[systemd-devel] Systemd setting up two Microchip switch ports as individual network interfaces and then bonding them

Tue Oct 13 20:09:33 UTC 2020

... would be nice if someone could add a systemd-networkd section to
Documentation/networking/bonding.txt

Looks like all methods but systemd-networkd are covered.

Regards,

Brian

On Tue, Oct 13, 2020 at 4:06 PM Brian Hutchinson <b.hutchman at gmail.com>
wrote:

>
>
> On Tue, Oct 13, 2020 at 10:06 AM Brian Hutchinson <b.hutchman at gmail.com>
> wrote:
>
>>
>> On Tue, Oct 13, 2020 at 9:16 AM Kevin P. Fleming <kevin at km6g.us> wrote:
>>
>>> While I can't comment on the specifics of configuring systemd-networkd
>>> to use ports through DSA (although the linked GitHub issue shows that
>>> it can be done), I really doubt you are going to be able to
>>> successfully bond any group of such ports, because they all have the
>>> same MAC address. In your proposed configuration, you have a NIC
>>> connected to a switch (internal to your system), which would then have
>>> multiple ports connected to *another* switch. Unless the switches
>>> involved support STP or some other loop-avoidance mechanism, you will
>>> get a switching loop in this configuration.
>>>
>>> Connecting multiple ports between two switches requires cooperation in
>>> the switches (STP, or LACP, or something else).ds,
>>>
>>>
>> So a primer on DSA:
>>
>> https://docs.phyglos.org/kernel/networking/dsa/configuration.html
>>
>> You can make the switch ports act as individual network interfaces
>> (called single port in that web link) that won't create switch loops.
>>
>> The pre-cursor to DSA that the OpenWRT guys use does the same thing.  It
>> can bust a switch up into individual ports ... then you can do whatever you
>> want with them.
>>
>> Regards,
>>
>> Brian
>>
>
> Kevin,
>
> I believe some of your concerns can also be handled by bonding:
>
> This is from kernel Documentation directory ... but a link to same
> https://www.kernel.org/doc/Documentation/networking/bonding.txt
>
> 3.7 Configuring LACP for 802.3ad mode in a more secure way
> ----------------------------------------------------------
>
> When using 802.3ad bonding mode, the Actor (host) and Partner (switch)
> exchange LACPDUs.  These LACPDUs cannot be sniffed, because they are
> destined to link local mac addresses (which switches/bridges are not
> supposed to forward).  However, most of the values are easily predictable
> or are simply the machine's MAC address (which is trivially known to all
> other hosts in the same L2).  This implies that other machines in the L2
> domain can spoof LACPDU packets from other hosts to the switch and potentially
> cause mayhem by joining (from the point of view of the switch) another
> machine's aggregate, thus receiving a portion of that hosts incoming
> traffic and / or spoofing traffic from that machine themselves (potentially
> even successfully terminating some portion of flows). Though this is not
> a likely scenario, one could avoid this possibility by simply configuring
> few bonding parameters:
>
>    (a) ad_actor_system : You can set a random mac-address that can be used for
>        these LACPDU exchanges. The value can not be either NULL or Multicast.
>        Also it's preferable to set the local-admin bit. Following shell code
>        generates a random mac-address as described above.
>
>        # sys_mac_addr=$(printf '%02x:%02x:%02x:%02x:%02x:%02x' \
>                                 $(( (RANDOM & 0xFE) | 0x02 )) \
>                                 $(( RANDOM & 0xFF )) \
>                                 $(( RANDOM & 0xFF )) \
>                                 $(( RANDOM & 0xFF )) \
>                                 $(( RANDOM & 0xFF )) \
>                                 $(( RANDOM & 0xFF )))
>        # echo $sys_mac_addr > /sys/class/net/bond0/bonding/ad_actor_system
>
>    (b) ad_actor_sys_prio : Randomize the system priority. The default value
>        is 65535, but system can take the value from 1 - 65535. Following shell
>        code generates random priority and sets it.
>
>        # sys_prio=$(( 1 + RANDOM + RANDOM ))
>        # echo $sys_prio > /sys/class/net/bond0/bonding/ad_actor_sys_prio
>
>    (c) ad_user_port_key : Use the user portion of the port-key. The default
>        keeps this empty. These are the upper 10 bits of the port-key and value
>        ranges from 0 - 1023. Following shell code generates these 10 bits and
>        sets it.
>
>        # usr_port_key=$(( RANDOM & 0x3FF ))
>        # echo $usr_port_key > /sys/class/net/bond0/bonding/ad_user_port_key
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20201013/fcdf9dab/attachment.htm>