Date: Thu, 12 Oct 2023 15:35:57 +1100
From: David Gibson
To: Nikolay Edigaryev
Cc: Stefano Brivio, passt-dev@passt.top
Subject: Re: [PATCH] arp: only send ARP replies for --gateway address
References: <20230915142045.73457-1-edigaryev@gmail.com> <20230918160134.09d2b706@elisabeth>
List-Id: Development discussion and patches for passt

On Tue, Sep 19, 2023 at 12:09:01PM +1000, David Gibson wrote:
> On Mon, Sep 18,
> 2023 at 07:52:23PM +0400, Nikolay Edigaryev wrote:
> > Hello Stefano, I will try to clarify:
> >
> > I have a single host machine, a dedicated amd64 server, capable of
> > running multiple Cloud Hypervisor virtual machines backed by /dev/kvm.
> >
> > I also have a daemon-less CLI software that can provision as many VM
> > instances as the user wants, e.g. by running "mycli create --kernel
> > ... --disk ... ubuntu".
> >
> > To run a VM, the user types "mycli run ubuntu", which results in the
> > creation of two TAP interfaces: one is for passt, one is for Cloud
> > Hypervisor.
> >
> > "mycli run" then creates a bridge(8) interface, assigns a free IP from
> > /29 network to it (for example, 10.0.0.3/29), and adds both the TAP
> > interfaces to that bridge forming up a virtual switch, which allows
> > passt <-> VM and host <-> communication.
>
> Ok.  So, to check my understanding: the VM only has a single virtual
> NIC, which connects to this bridge, then you're connecting the bridge
> to the outside world using passt.  Is that correct?
>
> > "mycli run ubuntu" also invokes the passt with the following arguments:
> >
> > >passt --foreground --address 10.0.0.2 --netmask 255.255.255.248 --gateway 10.0.0.1 --mac-addr 52:f1:18:34:28:0b -4 --mtu 1500 --tap-fd 3
>
> What owns the address 10.0.0.1 here?  I'm assuming that's an address
> of the host, but is it on an external interface, or on this special
> bridge?  Or somewhere else?
>
> [Btw, clamping the passt mtu to 1500 is probably going to be pretty
> bad for TCP throughput]
>
> > Now to the issue: if the user wants to access the VM, for provisioning
> > purposes, e.g. by running "ssh 10.0.0.2", there's a race between the
> > real ARP reply from that VM and an ARP reply from passt due to the
> > code fixed in the patch above.
> >
> > And even if we add a static ARP entry for that VM on the host, there
> > still exists a race on the VM's side.
> >
> > Here the VM looks up the host's ethernet address and receives one
> > reply from host (ba:46:4e:27:8b:93) and another from passt
> > (52:f1:18:34:28:0b):
> >
> > 17:26:42.685718 5a:b7:e3:dc:bb:9f > ba:46:4e:27:8b:93, ethertype ARP
> > (0x0806), length 42: Request who-has 10.0.0.3 tell 10.0.0.2, length 28
> > 17:26:42.685744 ba:46:4e:27:8b:93 > 5a:b7:e3:dc:bb:9f, ethertype ARP
> > (0x0806), length 42: Reply 10.0.0.3 is-at ba:46:4e:27:8b:93, length 28
> > 17:26:42.685908 52:f1:18:34:28:0b > 5a:b7:e3:dc:bb:9f, ethertype ARP
> > (0x0806), length 42: Reply 10.0.0.3 is-at 52:f1:18:34:28:0b, length 28
>
> Right.
>
> Ok, so Stefano mentioned that this change will break the case of a
> guest not using the gateway it's supposed to.  That's true, but
> there's certainly a pretty strong case that no-one has any right to
> expect that case to work anyway, so we need not consider it.
>
> I believe there's some other rare but legitimate cases it can also
> break though.  For now I think these can only occur with pasta, not
> passt, but they'd still be affected:
>
>  * Although it's not common, it's possible to have a default route
>    with an interface, but no gateway (this can occur if the host has
>    connectivity over a point to point link like a VPN).  With pasta
>    --config-net we'll copy that gateway-less default route to the
>    namespace, and it will then ARP for *everything*.  That will work
>    now, because we'll answer all those arps, but would not if we only
>    arp the gateway address.
>
>  * A lesser version of the same thing: even if we have a normal
>    default gateway, we may also have specific subnet routes on the
>    host which override it.  With pasta --config-net again we will copy
>    those routes to the namespace, and so packets routed that way will
>    induce ARPs for something other than the default gateway (either
>    for the destination address or for the route specific gateway).
>
>
> Apart from the ARP issues, I think there's at least one other
> fragility in the setup you've described.  This is what I was thinking
> about when I mentioned elsewhere that I don't think ARP will be the
> only issue with having a non-trivial broadcast domain on the guest
> side of passt:
>
> If from the host you were to send packets on the bridge addressed to
> passt's address, rather than the host, I believe that would cause
> passt to update its 'addr_seen' to that of the host.  That could then
> cause packets which should be going to the guest to be sent to the
> host instead.  That could have a variety of effects from just a brief
> interruption to essentially breaking connectivity.

To summarise where we're at with this issue (including some points
Stefano and I discussed elsewhere):

Because of the case described above (default route with no gateway),
we're not going to apply this patch for the time being.

Of course, we'd like to support cloud-hypervisor and, eventually, more
general broadcast domains behind passt.  However, while the change
here might be sufficient for the specific case, it's extremely
fragile: At present, passt/pasta expects only a single addressable
machine to be on its guest side, and not just in the handling of ARP.
For example, if anything in the broadcast domain other than the
expected guest contacted passt for any reason, the 'ip[46]_seen'
variables would be updated, causing further traffic from passt to be
misdirected.

Fixing this robustly requires substantial changes to how we keep track
of what addresses exist on the guest side.  We're working on that, for
this reason amongst others, but it's going to be a while before it's
ready.

In the shorter term, I think the most likely way forward for clh is to
only use passt in configurations where the guest side broadcast domain
has nothing on it, except for a single VM and passt.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
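
The duplicate ARP replies in the quoted capture (the host and passt both claiming 10.0.0.3) can be flagged automatically on a bridge like the one described. The following is an added example, not part of the original message or of passt; it assumes `tcpdump -e -n` output, and the function names, the one-second window and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump -e -n output. The first three lines are the capture quoted in the
# message (unwrapped); the last two are constructed for this example and show
# a single, non-conflicting responder for the --gateway address.
CAPTURE = """\
17:26:42.685718 5a:b7:e3:dc:bb:9f > ba:46:4e:27:8b:93, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.3 tell 10.0.0.2, length 28
17:26:42.685744 ba:46:4e:27:8b:93 > 5a:b7:e3:dc:bb:9f, ethertype ARP (0x0806), length 42: Reply 10.0.0.3 is-at ba:46:4e:27:8b:93, length 28
17:26:42.685908 52:f1:18:34:28:0b > 5a:b7:e3:dc:bb:9f, ethertype ARP (0x0806), length 42: Reply 10.0.0.3 is-at 52:f1:18:34:28:0b, length 28
17:26:43.100000 5a:b7:e3:dc:bb:9f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.2, length 28
17:26:43.100200 52:f1:18:34:28:0b > 5a:b7:e3:dc:bb:9f, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 52:f1:18:34:28:0b, length 28
"""

REPLY_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) [0-9a-f:]{17} > [0-9a-f:]{17}, "
    r"ethertype ARP .*: Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})"
)

def parse_replies(text):
    """Yield (seconds_since_midnight, ip, claimed_mac) for each ARP reply."""
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            h, mi, s, ip, mac = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), ip, mac

def find_conflicts(text, window=1.0):
    """Return {ip: sorted MACs} where >1 MAC claimed the IP within `window` s."""
    seen = defaultdict(list)          # ip -> [(ts, mac), ...]
    conflicts = defaultdict(set)
    for ts, ip, mac in parse_replies(text):
        for old_ts, old_mac in seen[ip]:
            if old_mac != mac and ts - old_ts <= window:
                conflicts[ip].update((old_mac, mac))
        seen[ip].append((ts, mac))
    return {ip: sorted(macs) for ip, macs in conflicts.items()}

if __name__ == "__main__":
    for ip, macs in find_conflicts(CAPTURE).items():
        print(f"conflicting ARP replies for {ip}: {', '.join(macs)}")
```

Timestamps are treated as seconds since midnight, so a capture that spans midnight would need the date as well (`tcpdump -tttt`).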