Contributed by merdely on from the i > u dept.
Mark Uemura (mtu@) is back with his second installment of his account of the Network Hackathon in Japan:
Network Hackathon (Part 2) - May 5-10, 2008, Ito, Japan
I remember meeting David Gwynne (dlg@) at AUUG (2004). At that time, he was working on USB drivers for OpenBSD. Since then, he's been all over the tree. It is really interesting to see him interact with the other developers at a hackathon. He's really humble and humorous in his subtle way (a hilarious collection of T-Shirts) but very articulate. That is, he knows how to convey his thoughts clearly or argue his position but in a non-confrontational way. I guess that was why he sat right beside Theo during the hackathon or was it because he was in spitting distance to those Tim Tams?
More from Part 2, with pictures, below.
By the end of the week, it was refined even further and I overheard someone saying, "This is great and another first! There are a lot of firewalls that claim that they do 'active-active' firewalling but only OpenBSD does it with state and no one has figured this out yet." David was kind enough to demonstrate this very cool (and very difficult to implement) bit of functionality before my eyes on a few Liantec boxes.
Here is what David had to say about his contributions to the hackathon:
"I came to n2k8 with basically no planning or forethought beyond getting flights and arriving at the airport on time with enough clothes for the week. I hadn't really considered what I would work on until I was sitting in the hack room with nothing to do but eat Tim Tams.
To get things rolling I decided to complete the implementation of interface transmit mitigation. This was a largely mechanical change to the network stack that caused all paths that put packets onto an interface's send queue to only send them when the queue is full or when packet processing is complete.
After that I was idle again, but somehow got reminded of problems with synced PF firewalls when traffic for one TCP connection goes over two separate machines. For example, if you have two hosts called A and B talking TCP to each other through stateful PF firewalls X and Y, and all the traffic from A to B goes via X, and the packets from B to A go via Y, then things don't work too well. More specifically, each firewall needs information found on the other firewall to be able to know if its own view of half the connection should proceed. Because pfsync updates are relatively slow compared to the actual traffic between A and B, pf on each firewall would drop packets when the real connection moves beyond the TCP window it has learnt from the other firewall.
The traditional solution to this problem is to configure PF firewalls into a master-backup setup, i.e., one machine takes all the traffic till it falls over, at which point the backup takes over all the traffic handling. Unfortunately there are situations where such a setup cannot be guaranteed or it is difficult to implement, so having master-master PF configurations would be nice to have.
Since this was my first foray into PF, I spent the following days trying to figure out the code that caused the issue and the various ways to solve it. With the help of basically everyone in the room, we came up with at least four different mechanisms for coping with this problem and a variety of diffs to test them. Eventually on the last day we came up with a working solution to the problem. Special credit must go to Ryan McBride (mcbride@) who helped me understand the code and actually wrote half of the diff for me.
Unfortunately the code needs a bit more work before it can be put in the tree. Enabling this support for master-master setups will probably hurt machines more than help them, so some further work to optimise the stack (and pfsync in particular) for the task must be done first.
I reckon I could have eaten more Tim Tams."
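To make the problem David describes concrete, here is a small Python model added for this write-up (it is not David's diff, not pf's code, and the sequence numbers, window sizes and hosts are constructed). Hosts A and B talk TCP through two stateful firewalls: every A to B segment crosses X and every B to A acknowledgement crosses Y. Each box keeps a simplified pf-style state (the `seqlo`/`seqhi` window tracking and the `MAXACKWINDOW` acknowledgement check are a cut-down version of what pf does, with no window scaling or SYN/FIN handling), learns one direction from the wire and the other only from a `pfsync` exchange that runs every `sync_every` steps. With no sync the transfer stalls after one window; with a sync interval short enough the transfer is clean.

```python
"""Toy model of one TCP connection crossing two stateful firewalls asymmetrically.

X sees only A->B packets, Y sees only B->A packets.  Each box therefore
learns half of the connection from the wire and the other half only from
pfsync.  This is an added illustration, not pf's code; the window checks
are a simplified version of pf's TCP tracking (no window scaling, no SYN/FIN).
"""
from dataclasses import dataclass

MSS = 1460            # payload bytes per data segment (constructed)
WIN = 65535           # receive window both hosts advertise (constructed)
MAXACKWINDOW = 65535  # how far an ACK may run ahead of data the box has seen
A_ISN = 1000          # first data byte A sends (constructed)
B_ISN = 5000          # first data byte B sends (constructed)


@dataclass
class Peer:
    seqlo: int        # highest end-of-data this peer has been seen to send
    seqhi: int        # highest ack+win the other side has allowed this peer to reach
    max_win: int = WIN


class Firewall:
    """One pf box holding the state for the A<->B connection."""

    def __init__(self, name):
        self.name = name
        # Assumption: the handshake state was already synced to both boxes.
        self.peers = {"a": Peer(A_ISN, A_ISN + WIN), "b": Peer(B_ISN, B_ISN + WIN)}

    def pass_packet(self, src, seq, length, ack, win):
        """Return True if the packet passes the window checks; update state if so."""
        s = self.peers[src]
        d = self.peers["b" if src == "a" else "a"]
        end = seq + length
        ok = (end <= s.seqhi                       # data inside the window the peer granted
              and seq >= s.seqlo - d.max_win       # at most one window old (retransmit)
              and d.seqlo - MAXACKWINDOW <= ack <= d.seqlo + MAXACKWINDOW)  # ACK near seen data
        if ok:
            s.seqlo = max(s.seqlo, end)
            d.seqhi = max(d.seqhi, ack + win)      # learn the window src grants to d
        return ok


def pfsync(x, y):
    """Exchange state updates: both boxes keep the most advanced values."""
    for side in ("a", "b"):
        px, py = x.peers[side], y.peers[side]
        px.seqlo = py.seqlo = max(px.seqlo, py.seqlo)
        px.seqhi = py.seqhi = max(px.seqhi, py.seqhi)


def simulate(n_segments, sync_every, max_steps=1000):
    """Lock-step transfer of n_segments from A to B; sync_every=0 means no pfsync.

    A sends one segment per step and retransmits it until the ACK comes back.
    Returns how much was delivered, how many steps it took and drops per box.
    """
    x, y = Firewall("X"), Firewall("Y")
    a_next = A_ISN                      # first unacknowledged byte at A
    delivered, steps = 0, 0
    drops = {"X": 0, "Y": 0}
    while delivered < n_segments and steps < max_steps:
        steps += 1
        # A's data segment crosses X only.
        if not x.pass_packet("a", a_next, MSS, B_ISN, WIN):
            drops["X"] += 1
        # B's acknowledgement crosses Y only.
        elif not y.pass_packet("b", B_ISN, 0, a_next + MSS, WIN):
            drops["Y"] += 1
        else:
            a_next += MSS
            delivered += 1
        if sync_every and steps % sync_every == 0:
            pfsync(x, y)
    return {"delivered": delivered, "steps": steps, "drops": drops}


if __name__ == "__main__":
    for every in (0, 20, 45):
        print(f"sync every {every:3d} steps: {simulate(200, every)}")
```

Without pfsync, X passes exactly one window (44 segments of 1460 bytes) and then rejects every retransmission, because the only thing that could raise its `seqhi` for A is B's acknowledgement, which it never sees. Syncing every 20 steps keeps both boxes ahead of the connection; at 45 steps X starts dropping a few segments per interval. In this strictly lock-step model X's data check always trips first, so Y's counter stays at zero, but Y's acknowledgement check depends on the same stale field and fails the same way once B acknowledges data Y has not been told about.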
Markus Friedl (markus@) works for GeNUA, a very successful company in Germany that offers sophisticated IT security solutions based on OpenBSD. He is one of the main team members developing and maintaining OpenSSH. He is responsible for many things in OpenSSH such as adding support for the SSH2 protocol and SFTP.
I was extremely happy that Markus was able to make it to the event. He is not just an OpenSSH developer. He has also done quite a lot of work in OpenBSD and continues to do so as you'll see below. As quiet as he is, he was seen moving around the hackathon room alternating between Marco Pfatschbacher (mpf@) and Damien Miller (djm@).
One of the best photos that Sakurai-san took of him was while he was talking with our Japanese ProPolice Stack Protection GURU, Hiroaki Etoh, during the party on the last day of the hackathon.
Here is what Markus Friedl had to say about his work at the 2008 network hackathon:
"...just a few notes. Apart from many discussions I think I did this:
pf(4)-scrub can usually just match the src-, dst-ip or the protocol. Now you can scrub packets based on tags. This way you can tag them on input (based on the port for example) and scrub matching packets on output. Additionally, I added 'set-tos' to scrub so you can enforce 'lowdelay' or other policies with scrub.
For easier support of transparent tcp/udp/ip-proxies, I've added 'divert' support. It allows redirection of packets into the userland without modifying the original packet. Additionally with new socket options you can enforce binding to non-local addresses (see netcat's -s code for an example -- see nc(1)).
(n2k8 hackathon summary to be continued)
Thanks again to Mark for this excellent write-up.