[bmwg] security issues of iptables and Jool -- Re: I-D Action: draft-ietf-bmwg-benchmarking-stateful-01.txt
Gabor LENCSE <lencse@hit.bme.hu> Mon, 05 December 2022 12:24 UTC
Return-Path: <lencse@hit.bme.hu>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD23CC1522BA for <bmwg@ietfa.amsl.com>; Mon, 5 Dec 2022 04:24:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cmdKxeEkcuYJ for <bmwg@ietfa.amsl.com>; Mon, 5 Dec 2022 04:24:23 -0800 (PST)
Received: from frogstar.hit.bme.hu (frogstar.hit.bme.hu [IPv6:2001:738:2001:4020::2c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EE89C1522B4 for <bmwg@ietf.org>; Mon, 5 Dec 2022 04:24:22 -0800 (PST)
Received: from [192.168.11.2] (M106153182152.v4.enabler.ne.jp [106.153.182.152]) (authenticated bits=0) by frogstar.hit.bme.hu (8.17.1/8.17.1) with ESMTPSA id 2B5CO5Ke063381 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for <bmwg@ietf.org>; Mon, 5 Dec 2022 13:24:13 +0100 (CET) (envelope-from lencse@hit.bme.hu)
X-Authentication-Warning: frogstar.hit.bme.hu: Host M106153182152.v4.enabler.ne.jp [106.153.182.152] claimed to be [192.168.11.2]
Content-Type: multipart/alternative; boundary="------------pdoFVr3M63969mBKLrdDry0N"
Message-ID: <26d72c8f-b2a4-eb5d-eb47-f060f103bc06@hit.bme.hu>
Date: Mon, 05 Dec 2022 21:24:01 +0900
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.1
Content-Language: en-US
To: "bmwg@ietf.org" <bmwg@ietf.org>
References: <166623206196.44847.13266883730319756483@ietfa.amsl.com> <8d135160fba94fa089f8901a66668200@huawei.com> <9668432a-df92-c717-6e87-a7c5cb7b442e@hit.bme.hu> <632bb5d7a1144ed2a5eed6ba62b951ab@huawei.com> <0CFE6971-68F4-4FDB-9D32-6A6573625672@wide.ad.jp> <7c04167c6edf4b51a5d71d13d08864a5@huawei.com>
From: Gabor LENCSE <lencse@hit.bme.hu>
In-Reply-To: <7c04167c6edf4b51a5d71d13d08864a5@huawei.com>
X-Virus-Scanned: clamav-milter 0.103.7 at frogstar.hit.bme.hu
X-Virus-Status: Clean
Received-SPF: pass (frogstar.hit.bme.hu: authenticated connection) receiver=frogstar.hit.bme.hu; client-ip=106.153.182.152; helo=[192.168.11.2]; envelope-from=lencse@hit.bme.hu; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.11;
X-DCC-debian-Metrics: frogstar.hit.bme.hu; whitelist
X-Scanned-By: MIMEDefang 2.86 on 152.66.248.44
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/WWjAdIKo_RbMsGHpLbuua0Zbuy8>
Subject: [bmwg] security issues of iptables and Jool -- Re: I-D Action: draft-ietf-bmwg-benchmarking-stateful-01.txt
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2022 12:24:25 -0000
Dear Eduard,
Sorry for not responding for a long time. I would like to clarify the
security issues of ipables and Jool. In fact, they are radically different.
As for iptables, its default values for hashsize and nf_conntrack_max
are safe. Leaving them untouched guarantees that the memory of the Linux
system will not be exhausted. They can be changed with root privileges
to unsafe values, but then it is the responsibility of the system
administrator.
As for Jool, I have not found any way to set the maximum number of
connections. (It may exist, but I do not know about it. I would be happy
to know, if such a setting exists.) Using Jool with its default values
one can exhaust the memory of the Linux system by using too many
connections. So you are completely right, this is a serious vulnerability!
I was aware of this problem and thus our algorithm for measuring the
connection tracking table capacity can theoretically handle the problem
like this:
if ( DUT_collapsed || RT < RS*beta )
break;
In practice, the Tester can detect if the DUT has been collapsed. (E.g.
it does not reply to ping.) However, it has some practical difficulty to
restart it. Currently I use Dell PowerEdge 430 servers, that have iDRAC
8 (Integrated Dell Remote Access Controller 8) management software. I
can easily restart it manually after logging in and clicking the to
right place in the GUI. However, I would need to do it remotely from the
bash shell script that performs the measurement.
Best regards,
Gábor
On 11/21/2022 5:12 PM, Vasilenko Eduard wrote:
>
> Hi Keiichi,
>
> It is a good point that BMWG typically tests just one parameter at a
> time. Or else a huge permutation of possible tests may become a reality.
>
> For me, it looks important to stay in the linear proportion region (if
> possible). It gives the possibility to combine test results for the
> estimation of something in the business.
>
> For example, if the box has X FIB routes for IPv4, typically it has
> X/4 FIB routes for IPv6. Then it is possible to guess about a mixed
> environment (combination of Y IPv6 and Z IPv4) creating a proportion
> where IPv6 occupies 4x FIB resources. X=Z+4Y.
>
> I am just trying to find an orthogonal basis for tests.
>
> If the basic tests for the stateful device would be “maximum sessions
> connection and teardown per second in the stable load environment”
> then this number could participate in other calculations that are real
> for business.
>
> Unfortunately, for stateful devices, the correlation between cps
> (connection + teardown) and pps is very tight. I believe linear.
>
> Hence, if we have maximum pps and maximum cps (connection + teardown)
> then we would be capable to estimate some real business situations (in
> a linear proportion).
>
> If we would have a separate “maximum connection rate” and “maximum
> teardown rate” then the network owner would have more challenges to
> guess the performance in his environment. It is still possible to
> create a linear proportion from 3 parameters, just it would be more
> difficult and the error would be bigger because could be some
> dependency between the session connection and teardown.
>
> I am not asking to bloat the tests.
>
> I am asking for 2 tests (just connection, and connection + teardown)
> instead of the other 2 tests (connection, and teardown).
>
> because it gives more value to the business.
>
> But the test for “connection + teardown” looks already mixed. That
> formally breaks BMWG's practice to test only one parameter at a time.
>
> Hence, it is up to the group's consensus. Maybe I am wrong here and we
> should stay in the pure theoretical zone.
>
> PS: not all my comments below are related to this problem.
>
> Eduard
>
> *From:*Keiichi SHIMA [mailto:shima@wide.ad.jp]
> *Sent:* Monday, November 21, 2022 9:33 AM
> *To:* Vasilenko Eduard <vasilenko.eduard@huawei.com>
> *Cc:* Keiichi SHIMA <shima@wide.ad.jp>; Gabor LENCSE
> <lencse@hit.bme.hu>; bmwg@ietf.org
> *Subject:* Re: [bmwg] I-D Action:
> draft-ietf-bmwg-benchmarking-stateful-01.txt
>
> Hello Vasilenko Eduard
>
> I am Keiichi SHIMA, co-author of the draft.
>
> In my understandings, you are trying to define methodology to measure
> the performance of a translator box under the similar traffic patterns
> (and similar device configuration) to the real traffic pattern /
> device configuration. But our draft
> (draft-ietf-bmwg-benchmarking-stateful) is focusing on the same
> methodology defined in RFC8219 (and RFC5180, RFC2544) with some
> enhancements for supporting random port numbers (suggested in RFC4814)
> and some additional metrics (e.g. connection establishment rate). So
> we basically follow the same benchmarking methods defined in RFC8219
> (and former RFCs).
>
> Actually RFC8219 doesn’t consider the traffic patters you mentioned
> and doesn’t support device configurations which multiple ports are
> connected to one routing (or translating) engine. It may be a new
> discussion point to enhance RFC8219 (and/or former RFCs). Probably in
> a separate Internet Draft.
>
> Regards,
>
> ---
>
> Keiichi SHIMA (島慶一)
>
> WIDE project <shima@wide.ad.jp>
>
> PGP: 9D95 8544 A5CE D530 9230 DF1C BB6E ABE1 D91F EDFC
>
>
- [bmwg] I-D Action: draft-ietf-bmwg-benchmarking-s… internet-drafts
- Re: [bmwg] I-D Action: draft-ietf-bmwg-benchmarki… Vasilenko Eduard
- Re: [bmwg] I-D Action: draft-ietf-bmwg-benchmarki… Gabor LENCSE
- Re: [bmwg] I-D Action: draft-ietf-bmwg-benchmarki… Vasilenko Eduard
- Re: [bmwg] I-D Action: draft-ietf-bmwg-benchmarki… Keiichi SHIMA
- Re: [bmwg] I-D Action: draft-ietf-bmwg-benchmarki… Vasilenko Eduard
- [bmwg] security issues of iptables and Jool -- Re… Gabor LENCSE