All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jakub Kicinski <jakub.kicinski@netronome.com>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: David Miller <davem@davemloft.net>,
	netdev@vger.kernel.org, herbert@gondor.apana.org.au,
	steffen.klassert@secunet.com
Subject: Re: [PATCH net-next v4 0/6] ipsec: add TCP encapsulation support (RFC 8229)
Date: Tue, 15 Oct 2019 11:46:57 -0700	[thread overview]
Message-ID: <20191015114657.45954831@cakuba.netronome.com> (raw)
In-Reply-To: <20191015082424.GA435630@bistromath.localdomain>

On Tue, 15 Oct 2019 10:24:24 +0200, Sabrina Dubroca wrote:
> 2019-10-14, 14:43:27 -0400, David Miller wrote:
> > From: Sabrina Dubroca <sd@queasysnail.net>
> > Date: Fri, 11 Oct 2019 16:57:23 +0200
> >   
> > > This patchset introduces support for TCP encapsulation of IKE and ESP
> > > messages, as defined by RFC 8229 [0]. It is an evolution of what
> > > Herbert Xu proposed in January 2018 [1] that addresses the main
> > > criticism against it, by not interfering with the TCP implementation
> > > at all. The networking stack now has infrastructure for this: TCP ULPs
> > > and Stream Parsers.  
> > 
> > So this will bring up a re-occurring nightmare in that now we have another
> > situation where stacking ULPs would be necessary (kTLS over TCP encap) and
> > the ULP mechanism simply can't do this.
> > 
> > Last time this came up, it had to do with sock_map.  No way could be found
> > to stack ULPs properly, so instead sock_map was implemented via something
> > other than ULPs.
> > 
> > I fear we have the same situation here again and this issue must be
> > addressed before these patches are included.
> > 
> > Thanks.  
> 
> I don't think there's any problem here. We're not stacking ULPs on the
> same socket. There's a TCP encap socket for IPsec, which belongs to
> the IKE daemon. The traffic on that socket is composed of IKE messages
> and ESP packets. Then there's whatever userspace sockets (doesn't have
> to be TCP), and the whole IPsec and TCP encap is completely invisible
> to them.
> 
> Where we would probably need ULP stacking is if we implement ESP over
> TLS [1], but we're not there.
> 
> [1] https://tools.ietf.org/html/rfc8229#appendix-A

But can there be any potential issues if the TCP socket with esp ULP is
also inserted into a sockmap? (well, I think sockmap socket gets a ULP,
I think we prevent sockmap on top of ULP but not the other way around..)

Is there any chance we could see some selftests here?

  reply	other threads:[~2019-10-15 18:47 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-11 14:57 [PATCH net-next v4 0/6] ipsec: add TCP encapsulation support (RFC 8229) Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 1/6] net: add queue argument to __skb_wait_for_more_packets and __skb_{,try_}recv_datagram Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 2/6] xfrm: introduce xfrm_trans_queue_net Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 3/6] xfrm: add route lookup to xfrm4_rcv_encap Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 4/6] esp4: prepare esp_input_done2 for non-UDP encapsulation Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 5/6] esp4: split esp_output_udp_encap and introduce esp_output_encap Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 6/6] xfrm: add espintcp (RFC 8229) Sabrina Dubroca
2019-10-14 18:43 ` [PATCH net-next v4 0/6] ipsec: add TCP encapsulation support " David Miller
2019-10-15  8:24   ` Sabrina Dubroca
2019-10-15 18:46     ` Jakub Kicinski [this message]
2019-10-17 14:33       ` Sabrina Dubroca
2019-10-17 16:00         ` Jakub Kicinski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191015114657.45954831@cakuba.netronome.com \
    --to=jakub.kicinski@netronome.com \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=netdev@vger.kernel.org \
    --cc=sd@queasysnail.net \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.