From: Eric Dumazet
Date: Fri, 20 Jan 2017 13:36:28 -0800
To: Dave Taht
Cc: cake@lists.bufferbloat.net
Subject: Re: [Cake] fq_codel leveraging the skb->hash now in net-next
List-Id: Cake - FQ_codel the next generation

The 0 case is checked.

If skb->hash == 0 or a non L4 hash was stored in skb->hash, we call the
same flow dissector code as before ;)

And each host has normally:

1) Boot time generated RSS keys on NIC providing skb->hash

2) A boot time random number

static u32 hashrnd __read_mostly;
static __always_inline void __flow_hash_secret_init(void)
{
	net_get_random_once(&hashrnd, sizeof(hashrnd));
}

u32 flow_hash_from_keys(struct flow_keys *keys)
{
	__flow_hash_secret_init();
	return __flow_hash_from_keys(keys, hashrnd);
}
EXPORT_SYMBOL(flow_hash_from_keys);

static inline u32 ___skb_get_hash(const struct sk_buff *skb,
				  struct flow_keys *keys, u32 keyval)
{
	skb_flow_dissect_flow_keys(skb, keys,
				   FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);

	return __flow_hash_from_keys(keys, keyval);
}

So an attacker has no way to guess in which slot of the hash table a
particular flow will end up.

For the record, I will add (optional) pacing to fq_codel.

On Fri, Jan 20, 2017 at 1:29 PM, Dave Taht wrote:
> It's not clear to me if all the encapsulation types (6rd for
> example?), or drivers? are generating an skb->hash (or as of what
> release of linux they did), and there's no error checking for 0, and
> whether or not they are being permuted in skb->hash, (otherwise all
> linux implementations in the world will end up hashing the same way on
> the same combination of ips and ports),
>
> but I tend to trust eric to get it right, and hashing here was always
> the 2nd or 3rd biggest hotspot in fq_codel.
>
> https://www.mail-archive.com/netdev@vger.kernel.org/msg148598.html
>
> --
> Dave Täht
> Let's go make home routers and wifi faster! With better software!
> http://blog.cerowrt.org
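
The two points in the reply above (fall back to the software hash when the stored hash is 0 or not an L4 hash, and seed that hash with a per-boot secret so bucket placement differs from host to host), as an added user-space C illustration that is not kernel code and not part of the original mail. The structs, `keyed_flow_hash` (a Jenkins-style mix standing in for `__flow_hash_from_keys`), `pkt_get_hash`, `bucket_of`, `moved_buckets` and the sample flows are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

struct flow { uint32_t saddr, daddr, ports; };               /* simplified flow keys */
struct pkt  { struct flow fl; uint32_t hash; int l4_hash; }; /* stand-in for sk_buff */

static uint32_t rol32(uint32_t x, unsigned r) { return (x << r) | (x >> (32 - r)); }

/* Jenkins-style final mix seeded with the per-boot secret (assumed stand-in). */
static uint32_t keyed_flow_hash(const struct flow *f, uint32_t key)
{
    uint32_t a = f->saddr + 0xdeadbeef, b = f->daddr + 0xdeadbeef;
    uint32_t c = f->ports + key;
    c ^= b; c -= rol32(b, 14);  a ^= c; a -= rol32(c, 11);
    b ^= a; b -= rol32(a, 25);  c ^= b; c -= rol32(b, 16);
    a ^= c; a -= rol32(c, 4);   b ^= a; b -= rol32(a, 14);
    c ^= b; c -= rol32(b, 24);
    return c;
}

/* Trust a stored hash only if it is a non-zero L4 hash; otherwise hash the
 * dissected keys in software with the boot-time secret. */
static uint32_t pkt_get_hash(const struct pkt *p, uint32_t hashrnd)
{
    if (p->hash != 0 && p->l4_hash)
        return p->hash;
    return keyed_flow_hash(&p->fl, hashrnd);
}

/* Map a 32-bit hash onto [0, nflows) without a modulo. */
static uint32_t bucket_of(uint32_t hash, uint32_t nflows)
{
    return (uint32_t)(((uint64_t)hash * nflows) >> 32);
}

/* Count how many of n constructed flows (same addresses, varying source
 * port) change bucket when only the boot-time secret changes. */
static unsigned moved_buckets(unsigned n, uint32_t key_a, uint32_t key_b, uint32_t nflows)
{
    unsigned moved = 0;
    for (unsigned i = 0; i < n; i++) {
        struct pkt p = { { 0x0a000001, 0x0a000002, ((40000u + i) << 16) | 443 }, 0, 0 };
        moved += bucket_of(pkt_get_hash(&p, key_a), nflows) !=
                 bucket_of(pkt_get_hash(&p, key_b), nflows);
    }
    return moved;
}

int main(void)
{
    printf("%u of 1000 flows changed bucket\n",
           moved_buckets(1000, 0x1234abcd, 0x9e3779b9, 1024));
    return 0;
}
```

A bucket layout measured on one host (one secret) says almost nothing about the layout on another, which is why a set of flows chosen to collide cannot be prepared in advance.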