set to inform the user what happened.
Note the two flags are mutually exclusive.
The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.

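The query and reply described in sections 1, 2 and 4, as an added example in C; it is not part of this document or of the kernel tree. It builds the XFRM_MSG_GETAE request for one SA with the flags that ask for both thresholds, then assembles the XFRM_MSG_NEWAE reply the kernel would send back (the SA addresses, SPI, counters and threshold values in it are constructed here, not captured from a kernel) and parses its TLVs, refusing a reply whose TLV lengths run past the message or that lacks the two mandatory value TLVs. Only the uapi headers linux/netlink.h and linux/xfrm.h are used; the names put_aevent_hdr, put_tlv, take, parse_newae, build_sample_newae and struct ae_result are this example's own.

```c
/* Added example, not kernel code: build a GETAE query, parse a NEWAE reply (reply constructed here). */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>      /* htonl, and (via netinet/in.h) AF_INET, IPPROTO_ESP */
#include <linux/netlink.h>
#include <linux/xfrm.h>

struct ae_result {                   /* parsed NEWAE (name chosen for this example) */
    uint32_t flags;                  /* XFRM_AE_* bits from xfrm_aevent_id */
    int have_rthr, have_ethr;        /* optional threshold TLVs present? */
    struct xfrm_lifetime_cur ltime;  /* XFRMA_LTIME_VAL */
    struct xfrm_replay_state replay; /* XFRMA_REPLAY_VAL */
    uint32_t rthr, ethr;             /* XFRMA_REPLAY_THRESH, XFRMA_ETIMER_THRESH */
};

/* nlmsghdr + xfrm_aevent_id naming one SA (a GETAE is exactly this, no TLVs);
 * pid is 0 when user -> kernel.  Returns bytes used, 0 if buf is too small. */
static size_t put_aevent_hdr(unsigned char *buf, size_t len, uint16_t type, uint32_t pid,
                             const struct xfrm_usersa_id *sa, uint32_t saddr_be,
                             uint32_t reqid, uint32_t flags)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf; struct xfrm_aevent_id *id;
    if (len < NLMSG_SPACE(sizeof(*id))) return 0;
    memset(buf, 0, len);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*id));
    nlh->nlmsg_type = type; nlh->nlmsg_flags = NLM_F_REQUEST;
    nlh->nlmsg_seq = 1; nlh->nlmsg_pid = pid;
    id = NLMSG_DATA(nlh);
    id->sa_id = *sa;                 /* SA key: daddr, spi, family, proto ... */
    id->saddr.a4 = saddr_be;         /* ... plus saddr and reqid */
    id->reqid = reqid; id->flags = flags; /* GETAE: XFRM_AE_RTHR|XFRM_AE_ETHR asks for thresholds */
    return nlh->nlmsg_len;
}

/* Append one TLV (struct nlattr + payload) to the message. */
static void put_tlv(struct nlmsghdr *nlh, uint16_t type, const void *data, size_t dlen)
{
    struct nlattr *nla = (struct nlattr *)((unsigned char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    nla->nla_type = type;
    nla->nla_len = (uint16_t)(NLA_HDRLEN + dlen);
    memcpy((unsigned char *)nla + NLA_HDRLEN, data, dlen);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + NLA_ALIGN(nla->nla_len);
}

/* Copy a TLV payload out; 1 on success, 0 if the payload is shorter than wanted. */
static int take(void *dst, size_t want, const struct nlattr *nla)
{
    if ((size_t)nla->nla_len < NLA_HDRLEN + want) return 0;
    memcpy(dst, (const unsigned char *)nla + NLA_HDRLEN, want);
    return 1;
}

/* Walk a NEWAE's TLVs: 0 on success, -1 if malformed or a mandatory value TLV is
 * missing, -2 if the SA uses ESN (XFRMA_REPLAY_ESN_VAL replaces XFRMA_REPLAY_VAL). */
static int parse_newae(const unsigned char *buf, size_t len, struct ae_result *out)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    const struct xfrm_aevent_id *id = (const struct xfrm_aevent_id *)(buf + NLMSG_HDRLEN);
    size_t off = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(*id)));
    int ltime = 0, replay = 0, esn = 0, ok = 1;
    memset(out, 0, sizeof(*out));
    if (!NLMSG_OK(nlh, (int)len) || nlh->nlmsg_type != XFRM_MSG_NEWAE || nlh->nlmsg_len < off) return -1;
    out->flags = id->flags;
    while (ok && off + NLA_HDRLEN <= nlh->nlmsg_len) {
        const struct nlattr *nla = (const struct nlattr *)(buf + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > nlh->nlmsg_len)
            return -1;               /* a lying length: stop, never read past the message */
        switch (nla->nla_type) {
        case XFRMA_LTIME_VAL:      ltime = ok = take(&out->ltime, sizeof(out->ltime), nla); break;
        case XFRMA_REPLAY_VAL:     replay = ok = take(&out->replay, sizeof(out->replay), nla); break;
        case XFRMA_REPLAY_THRESH:  out->have_rthr = ok = take(&out->rthr, 4, nla); break;
        case XFRMA_ETIMER_THRESH:  out->have_ethr = ok = take(&out->ethr, 4, nla); break;
        case XFRMA_REPLAY_ESN_VAL: esn = 1; break;
        default: break;              /* unknown TLV: skip it */
        }
        off += NLA_ALIGN(nla->nla_len);
    }
    if (!ok || !ltime) return -1;
    return replay ? 0 : (esn ? -2 : -1);
}

/* Constructed reply, shaped like the kernel's answer to a GETAE that asked for both thresholds. */
static size_t build_sample_newae(unsigned char *buf, size_t len, uint32_t pid)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct xfrm_usersa_id sa = { .daddr.a4 = htonl(0x0a000001), .spi = htonl(0x1234),
                                 .family = AF_INET, .proto = IPPROTO_ESP };   /* sample SA */
    struct xfrm_lifetime_cur lt = { .bytes = 123456, .packets = 100, .add_time = 1700000000 };
    struct xfrm_replay_state rs = { .oseq = 100, .seq = 98, .bitmap = 0xffffffffu };
    uint32_t rthr = 2, ethr = 1000;  /* sample threshold values */
    if (len < 256 || !put_aevent_hdr(buf, len, XFRM_MSG_NEWAE, pid, &sa, htonl(0x0a000002), 1,
                                     XFRM_AE_RTHR | XFRM_AE_ETHR))
        return 0;
    put_tlv(nlh, XFRMA_LTIME_VAL, &lt, sizeof(lt));
    put_tlv(nlh, XFRMA_REPLAY_VAL, &rs, sizeof(rs));
    put_tlv(nlh, XFRMA_REPLAY_THRESH, &rthr, sizeof(rthr));
    put_tlv(nlh, XFRMA_ETIMER_THRESH, &ethr, sizeof(ethr));
    return nlh->nlmsg_len;
}
```

To send the request for real, open socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) (CAP_NET_ADMIN is required and the SA must exist), and to receive the unsolicited events of section 4 iii/iv bind the socket with nl_groups set to 1 << (XFRMNLGRP_AEVENTS - 1). The parser stops at the first attribute whose length field runs past the message: a length check on every TLV is what keeps a malformed or truncated netlink message from turning into an out-of-bounds read.
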
Exceptions to threshold settings
--------------------------------

If you have an SA that is getting hit by traffic in bursts such that
there is a period where the timer threshold expires with no packets
seen, then an odd behavior is seen as follows:
the first packet arrival after a timer expiry will trigger a timeout
event, i.e. we don't wait for another timeout period or for the packet
threshold to be reached. This is done for simplicity and efficiency reasons.

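The Nagle-like rate limiting from the introduction and the burst exception described above, as an added user-space model in C (not kernel code and not from this document): it keeps the counters as of the last event beside the live ones, reports XFRM_AE_CR when either sequence number has advanced by the replay threshold, XFRM_AE_CE when the timer fires with a change pending, and, for the burst case, XFRM_AE_CE on the first packet after a timer expiry that found nothing new. The struct and function names (sa_model, sa_inbound, sa_outbound, sa_timer, run_scenario) are this example's own, and the packet and timer sequence in run_scenario is constructed.

```c
/* Added example, not kernel code: user-space model of when an SA emits XFRM_MSG_NEWAE events. */
#include <stdint.h>
#include <string.h>

enum ae_cause { AE_NONE = 0, AE_CR = 16 /* XFRM_AE_CR */, AE_CE = 32 /* XFRM_AE_CE */ };

struct replay_state { uint32_t oseq, seq, bitmap; };  /* the XFRMA_REPLAY_VAL fields */

struct sa_model {                 /* name chosen for this example */
    struct replay_state replay;   /* live counters, updated on every packet */
    struct replay_state preplay;  /* counters as of the last event sent */
    uint32_t replay_maxdiff;      /* XFRMA_REPLAY_THRESH, in packets */
    int time_defer;               /* timer expired with nothing new: report on next packet */
    int events;                   /* events emitted so far */
};

static void sa_init(struct sa_model *x, uint32_t rseqth)
{
    memset(x, 0, sizeof(*x));
    x->replay_maxdiff = rseqth;
}

/* Emit an event: snapshot the counters and clear any deferral (the timer is re-armed here). */
static enum ae_cause sa_notify(struct sa_model *x, enum ae_cause cause)
{
    x->preplay = x->replay;
    x->time_defer = 0;
    x->events++;
    return cause;
}

/* A sequence number changed: threshold check, with the burst exception. */
static enum ae_cause sa_updated(struct sa_model *x)
{
    uint32_t din = x->replay.seq - x->preplay.seq;    /* unsigned: wraps correctly */
    uint32_t dout = x->replay.oseq - x->preplay.oseq;
    if (x->replay_maxdiff == 0 ||
        (din < x->replay_maxdiff && dout < x->replay_maxdiff)) {
        if (x->time_defer)
            return sa_notify(x, AE_CE);   /* first packet after an idle timer expiry */
        return AE_NONE;                    /* below threshold: stay quiet */
    }
    return sa_notify(x, AE_CR);            /* either direction advanced by the threshold */
}

/* Inbound packet accepted with ESP sequence number seq (no out-of-window/duplicate
 * rejection here; the window update mirrors a 32-bit replay bitmap). */
static enum ae_cause sa_inbound(struct sa_model *x, uint32_t seq)
{
    uint32_t diff = seq - x->replay.seq;
    if (seq > x->replay.seq) {
        x->replay.bitmap = diff < 32 ? (x->replay.bitmap << diff) | 1u : 1u;
        x->replay.seq = seq;
    } else if (x->replay.seq - seq < 32) {
        x->replay.bitmap |= 1u << (x->replay.seq - seq);
    }
    return sa_updated(x);
}

/* Outbound packet: next sequence number. */
static enum ae_cause sa_outbound(struct sa_model *x)
{
    x->replay.oseq++;
    return sa_updated(x);
}

/* XFRMA_ETIMER_THRESH timer expiry: report if anything changed, else defer. */
static enum ae_cause sa_timer(struct sa_model *x)
{
    if (memcmp(&x->replay, &x->preplay, sizeof(x->replay)) == 0) {
        x->time_defer = 1;
        return AE_NONE;
    }
    return sa_notify(x, AE_CE);
}

/* Constructed scenario at the default rseqth of 2: a burst, an idle timer period,
 * then the first packet after it.  Fills out[] and returns the number of steps. */
static int run_scenario(enum ae_cause *out, int max)
{
    struct sa_model x;
    int n = 0;
    if (max < 8) return 0;
    sa_init(&x, 2);
    out[n++] = sa_inbound(&x, 1);   /* 1 packet since last event: quiet */
    out[n++] = sa_inbound(&x, 2);   /* threshold reached: XFRM_AE_CR */
    out[n++] = sa_timer(&x);        /* nothing new since that event: deferred */
    out[n++] = sa_inbound(&x, 3);   /* the exception: immediate XFRM_AE_CE */
    out[n++] = sa_inbound(&x, 4);   /* quiet again */
    out[n++] = sa_timer(&x);        /* timer with a pending change: XFRM_AE_CE */
    out[n++] = sa_outbound(&x);     /* outbound counts separately: quiet */
    out[n++] = sa_outbound(&x);     /* outbound threshold: XFRM_AE_CR */
    return n;
}
```

The timer itself is left abstract: sa_timer is simply called when XFRMA_ETIMER_THRESH milliseconds have elapsed since the last event. Setting the replay threshold to 0 disables the per-packet check, leaving only timer-driven events (plus the deferred one on the first packet after an idle expiry).
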
-JHS