From: Eric Dumazet <edumazet@google.com>
To: Dave Taht <dave.taht@gmail.com>
Cc: cake@lists.bufferbloat.net
Subject: Re: [Cake] fq_codel leveraging the skb->hash now in net-next
Date: Fri, 20 Jan 2017 13:36:28 -0800
Message-ID: <CANn89i+2_9-zOQsSmo2q976aOc8XL_W0m=eiL2uiJmiOtJb3Dw@mail.gmail.com>
In-Reply-To: <CAA93jw4ryET29Xck4SzCKh2THUV3aqSr4c_Rr821y+HgvOjNXQ@mail.gmail.com>

The 0 case is checked.

If skb->hash == 0 or a non-L4 hash was stored in skb->hash, we call
the same flow dissector code as before ;)

And each host normally has:

1) Boot time generated RSS keys on NIC providing skb->hash

2) A boot time random number

static u32 hashrnd __read_mostly;

static __always_inline void __flow_hash_secret_init(void)
{
	net_get_random_once(&hashrnd, sizeof(hashrnd));
}

u32 flow_hash_from_keys(struct flow_keys *keys)
{
	__flow_hash_secret_init();
	return __flow_hash_from_keys(keys, hashrnd);
}
EXPORT_SYMBOL(flow_hash_from_keys);

static inline u32 ___skb_get_hash(const struct sk_buff *skb,
				  struct flow_keys *keys, u32 keyval)
{
	skb_flow_dissect_flow_keys(skb, keys,
				   FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
	return __flow_hash_from_keys(keys, keyval);
}

So an attacker has no way to guess in which slot of the hash table a
particular flow will end up.

For the record, I will add (optional) pacing to fq_codel.

On Fri, Jan 20, 2017 at 1:29 PM, Dave Taht <dave.taht@gmail.com> wrote:
> It's not clear to me if all the encapsulation types (6rd for
> example?), or drivers? are generating an skb->hash (or as of what
> release of linux they did), and there's no error checking for 0, and
> whether or not they are being permuted in skb->hash, (otherwise all
> linux implementations in the world will end up hashing the same way on
> the same combination of ips and ports),
>
> but I tend to trust eric to get it right, and hashing here was always
> the 2nd or 3rd biggest hotspot in fq_codel.
>
> https://www.mail-archive.com/netdev@vger.kernel.org/msg148598.html
>
> --
> Dave Täht
> Let's go make home routers and wifi faster! With better software!
> http://blog.cerowrt.org
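
The point made in the message above, that a per-host boot-time secret makes slot placement unpredictable, shown as an added userspace example (not code from the thread or from the kernel tree). It assumes a reduced 3-word flow tuple hashed with a copy of the kernel's jhash_3words() and fq_codel's default of 1024 flows; the addresses and the two key values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define FLOWS 1024u /* fq_codel's default number of flow queues */
#define NSET  32    /* size of the constructed same-slot set */

static uint32_t rol32(uint32_t x, int k) { return (x << k) | (x >> (32 - k)); }

/* Same mixing as jhash_3words() in include/linux/jhash.h; stands in for the
 * keyed hash over struct flow_keys (assumption: 3 words, not the full keys). */
static uint32_t jhash_3words(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
	initval += 0xdeadbeef + (3 << 2);
	a += initval; b += initval; c += initval;
	c ^= b; c -= rol32(b, 14);  a ^= c; a -= rol32(c, 11);
	b ^= a; b -= rol32(a, 25);  c ^= b; c -= rol32(b, 16);
	a ^= c; a -= rol32(c, 4);   b ^= a; b -= rol32(a, 14);
	c ^= b; c -= rol32(b, 24);
	return c;
}

/* Slot selection as reciprocal_scale(hash, FLOWS): scale the hash into [0, FLOWS). */
static uint32_t slot(uint32_t saddr, uint32_t daddr, uint32_t ports, uint32_t hashrnd)
{
	return (uint32_t)(((uint64_t)jhash_3words(saddr, daddr, ports, hashrnd) * FLOWS) >> 32);
}

/* Collect NSET flows (varying the port word) that share one slot under key_a,
 * then return how many of them still share a slot with the first under key_b. */
static int shared_slot_count(uint32_t key_a, uint32_t key_b)
{
	const uint32_t saddr = 0xc0000201, daddr = 0xc6336407; /* constructed: 192.0.2.1, 198.51.100.7 */
	uint32_t set[NSET], p;
	int n = 0, same = 0;

	for (p = 0; n < NSET && p < (1u << 22); p++)
		if (slot(saddr, daddr, p, key_a) == slot(saddr, daddr, 0, key_a))
			set[n++] = p;
	for (int i = 0; i < n; i++)
		same += slot(saddr, daddr, set[i], key_b) == slot(saddr, daddr, set[0], key_b);
	return n == NSET ? same : -1;
}

int main(void)
{
	printf("same key: %d/%d, other key: %d/%d\n", shared_slot_count(0x1234abcd, 0x1234abcd),
	       NSET, shared_slot_count(0x1234abcd, 0x9e3779b9), NSET);
	return 0;
}
```

A set of flows that all land in one slot under one hashrnd value scatters across the table under a different value, so a set computed against one host's table says nothing about another host, or about the same host after a reboot.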