From: Leonard Crestez <cdleonard@gmail.com>
To: Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
David Ahern <dsahern@kernel.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Priyaranjan Jha <priyarjha@google.com>,
Menglong Dong <dong.menglong@zte.com.cn>,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
netdev@vger.kernel.org
Subject: [RFCv2 0/9] tcp: Initial support for RFC5925 auth option
Date: Tue, 10 Aug 2021 00:35:29 +0300 [thread overview]
Message-ID: <cover.1628544649.git.cdleonard@gmail.com> (raw)
This is similar to TCP MD5 in functionality but it's sufficiently
different that userspace interface and wire formats are incompatible.
Compared to TCP-MD5 more algorithms are supported and multiple keys can
be used on the same connection but there is still no negotiation
mechanism. Expected use-case is protecting long-duration BGP/LDP
connections between routers using pre-shared keys.
This version is mostly functional though more testing is required. Many
obvious optimizations were skipped in favor of adding functionality.
Here are several flaws:
* RST and TIMEWAIT are mostly unhandled
* A lock might be required for tcp_authopt
* Sequence Number Extension not implemented
* User is responsible for ensuring keys do not overlap (could be fine)
* Traffic key is not cached (reducing performance)
Test suite used during development is here: https://github.com/cdleonard/tcp-authopt-test
Tests are written in python using pytest and scapy and check the API in
detail and validate packet captures.
Limited kselftest support for tcp_authopt in nettest/fcnal-test.sh is
also included in this series. Those tests are slow and cover very
little.
Changes for yabgp are here:
https://github.com/cdleonard/yabgp/commits/tcp_authopt
The patched version of yabgp can establish a BGP session protected by
TCP Authentication Option with a Cisco IOS-XR router.
Changes since RFC:
* Split into per-topic commits for ease of review. The intermediate
commits compile with a few "unused function" warnings and don't do
anything useful by themselves.
* Add ABI documention including kernel-doc on uapi
* Fix lockdep warnings from crypto by creating pools with one shash for
each cpu
* Accept short options to setsockopt by padding with zeros; this
approach allows increasing the size of the structs in the future.
* Support for aes-128-cmac-96
* Support for binding addresses to keys in a way similar to old tcp_md5
* Add support for retrieving received keyid/rnextkeyid and controling
the keyid/rnextkeyid being sent.
The key control support is not based on the requirements of any
particular app (a routing daemon) but rather the recommendations of
RFC5925. Several vendors implement key chain management similar to
RFC8177 but this belongs in userspace.
Previously: https://lore.kernel.org/netdev/01383a8751e97ef826ef2adf93bfde3a08195a43.1626693859.git.cdleonard@gmail.com/
Leonard Crestez (9):
tcp: authopt: Initial support and key management
docs: Add user documentation for tcp_authopt
tcp: authopt: Add crypto initialization
tcp: authopt: Compute packet signatures
tcp: authopt: Hook into tcp core
tcp: authopt: Add key selection controls
tcp: authopt: Add snmp counters
selftests: Initial TCP-AO support for nettest
selftests: Initial TCP-AO support for fcnal-test
Documentation/networking/index.rst | 1 +
Documentation/networking/tcp_authopt.rst | 69 ++
include/linux/tcp.h | 6 +
include/net/tcp.h | 1 +
include/net/tcp_authopt.h | 121 +++
include/uapi/linux/snmp.h | 1 +
include/uapi/linux/tcp.h | 103 ++
net/ipv4/Kconfig | 14 +
net/ipv4/Makefile | 1 +
net/ipv4/proc.c | 1 +
net/ipv4/tcp.c | 27 +
net/ipv4/tcp_authopt.c | 1091 +++++++++++++++++++++
net/ipv4/tcp_input.c | 17 +
net/ipv4/tcp_ipv4.c | 5 +
net/ipv4/tcp_minisocks.c | 2 +
net/ipv4/tcp_output.c | 56 +-
net/ipv6/tcp_ipv6.c | 4 +
tools/testing/selftests/net/fcnal-test.sh | 22 +
tools/testing/selftests/net/nettest.c | 43 +-
19 files changed, 1583 insertions(+), 2 deletions(-)
create mode 100644 Documentation/networking/tcp_authopt.rst
create mode 100644 include/net/tcp_authopt.h
create mode 100644 net/ipv4/tcp_authopt.c
base-commit: 2a2b6e3640c43a808dcb5226963e2cc0669294b1
--
2.25.1
next reply other threads:[~2021-08-09 21:35 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-09 21:35 Leonard Crestez [this message]
2021-08-09 21:35 ` [RFCv2 1/9] tcp: authopt: Initial support and key management Leonard Crestez
2021-08-10 0:59 ` kernel test robot
2021-08-10 20:41 ` Dmitry Safonov
2021-08-11 8:29 ` Leonard Crestez
2021-08-11 13:42 ` David Ahern
2021-08-11 19:11 ` Leonard Crestez
2021-08-11 20:26 ` Dmitry Safonov
2021-08-11 20:26 ` David Ahern
2021-08-11 14:31 ` Dmitry Safonov
2021-08-11 17:15 ` David Ahern
2021-08-11 20:12 ` Dmitry Safonov
2021-08-11 20:23 ` David Ahern
2021-08-11 19:08 ` Leonard Crestez
2021-08-12 19:46 ` Leonard Crestez
2021-08-09 21:35 ` [RFCv2 2/9] docs: Add user documentation for tcp_authopt Leonard Crestez
2021-08-09 21:35 ` [RFCv2 3/9] tcp: authopt: Add crypto initialization Leonard Crestez
2021-08-09 21:35 ` [RFCv2 4/9] tcp: authopt: Compute packet signatures Leonard Crestez
2021-08-10 1:33 ` kernel test robot
2021-08-09 21:35 ` [RFCv2 5/9] tcp: authopt: Hook into tcp core Leonard Crestez
2021-08-10 2:17 ` kernel test robot
2021-08-09 21:35 ` [RFCv2 6/9] tcp: authopt: Add key selection controls Leonard Crestez
2021-08-09 21:35 ` [RFCv2 7/9] tcp: authopt: Add snmp counters Leonard Crestez
2021-08-09 21:35 ` [RFCv2 8/9] selftests: Initial TCP-AO support for nettest Leonard Crestez
2021-08-09 21:35 ` [RFCv2 9/9] selftests: Initial TCP-AO support for fcnal-test Leonard Crestez
2021-08-11 13:46 ` David Ahern
2021-08-11 19:09 ` Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1628544649.git.cdleonard@gmail.com \
--to=cdleonard@gmail.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dong.menglong@zte.com.cn \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=priyarjha@google.com \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.