From: David Ahern <dsahern@gmail.com>
To: Leonard Crestez <cdleonard@gmail.com>,
Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
David Ahern <dsahern@kernel.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Priyaranjan Jha <priyarjha@google.com>,
Menglong Dong <dong.menglong@zte.com.cn>,
open list <linux-kernel@vger.kernel.org>,
linux-crypto@vger.kernel.org,
Network Development <netdev@vger.kernel.org>,
Dmitry Safonov <dima@arista.com>
Subject: Re: [RFCv2 1/9] tcp: authopt: Initial support and key management
Date: Wed, 11 Aug 2021 14:26:16 -0600 [thread overview]
Message-ID: <c268842b-c699-8d83-6b48-a2205fbf8f21@gmail.com> (raw)
In-Reply-To: <18235a42-72ad-8471-c940-c70b476cf0e0@gmail.com>
On 8/11/21 1:11 PM, Leonard Crestez wrote:
> On 11.08.2021 16:42, David Ahern wrote:
>> On 8/11/21 2:29 AM, Leonard Crestez wrote:
>>> On 8/10/21 11:41 PM, Dmitry Safonov wrote:
>>>> Hi Leonard,
>>>>
>>>> On Tue, 10 Aug 2021 at 02:50, Leonard Crestez <cdleonard@gmail.com>
>>>> wrote:
>>>> [..]
>>>>> +/* Representation of a Master Key Tuple as per RFC5925 */
>>>>> +struct tcp_authopt_key_info {
>>>>> + struct hlist_node node;
>>>>> + /* Local identifier */
>>>>> + u32 local_id;
>>>>
>>>> There is no local_id in RFC5925, what's that?
>>>> An MKT is identified by (send_id, recv_id), together with
>>>> (src_addr/src_port, dst_addr/dst_port).
>>>> Why introducing something new to already complicated RFC?
>>>
>>> It was there to simplify user interface and initial implementation.
>>>
>>> But it seems that BGP listeners already needs to support multiple
>>> keychains for different peers so identifying the key by (send_id,
>>> recv_id, binding) is easier for userspace to work with. Otherwise they
>>> need to create their own local_id mapping internally.
>>>
>>
>> any proposed simplification needs to be well explained and how it
>> relates to the RFC spec.
>
> The local_id only exists between userspace and kernel so it's not really
> covered by the RFC.
My point is that you need to document the uapi (however it ends up) and
how it is used to achieve the intent of the RFC.
>
> There are objections to this and it seems to be unhelpful for userspace
> zo I will replace it with match by binding.
>
> BTW: another somewhat dubious simplification is that I offloaded the RFC
> requirement to never add overlapping keys to userspace. So if userspace
> adds keys with same recvid that match the same TCP 4-tuple then
> connections will just start failing.
>
> It's arguably fine to allow userspace misconfiguration to cause failures.
>
> --
> Regards,
> Leonard
next prev parent reply other threads:[~2021-08-11 20:26 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-09 21:35 [RFCv2 0/9] tcp: Initial support for RFC5925 auth option Leonard Crestez
2021-08-09 21:35 ` [RFCv2 1/9] tcp: authopt: Initial support and key management Leonard Crestez
2021-08-10 0:59 ` kernel test robot
2021-08-10 20:41 ` Dmitry Safonov
2021-08-11 8:29 ` Leonard Crestez
2021-08-11 13:42 ` David Ahern
2021-08-11 19:11 ` Leonard Crestez
2021-08-11 20:26 ` Dmitry Safonov
2021-08-11 20:26 ` David Ahern [this message]
2021-08-11 14:31 ` Dmitry Safonov
2021-08-11 17:15 ` David Ahern
2021-08-11 20:12 ` Dmitry Safonov
2021-08-11 20:23 ` David Ahern
2021-08-11 19:08 ` Leonard Crestez
2021-08-12 19:46 ` Leonard Crestez
2021-08-09 21:35 ` [RFCv2 2/9] docs: Add user documentation for tcp_authopt Leonard Crestez
2021-08-09 21:35 ` [RFCv2 3/9] tcp: authopt: Add crypto initialization Leonard Crestez
2021-08-09 21:35 ` [RFCv2 4/9] tcp: authopt: Compute packet signatures Leonard Crestez
2021-08-10 1:33 ` kernel test robot
2021-08-09 21:35 ` [RFCv2 5/9] tcp: authopt: Hook into tcp core Leonard Crestez
2021-08-10 2:17 ` kernel test robot
2021-08-09 21:35 ` [RFCv2 6/9] tcp: authopt: Add key selection controls Leonard Crestez
2021-08-09 21:35 ` [RFCv2 7/9] tcp: authopt: Add snmp counters Leonard Crestez
2021-08-09 21:35 ` [RFCv2 8/9] selftests: Initial TCP-AO support for nettest Leonard Crestez
2021-08-09 21:35 ` [RFCv2 9/9] selftests: Initial TCP-AO support for fcnal-test Leonard Crestez
2021-08-11 13:46 ` David Ahern
2021-08-11 19:09 ` Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c268842b-c699-8d83-6b48-a2205fbf8f21@gmail.com \
--to=dsahern@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=cdleonard@gmail.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dima@arista.com \
--cc=dong.menglong@zte.com.cn \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=priyarjha@google.com \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.