Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.21.2, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.23.1, 0.24.0, 0.24.1, 0.25.0
- None
- None
Description
The optional network isolator (network/port_mapping) will let corrupt TCP packets reach the application. This could lead to data corruption in applications. Normally these packets are dropped immediately by the network stack and do not reach the application.
Networks may have a very low level of corrupt packets (a few per million), or may have very high levels if there are hardware or software errors in networking equipment.
1) We receive a corrupt packet externally
2) The hardware driver is able to checksum it and notices it has a bad checksum
3) The driver delivers this packet anyway, leaving it to the TCP layer to checksum it again and then drop it
4) This packet is moved to a veth interface because it is for a container
5) Both sides of the veth pair have RX checksum offloading enabled by default
6) veth_xmit() marks the packet's checksum as UNNECESSARY since its peer device has RX checksum offloading enabled
7) Packet is moved into the container TCP/IP stack
8) The TCP layer does not checksum it, since the checksum is marked as UNNECESSARY
9) The packet gets delivered to application layer
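To check a host for the condition in steps 5 and 6, the following added example (not part of the original report or the Mesos code) lists veth devices whose RX checksum offload is still on. The function names and the sample `ethtool -k` text are constructed, and `ethtool` is assumed to be installed.

```shell
#!/bin/sh
# Added example: audit veth devices for RX checksum offload (steps 5-6).
# Function names are hypothetical; ethtool is assumed to be installed.

# Read `ethtool -k <dev>` output on stdin; succeed (exit 0) only if the
# top-level "rx-checksumming" feature is reported as "on".
rx_csum_is_on() {
    awk '$1 == "rx-checksumming:" { state = $2 }
         END { exit (state == "on") ? 0 : 1 }'
}

# Read `ethtool -i <dev>` output on stdin; succeed if the driver is veth.
is_veth() {
    awk '$1 == "driver:" && $2 == "veth" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Print every veth device in the current network namespace that still has
# RX checksum offload enabled. A veth pair spans two namespaces, so run
# this once on the host and once inside the container namespace.
audit_veth() {
    for path in /sys/class/net/*; do
        dev=${path##*/}
        ethtool -i "$dev" 2>/dev/null | is_veth || continue
        if ethtool -k "$dev" 2>/dev/null | rx_csum_is_on; then
            echo "$dev: rx-checksumming on (checksum may be marked UNNECESSARY)"
        fi
    done
}

# Constructed samples of `ethtool -k` output, not captured from a real host.
SAMPLE_ON='Features for veth0:
rx-checksumming: on
tx-checksumming: on'
SAMPLE_OFF='Features for veth0:
rx-checksumming: off
tx-checksumming: on'

# Run the audit only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--audit" ]; then
    audit_veth
fi
```

Turning the feature off on a reported device with `ethtool -K <dev> rx off` removes the precondition in step 6; that reading is an assumption drawn from the steps above, not the project's stated fix.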
Issue Links
- is related to: MESOS-3365 Export per container SNMP statistics (Resolved)