[systemd-devel] Systemd setting up two Microchip switch ports as individual network interfaces and then bonding them
Brian Hutchinson
b.hutchman at gmail.com
Tue Oct 13 20:06:07 UTC 2020
On Tue, Oct 13, 2020 at 10:06 AM Brian Hutchinson <b.hutchman at gmail.com>
wrote:
>
> On Tue, Oct 13, 2020 at 9:16 AM Kevin P. Fleming <kevin at km6g.us> wrote:
>
>> While I can't comment on the specifics of configuring systemd-networkd
>> to use ports through DSA (although the linked GitHub issue shows that
>> it can be done), I really doubt you are going to be able to
>> successfully bond any group of such ports, because they all have the
>> same MAC address. In your proposed configuration, you have a NIC
>> connected to a switch (internal to your system), which would then have
>> multiple ports connected to *another* switch. Unless the switches
>> involved support STP or some other loop-avoidance mechanism, you will
>> get a switching loop in this configuration.
>>
>> Connecting multiple ports between two switches requires cooperation in
>> the switches (STP, or LACP, or something else).ds,
>>
>>
> So a primer on DSA:
>
> https://docs.phyglos.org/kernel/networking/dsa/configuration.html
>
> You can make the switch ports act as individual network interfaces (called
> single port in that web link) that won't create switch loops.
>
> The pre-cursor to DSA that the OpenWRT guys use does the same thing. It
> can bust a switch up into individual ports ... then you can do whatever you
> want with them.
>
> Regards,
>
> Brian
>
Kevin,
I believe some of your concerns can also be handled by bonding:
This is from kernel Documentation directory ... but a link to same
https://www.kernel.org/doc/Documentation/networking/bonding.txt
3.7 Configuring LACP for 802.3ad mode in a more secure way
----------------------------------------------------------
When using 802.3ad bonding mode, the Actor (host) and Partner (switch)
exchange LACPDUs. These LACPDUs cannot be sniffed, because they are
destined to link local mac addresses (which switches/bridges are not
supposed to forward). However, most of the values are easily predictable
or are simply the machine's MAC address (which is trivially known to all
other hosts in the same L2). This implies that other machines in the L2
domain can spoof LACPDU packets from other hosts to the switch and potentially
cause mayhem by joining (from the point of view of the switch) another
machine's aggregate, thus receiving a portion of that hosts incoming
traffic and / or spoofing traffic from that machine themselves (potentially
even successfully terminating some portion of flows). Though this is not
a likely scenario, one could avoid this possibility by simply configuring
few bonding parameters:
(a) ad_actor_system : You can set a random mac-address that can be used for
these LACPDU exchanges. The value can not be either NULL or Multicast.
Also it's preferable to set the local-admin bit. Following shell code
generates a random mac-address as described above.
# sys_mac_addr=$(printf '%02x:%02x:%02x:%02x:%02x:%02x' \
$(( (RANDOM & 0xFE) | 0x02 )) \
$(( RANDOM & 0xFF )) \
$(( RANDOM & 0xFF )) \
$(( RANDOM & 0xFF )) \
$(( RANDOM & 0xFF )) \
$(( RANDOM & 0xFF )))
# echo $sys_mac_addr > /sys/class/net/bond0/bonding/ad_actor_system
(b) ad_actor_sys_prio : Randomize the system priority. The default value
is 65535, but system can take the value from 1 - 65535. Following shell
code generates random priority and sets it.
# sys_prio=$(( 1 + RANDOM + RANDOM ))
# echo $sys_prio > /sys/class/net/bond0/bonding/ad_actor_sys_prio
(c) ad_user_port_key : Use the user portion of the port-key. The default
keeps this empty. These are the upper 10 bits of the port-key and value
ranges from 0 - 1023. Following shell code generates these 10 bits and
sets it.
# usr_port_key=$(( RANDOM & 0x3FF ))
# echo $usr_port_key > /sys/class/net/bond0/bonding/ad_user_port_key
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20201013/6d0f0aa7/attachment.htm>
More information about the systemd-devel
mailing list