From: Chuck Lever III <chuck.lever@oracle.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: netdev <netdev@vger.kernel.org>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
"linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>,
"linux-cifs@vger.kernel.org" <linux-cifs@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"ak@tempesta-tech.com" <ak@tempesta-tech.com>,
"borisp@nvidia.com" <borisp@nvidia.com>,
"simo@redhat.com" <simo@redhat.com>
Subject: Re: [PATCH RFC 4/5] net/tls: Add support for PF_TLSH (a TLS handshake listener)
Date: Tue, 26 Apr 2022 13:48:20 +0000 [thread overview]
Message-ID: <E8809EC2-D49A-4171-8C88-D5E24FFA4079@oracle.com> (raw)
In-Reply-To: <20220425101459.15484d17@kernel.org>
Hi Jakub-
> On Apr 25, 2022, at 1:14 PM, Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Mon, 18 Apr 2022 12:49:50 -0400 Chuck Lever wrote:
>> In-kernel TLS consumers need a way to perform a TLS handshake. In
>> the absence of a handshake implementation in the kernel itself, a
>> mechanism to perform the handshake in user space, using an existing
>> TLS handshake library, is necessary.
>>
>> I've designed a way to pass a connected kernel socket endpoint to
>> user space using the traditional listen/accept mechanism. accept(2)
>> gives us a well-understood way to materialize a socket endpoint as a
>> normal file descriptor in a specific user space process. Like any
>> open socket descriptor, the accepted FD can then be passed to a
>> library such as openSSL to perform a TLS handshake.
>>
>> This prototype currently handles only initiating client-side TLS
>> handshakes. Server-side handshakes and key renegotiation are left
>> to do.
>>
>> Security Considerations
>> ~~~~~~~~ ~~~~~~~~~~~~~~
>>
>> This prototype is net-namespace aware.
>>
>> The kernel has no mechanism to attest that the listening user space
>> agent is trustworthy.
>>
>> Currently the prototype does not handle multiple listeners that
>> overlap -- multiple listeners in the same net namespace that have
>> overlapping bind addresses.
>
> Create the socket in user space, do all the handshakes you need there
> and then pass it to the kernel. This is how NBD + TLS works. Scales
> better and requires much less kernel code.
The RPC-with-TLS standard allows unencrypted RPC traffic on the connection
before sending ClientHello. I think we'd like to stick with creating the
socket in the kernel, for this reason and for the reasons Hannes mentions
in his reply.
--
Chuck Lever
next prev parent reply other threads:[~2022-04-26 13:48 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-18 16:49 [PATCH RFC 0/5] Implement a TLS handshake upcall Chuck Lever
2022-04-18 16:49 ` [PATCH RFC 1/5] net: Add distinct sk_psock field Chuck Lever
2022-04-21 7:35 ` Hannes Reinecke
2022-07-13 4:46 ` Hawkins Jiawei
2022-04-18 16:49 ` [PATCH RFC 2/5] tls: build proto after context has been initialized Chuck Lever
2022-04-25 17:11 ` Jakub Kicinski
2022-04-25 17:51 ` Chuck Lever III
2022-05-20 16:39 ` Chuck Lever III
2022-04-18 16:49 ` [PATCH RFC 3/5] net/tls: Add an AF_TLSH address family Chuck Lever
2022-04-21 7:35 ` Hannes Reinecke
2022-04-18 16:49 ` [PATCH RFC 4/5] net/tls: Add support for PF_TLSH (a TLS handshake listener) Chuck Lever
2022-04-21 7:36 ` Hannes Reinecke
2022-04-25 17:14 ` Jakub Kicinski
2022-04-26 9:43 ` Hannes Reinecke
2022-04-26 14:29 ` Sagi Grimberg
2022-04-26 15:02 ` Jakub Kicinski
2022-04-26 15:58 ` Hannes Reinecke
2022-04-27 0:03 ` Jakub Kicinski
2022-04-27 15:24 ` Chuck Lever III
2022-04-28 7:26 ` Hannes Reinecke
2022-04-28 13:30 ` Jakub Kicinski
2022-04-28 13:51 ` Hannes Reinecke
2022-04-28 14:09 ` Benjamin Coddington
2022-04-28 21:08 ` Jakub Kicinski
2022-05-24 10:05 ` [ovs-dev] " Ilya Maximets
2022-04-26 14:55 ` Jakub Kicinski
2022-04-26 13:48 ` Chuck Lever III [this message]
2022-04-26 14:55 ` Jakub Kicinski
2022-04-26 15:58 ` Chuck Lever III
2022-04-26 23:47 ` Jakub Kicinski
2022-04-27 14:42 ` Chuck Lever III
2022-04-27 23:53 ` Jakub Kicinski
2022-04-28 1:29 ` Chuck Lever III
2022-04-28 21:08 ` Jakub Kicinski
2022-04-28 21:54 ` Chuck Lever III
2022-04-28 8:49 ` Boris Pismenny
2022-04-28 13:12 ` Simo Sorce
2022-04-29 15:19 ` Chuck Lever III
2022-04-28 15:24 ` Chuck Lever III
2022-04-29 6:25 ` Hannes Reinecke
2022-04-18 16:49 ` [PATCH RFC 5/5] net/tls: Add observability for AF_TLSH sockets Chuck Lever
2022-04-21 7:36 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E8809EC2-D49A-4171-8C88-D5E24FFA4079@oracle.com \
--to=chuck.lever@oracle.com \
--cc=ak@tempesta-tech.com \
--cc=borisp@nvidia.com \
--cc=kuba@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=netdev@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).