Skip to content

Send a RST when receiving a spurious TCP packet#32

Draft
hlef wants to merge 2 commits intomainfrom
hlefeuvre/send-RST-reset-draft
Draft

Send a RST when receiving a spurious TCP packet#32
hlef wants to merge 2 commits intomainfrom
hlefeuvre/send-RST-reset-draft

Conversation

@hlef
Copy link
Collaborator

@hlef hlef commented Aug 13, 2024

One of the limitations of the network stack reset as it is now is that we do not close TCP connections (#31). This leads remote servers to send us retransmissions after the reset which, in the case of several consecutive resets, can result in packet flooding.

To address this limitation, we should send RST packets to remote hosts as part of the network stack reset process.

This Draft PR

This draft PR explores a solution to this problem where we send a RST packet upon receiving spurious TCP packets. As discussed with @davidchisnall this is not something we want to merge for the following reasons:

  1. We actually want the RST packets to be sent during the reset, not upon receiving the spurious retransmissions. Doing so also increases the attack surface for DoS through packet flooding.
  2. The current implementation of the checksum code is ugly because we want to reuse the FreeRTOS code-base, but have to work-around their somewhat specialized API (see the horrible memcpy).

Looking Forward

The reason why things are like this is time constraints (I did this at the end of my visit at SCI) and implementation complexity:

  1. This requires TCP/IP stack internal state (to know which connections are open). Plugging into the TCP/IP stack to retrieve this state is tricky.
  2. This requires to either change the FreeRTOS internal API upstream, or to import some separate checksum code into the network stack specifically for this purpose, which is something we should ideally avoid for memory usage reasons. @davidchisnall also mentioned that we may be able to get away with a smart way to build the final packet checksums from the known checksum value of the template, but this requires a bit of thinking.

I am not able to pick up this PR and do these changes right now, but we can just keep the draft PR around so that whoever does so can re-use some of the code.

@hlef hlef force-pushed the hlefeuvre/send-RST-reset-draft branch 2 times, most recently from cce7dd9 to 0819835 Compare August 13, 2024 20:30
hlef added 2 commits August 13, 2024 13:32
@hlef
Expose FreeRTOS+TCP checksum APIs to the firewall.
bd6e40d 
Signed-off-by: Hugo Lefeuvre <hugo.lefeuvre@scisemi.com>
(cherry picked from commit af215ef)
@hlef
Reply to spurious TCP packets with a RST.
1e43540 
Spurious TCP packets appear when the system is force-restarting due to
an error. In such a case, open TCP connections are not properly teared
down, and the remote TCP endpoint sends retransmissions to the newly
restarted system. These spurious TCP packets are problematic because
they fill packet buffers and quickly cause packet drops.

This commit enables the firewall to reply to spurious TCP packets with
TCP RST to stop the flow of spurious packets.

We do this with a TCP RST "packet template" which we pre-set at startup
and complete with MAC address, IP address, port, sequence number, and
checksum, when sending the RST.

To do this, we need to:
- add needed 32-bit `ntohs` and `htons`
- add a representation of a TCP header in the firewall compartment

Signed-off-by: Hugo Lefeuvre <hugo.lefeuvre@scisemi.com>
(cherry picked from commit ec54006)
@hlef hlef force-pushed the hlefeuvre/send-RST-reset-draft branch from 0819835 to 1e43540 Compare August 13, 2024 20:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hlef