From: Alexander Clouter <alex@digriz•org.uk>
To: Philip Prindeville <philipp_subx@redfish-solutions•com>
Cc: netdev@vger•kernel.org
Subject: Re: setsockopt(IP_TOS) being privileged or distinct capability?
Date: Sun, 4 Jul 2010 00:48:13 +0100
Message-ID: <20100703234813.GJ24655@chipmunk>
In-Reply-To: <4C2FC2C8.8080203@redfish-solutions.com>
Hi,

* Philip Prindeville <philipp_subx@redfish-solutions•com> [2010-07-03 17:07:52-0600]:
>
> On 7/3/10 12:55 PM, Alexander Clouter wrote:
>>
>>> Does anyone else think that setsockopt(IP_TOS) should be a privileged
>>> operation, perhaps using CAP_NET_ADMIN, or maybe even adding separate
>>> granularity as CAP_NET_TOS?
>>>
>>>
>> I really would prefer not having to run telnet and ssh *clients* as
>> root. :)
>
> Don't ping and traceroute -I currently run as root?
>

Indeed, but I have no idea what that has to do with ToS/DSCP flags?
ping and (old skool) traceroute use ICMP where you need to open a
privileged socket to send and receive ICMP packets. Opening a UDP/TCP
socket is an unprivileged operation and so is setsockopt(IP_TOS).

I'm guessing (if you excuse me Google-stalking you) this is all linked
to:

https://bugzilla.mindrot.org/show_bug.cgi?id=1733

You have to bear in mind ToS is a marking that userland can utilise to
request that the network provides it with a particular QoS; this does
not mean for an instant the network has to honour that (I know my ISP
does not and neither does my work network I sysadmin for)...otherwise
nothing would stop me using:

iptables -t mangle -I POSTROUTING -j DSCP --set-dscp-class EF

QoS is meaningless unless you place boundaries on the policies; the
ToS/DSCP marking should only be used as a *hint* for classification of
traffic flows.

For example, 'interactive' and 'low latency' (in the case of SSH or
telnet) should not exceed 10kB/s...unless you like to play 0verkill :)
Anything marking its traffic as interactive but shutting traffic at
500kB/s is obviously telling lies. If you build your policing rules to
blindly accept whatever is in the ToS/DSCP field, you are configuring a
DoS vector on your network.

Cheers

--
Alexander Clouter
.sigmonster says: A rolling stone gathers momentum.
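The closing point of the mail above (treat the DSCP field as a hint and bound the priority class, rather than letting the scheduler honour whatever the sender wrote) is easy to see in a small simulation. The following Python is an added example written for this page; it is not code from the thread, from OpenSSH or from the kernel. The link rate (100 kB/s), the two flows and their names ("honest", a best-effort flow at 40 kB/s; "liar", a flow marking itself EF but pushing 500 kB/s), the packet size and the 1 ms timing grid are all constructed for the example; the 10 kB/s cap on the interactive class is the figure quoted in the mail.

```python
"""Constructed simulation: what happens on a fixed-capacity link when the
scheduler trusts the DSCP field blindly, versus when the priority class is
policed. Not code from the thread; the traffic mix, link rate and flow names
are assumptions made for this example."""
from collections import defaultdict, deque
from typing import List, NamedTuple

EF = 0b101110   # DSCP Expedited Forwarding (RFC 3246)
CS0 = 0         # default / best-effort

LINK_RATE = 100_000   # bytes per second of link capacity (assumed)
EF_CAP = 10_000       # bytes per second allowed to the EF class (the 10kB/s from the mail)


class Packet(NamedTuple):
    flow: str
    dscp: int
    size: int     # bytes
    t_ms: int     # arrival time in integer milliseconds (keeps the arithmetic exact)


def make_flows(seconds: int = 1, pkt: int = 1000) -> List[Packet]:
    """Constructed traffic: 'honest' sends 40 kB/s as CS0; 'liar' marks itself EF
    but pushes 500 kB/s, five times the whole link."""
    pkts = []
    for s in range(seconds):
        for i in range(40):
            pkts.append(Packet("honest", CS0, pkt, s * 1000 + i * 25))
        for i in range(500):
            pkts.append(Packet("liar", EF, pkt, s * 1000 + i * 2))
    return sorted(pkts, key=lambda p: p.t_ms)   # stable sort: honest first on ties


class TokenBucket:
    """Single-rate policer: `rate` bytes per ms, at most `burst` bytes saved up."""
    def __init__(self, rate: int, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0

    def conform(self, size: int, now: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(pkts: List[Packet], cap_bps: int = EF_CAP) -> List[Packet]:
    """Honour the EF marking only up to cap_bps; the excess is remarked to best
    effort (demoted, not dropped), so a lying flow cannot buy priority for free."""
    bucket = TokenBucket(cap_bps // 1000, cap_bps)   # per-ms rate, one second of burst
    out = []
    for p in pkts:
        if p.dscp == EF and not bucket.conform(p.size, p.t_ms):
            p = p._replace(dscp=CS0)
        out.append(p)
    return out


def schedule(pkts: List[Packet], slot_ms: int = 1000) -> dict:
    """Link model: per slot, EF packets go out first in arrival order (strict
    priority); the remaining capacity is shared round-robin between the flows'
    CS0 packets. Returns bytes delivered per flow."""
    flows: List[str] = []
    for p in pkts:
        if p.flow not in flows:
            flows.append(p.flow)
    delivered = {f: 0 for f in flows}
    by_slot = defaultdict(list)
    for p in pkts:
        by_slot[p.t_ms // slot_ms].append(p)
    for slot_pkts in by_slot.values():
        budget = LINK_RATE * slot_ms // 1000
        queues = {f: deque() for f in flows}
        for p in slot_pkts:
            if p.dscp == EF:
                if p.size <= budget:          # priority class: served immediately
                    budget -= p.size
                    delivered[p.flow] += p.size
            else:
                queues[p.flow].append(p)
        while budget > 0 and any(queues.values()):
            for f in flows:                   # one packet per flow per round
                if queues[f]:
                    p = queues[f].popleft()
                    if p.size <= budget:
                        budget -= p.size
                        delivered[f] += p.size
    return delivered


def compare(seconds: int = 1) -> dict:
    """Bytes delivered per flow with blind trust versus with the EF policer."""
    return {"trusting": schedule(make_flows(seconds)),
            "policed": schedule(police(make_flows(seconds)))}


if __name__ == "__main__":
    for mode, result in compare().items():
        print(mode, result)
```

With blind trust the strict-priority queue hands the whole link to the flow that claimed EF and the honest flow gets nothing, which is the DoS vector the mail describes. With the policer, EF is bounded to the 10 kB/s the class is meant for (plus one second of burst), the lying flow's excess drops into best effort where it competes like any other flow, and the honest flow gets all of its 40 kB/s through. The lying flow still gets bandwidth, but only its best-effort share; the marking bought it nothing. In Linux terms this is the job of a rate limit on the EF class (a ceiling on the class the DSCP selects) rather than any attempt to make setting the field privileged.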
Thread overview:
2010-07-03 17:58 setsockopt(IP_TOS) being privileged or distinct capability? Philip Prindeville
2010-07-03 18:55 ` Alexander Clouter
2010-07-03 23:07 ` Philip Prindeville
2010-07-03 23:48 ` Alexander Clouter [this message]
2010-07-05 18:04 ` Philip Prindeville
2010-07-06 2:07 ` Hagen Paul Pfeifer
2010-07-06 3:08 ` Philip Prindeville
2010-07-06 3:13 ` David Miller
2010-07-06 10:56 ` Benny Amorsen
2010-07-05 18:08 ` Philip Prindeville
2010-07-06 8:17 ` Rémi Denis-Courmont