Weekly Edition
Return to the Front page
| |||||||||||||
LCE: Challenges for Linux networking
It's common to think of networking as being essentially a solved problem
for Linux. But, like the rest of the computing environment, networking is
evolving quickly over time, and Linux will have to evolve with it. Marcel
Holtmann used his LinuxCon Europe slot to talk about some of the work that
is being done to ensure that Linux networking remains second to none.
In particular, Marcel is concerned with improving networking on mobile devices. He is staying away from enterprise networking, which, he said, is pretty well worked out. It's mostly based on cabled connections with "no crazy stuff" to worry about. But mobile networking is different. The environment is far more dynamic, there is much more user interaction involved, and there is a long list of tools needed to manage it — and many of those tools are old and not up to the task. That said, some of the problems are nicely solved at this point. The "networking basics" are in place; these include Ethernet and WiFi support, along with Bluetooth, cellular protocols, and higher-level protocols like DHCP, DNS, and NTP. IPv6 support is mostly there, and tethering support is now in good shape. We also have the beginnings of support for the WISPr protocol which enables automatic login to wireless hotspots. Things are quite good, Marcel said, for the simpler use cases. The problem is that, increasingly, the common use cases are not so simple, so there are a number of challenges to be overcome before Linux can take the next step. The first of those is being able to answer a simple question: is the system actually online? Simply being associated with an access point is often not enough if that access point requires authentication. It is not an uncommon experience to have a smartphone hook up to an access point with a recognized SSID and, since the authentication step has not yet happened, lose connectivity entirely. The problem is that, at this point, there is no easy way to know if a system is actually on the net or not. An additional complication is the concept of a locally-connected network; a mobile device may be connected to local devices (a television, say) without having access to the wider Internet. We don't currently have a way to detect that situation or to communicate it to applications. Connectivity is currently thought of at a global level — the system is either online or it is not. But different applications have different connectivity needs, so we need to move toward a concept of per-application connectivity. The system should be able to go online for a specific task (synchronizing an important application, say) without necessarily opening the floodgates for any other application that may want to talk to the world. We currently have no way to do that because Linux networking is based around systems, not around applications. An additional irritation is that, once connectivity is established, all applications are notified of the availability of the net at the same time. That creates a sort of thundering herd problem where a whole range of processes try to open connections simultaneously. The result can be a clogged link and frustrated users. We really need a one-at-a-time waking mechanism for applications, with the more important ones being notified first. There is a real need for finer-grained usage statistics for the net; currently all statistics are global, which tends not to be helpful in the mobile environment. There are no per-user or per-application statistics, and no way to distinguish home-network traffic from roaming traffic. Android has a solution of sorts for this problem, Marcel said, but it is "a horrible nasty hack" that will never make it upstream. Somehow we need to come up with a cleaner implementation. Time is simple in the data center; one just has to fire up NTP and forget about it. But it is a more challenging concept on a mobile system. Those systems can move between time zones; it can be hard to know what time it actually is. For added fun, many of the available sources of time information — cellular networks, for example — are often simply wrong. So the system needs to find a way to look at data from multiple sources before concluding that it is safe to change the current time zone. Time confusion can also create trouble for applications, especially those with complex synchronization requirements. To avoid problems, the system really needs to figure out the correct time before notifying applications that the network is available. The concept of network routing must become more sophisticated in the mobile environment. Some applications, for example, should only be run if the virtual private network (VPN) is available, while others can run over any network. Other applications should not be allowed to use the VPN regardless of its availability; the same is true of Bluetooth and other types of connections. If a WiFi connection becomes available, some applications may want to use it immediately, but an application in the middle of a conversation over the cellular connection should be allowed to wrap things up before being switched to the new route. So there needs to be something like per-application routing tables, something that a tool like ConnMan can change easily, but, Marcel said, the current network namespace implementation is too strict. What bugs Marcel the most, though, is the Linux firewall mechanism. He wants to be able to set up personal firewalls that differ based on the current location; a configuration that works at home or in the office may be entirely inappropriate in a coffee shop. He didn't have much good to say about the Linux firewall implementation; it's highly capable, but impossible to configure in a reasonable way. There are, he said, lots of race conditions; reconfiguring the firewall involves clearing the old configuration and leaving things open for a period. He is hoping for a conversion to nftables, but progress on that front is slow. Marcel would also like to see the easy creation of per-application firewalls; just because a port is opened for one application does not mean that others should be able to use it. Local WiFi networks, for applications like sending video streams to a television, are coming. That requires support for protocols like WiFi Direct. The good news is that the kernel has fairly nice support at this point; unfortunately, the user interface work has not been done. So only expert users can make use of this capability now. Making it work properly for all users will require a lot of integration work into a lot of subsystems, much like full Bluetooth support needed. Speaking of Bluetooth, it now has support for pairing via the near-field communications (NFC) protocol. Essentially, devices can be paired by touching them together. NFC-based authentication for WiFi access points is on its way. There is also work being done to support sensor networks over protocols like 802.15.4 and 6LoWPAN. To summarize the talk, there is a lot of work to be done to provide the best mobile networking experience with Linux. Happily, that work is being done and the pieces are falling into place. Lest anybody think that there will be nothing for anybody to complain about, though, it is worth noting an admonition that Marcel saved for the very end of the talk: in the future, the use of systemd and control groups will be mandatory to get good mobile networking with Linux. [Your editor would like to thank the Linux Foundation for funding his travel to the event.] (Log in to post comments)
LCE: Challenges for Linux networking Posted Nov 8, 2012 3:03 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
> reconfiguring the firewall involves clearing the old configuration and leaving things open for a period
This is only the case if you are doing it wrong.
the right way to do this is to set the default policies to 'drop everything', then flush the rules (at this point, nothing goes through), then set the new rules, and if needed, change the default policies.
by setting the default policies to 'drop' not 'reject' packets sent by anything will just be silently dropped, and will retry in a little bit (by which time the new rules should be in place)
In addition to this, it is possible to insert or remove rules into the existing ruleset, but figuring the right way to do this is hard.
There is also the 'owner' module that lets you set rules by a number of criteria
from man iptables
owner
[!] --uid-owner username
[!] --uid-owner userid[-userid]
[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
[!] --socket-exists
In addition to this I see refrences to --cmd-owner that lets you set rules based on the name of the program running it.
LCE: Challenges for Linux networking Posted Nov 8, 2012 9:47 UTC (Thu) by smurf (subscriber, #17840) [Link]
It's even easier than that.
You simply create real-input-company and real-input-internetcafe and ... rules, then redirect everything from INPUT to real-input-whatever.
Switching between rulesets is an atomic "delete old redirect, insert new"; do this for all built-in rules, commit". Not exactly rocket science.
The interesting bit is, of course, per-application routing ("no, online games may not use the company WLAN") or even per-connection routing (i.e. "keep the existing connections on the old default route, but run everything else on the new route"). We can't do that. Yet. (Owner rules might work on Android, but not on a desktop where everything runs as the same user.)
LCE: Challenges for Linux networking Posted Nov 8, 2012 3:36 UTC (Thu) by bjencks (subscriber, #80303) [Link]
> reconfiguring the firewall involves clearing the old configuration and leaving things open for a period
I'm pretty sure iptables-restore does atomic updates of an entire table. It doesn't let you synchronize across multiple tables (nat, filter, mangle), but I'd hardly call it "leaving things open".
LCE: Challenges for Linux networking Posted Nov 8, 2012 9:18 UTC (Thu) by rusty (✭ supporter ✭, #26) [Link]
Yes, you can atomically update each table. It was designed that way.
That doesn't mean that applications use the kernel API appropriately; for a long time libiptc didn't give you a great way to do atomic updates of more than one rule at a time.
Changing NAT rules is a weird one, because for radical changes you really want to kill all old connections. Figuring out which existing connections would be NATed differently and resetting them might be a nice twist if people were seeing problems here.
Cheers,
LCE: Challenges for Linux networking Posted Nov 8, 2012 12:48 UTC (Thu) by jengelh (subscriber, #33263) [Link]
>Figuring out which existing connections would be NATed differently and resetting them might be a nice twist
I do not think you can actually solve this "twist". The fact that NFCT mappings - and thus TCP tuples - do not change when the nat table is changed could be considered a feature in itself. Sort of like an RCU for tuples.
LCE: Challenges for Linux networking Posted Nov 8, 2012 4:14 UTC (Thu) by swmike (subscriber, #57335) [Link]
I tried to raise some TCP related issues in <http://www.spinics.net/lists/netdev/msg213615.html> which didn't get much traction unfortunately. I think avoiding hung TCP sessions would improve user experience a lot.
LCE: Challenges for Linux networking Posted Nov 8, 2012 9:57 UTC (Thu) by yaap (subscriber, #71398) [Link]
I'm not sure the needed support is fully there for DNS for a mobile device or even a desktop.
The current situation is that there is only a global list of DNS servers (/etc/resolv.conf). But this is for redundancy only: a next entry in the list is used if no previous entry replied (down), but not if they replied negatively. And this is a limitation with VPN.
Let's say you have a VPN to mycompany.com. Ideally, you would want requests for anything in the mycompany.com domain to go to your company DNS servers. But your personal / non-work related request would go to your regular ISP. Today this is not possible easily as far as I can see (if you have a solution, please share). So what one do is to send all request to your company DNS.
But now let's say you're on the road, and want a personal VPN to your home, while having your company VPN on and regular (local) Internet access.
The issue here is that DNS configuration is global, and mutliple DNS servers is only for failure protection. You would want DNS local configuration per interface, with some policy configuration (sending request in a domain advertized for an interface would be enough to address all scenarios above).
This handling is common to all Unix, and is sufficient for servers but not for fancier (but still possible) configurations.
LCE: Challenges for Linux networking Posted Nov 8, 2012 10:55 UTC (Thu) by Fowl (subscriber, #65667) [Link]
dnsmasq has a configuration to forward queries for certain domains to different dns server. I use it on my OpenWRT router to forward AD related queries to the Windows box without suffering when it enviably has a senior's moment.
I believe dnsmasq is now being used as a local dns cache on some distros with ::0/127.0.0.1 being the address in /etc/resolv.conf. By combining these features and with the correct configuration/integration it looks like the dns side could be solved entirely in userspace.
ie. a local resolver could use the source of a query and current interface/vpn state to route queries properly. As an aside; DNS seems like a good place for "happy eyeballs"/sending requests on multiple interfaces and letting them race for least latency.
LCE: Challenges for Linux networking Posted Nov 8, 2012 12:38 UTC (Thu) by erwbgy (subscriber, #4104) [Link] The PowerDNS recursive resolver has similar functionality. For example I have: $ cat /etc/pdns-recursor/recursor.conf setuid=pdns-recursor setgid=pdns-recursor local-address=127.0.0.1 dont-query=127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128 forward-zones-file=/etc/pdns-recursor/forward_zones $ cat /etc/pdns-recursor/forward_zones local=10.7.96.21 10.in-addr.arpa=10.7.96.21 $ cat /etc/resolv.conf nameserver 127.0.0.1 search localfor my '.local' domain managed using the pdns puppet module.
LCE: Challenges for Linux networking Posted Nov 9, 2012 0:33 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
I got tired of it and simply linked my AD domain subtree into the global DNS. I've been living happily ever after.
LCE: Challenges for Linux networking Posted Nov 9, 2012 9:20 UTC (Fri) by yaap (subscriber, #71398) [Link]
Thanks a lot, I didn't know about that dnsmasq feature.
I looked a bit about dnsmasq and NetworkManager, and it seems there is already some integration supported. The following page for Ubuntu shows some integration is in the works where indeed dnsmasq is used to handle DNS request routing:
With a bit of time (for upstreaming too as I use Debian) it looks as this will be handled out of the box. Nice!
LCE: Challenges for Linux networking Posted Nov 8, 2012 14:02 UTC (Thu) by foom (subscriber, #14868) [Link]
> You would want DNS local configuration per interface, with some policy configuration (sending request in a domain advertized for an interface would be enough to address all scenarios above).
Yup, MacOSX does just that, out of the box.
LCE: Challenges for Linux networking Posted Nov 8, 2012 18:33 UTC (Thu) by Russ.Dill@gmail.com (subscriber, #52805) [Link]
I usually use SOCKS5 to solve VPN issues. For some VPNs, that means using ssh to forward a connection, for others, it means running a VPN client in linux.uml and exporting that via SOCKS5. Then, applications can be directed to a specific connection by specifying a proxy, or more complex rules can be used for applications that support a proxy.pac file.
LCE: Challenges for Linux networking Posted Nov 8, 2012 11:40 UTC (Thu) by gb (subscriber, #58328) [Link]
What is the meaning of 'application' in unix environment? Particular process? Process created from particular file? From set of files? What is the point of such "firewall" if applications are not in sandbox?
It's interesting, why all this 'mobile' articles of happy networkmanager users are full of such frustrating concepts, not well thought, not UNIX-way.
Linux is based on very well established standards, like POSIX or system V. Now then something should be added, everything goes thought childish approach "we need x let's add y" without investigation is the y really best solution to solve x. That's why replacing sysvinit with systemd is a problem, and this article look like praising attempt to replace network with something out of windows-oriented minds, overcomplicated, not well thought, and based on weak concepts of "per-application firewall". Makes me worry about Linux future.
LCE: Challenges for Linux networking Posted Nov 8, 2012 13:00 UTC (Thu) by vonbrand (subscriber, #4458) [Link] The "Oh so badly thought out, unavailable in $OTHER_OS, so useless" Linux control groups should get their own network gunk, so they can set their own configuration. Sure, that means reachitecting most of the network handling (from user commands and configuration files living in /etc all the way down to the kernel's network stack). Sorry, but Unix networking was a poorly integrated kludge, and the Internet was supposed to connect machines (not individual processes), assuming a civilized environment (no script kiddies nor outright criminals out to get at your bank account). And yes, the only sane way to go about this I can see is to integrate it in your despised systemd.
LCE: Challenges for Linux networking Posted Nov 9, 2012 15:32 UTC (Fri) by gerv (subscriber, #3376) [Link]
Yes, this. All of it. Yesterday.
Reading this article felt like a crystallization of my nebulous personal list of networking wishes:
- Auto-logon for captive Wifi access points
Rescue me! :-)
Gerv
LCE: Challenges for Linux networking Posted Nov 10, 2012 21:48 UTC (Sat) by zlynx (subscriber, #2285) [Link]
Auto-logon of access points is a dangerous thing.
Do you really want your computer agreeing to whatever is in the agreement license page?
For example, I once helped a guy set his up with some fun things like a transparent proxy that reversed image files. The agreement page had all kinds of crazy things like agreeing to full network traffic capture and use of all captured data for any purpose including access of network accounts.
People should at least read the page before clicking the button.
LCE: Challenges for Linux networking Posted Nov 11, 2012 15:24 UTC (Sun) by gerv (subscriber, #3376) [Link]
Sure. But you can imagine a system which shows you the legalese first time, and then auto logs you on when it sees the same identifiers the next times.
Gerv
LCE: Challenges for Linux networking Posted Nov 13, 2012 16:17 UTC (Tue) by Funcan (subscriber, #44209) [Link]
If my computer auto-agreed with it, then it is not a valid contract. A contract requires a meeting-of-minds.
Anybody accessing a wireless AP they don't control is better off expecting all of the above is already done and acting accordingly...
LCE: Challenges for Linux networking Posted Nov 13, 2012 16:35 UTC (Tue) by gerv (subscriber, #3376) [Link]
My point is that you could agree to it manually on first contact, and then auto-log-in would be enabled if the conditions had not changed (which would be the vast majority of times).
Gerv
|
|||||||||||||