From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Philip Paeps <philip@trouble.is>,
Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Shuah Khan <shuah@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Priyaranjan Jha <priyarjha@google.com>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v5 02/20] docs: Add user documentation for tcp_authopt
Date: Mon, 24 Jan 2022 14:12:48 +0200 [thread overview]
Message-ID: <067cf4a231834baa1fb0e7c51842a6b5571bcbcd.1643026076.git.cdleonard@gmail.com> (raw)
In-Reply-To: <cover.1643026076.git.cdleonard@gmail.com>
The .rst documentation contains a brief description of the user
interface and includes kernel-doc generated from uapi header.
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
Documentation/networking/index.rst | 1 +
Documentation/networking/tcp_authopt.rst | 51 ++++++++++++++++++++++++
2 files changed, 52 insertions(+)
create mode 100644 Documentation/networking/tcp_authopt.rst
diff --git a/Documentation/networking/index.rst b/Documentation/networking/index.rst
index 58bc8cd367c6..f5c324a060d8 100644
--- a/Documentation/networking/index.rst
+++ b/Documentation/networking/index.rst
@@ -100,10 +100,11 @@ Contents:
strparser
switchdev
sysfs-tagging
tc-actions-env-rules
tcp-thin
+ tcp_authopt
team
timestamping
tipc
tproxy
tuntap
diff --git a/Documentation/networking/tcp_authopt.rst b/Documentation/networking/tcp_authopt.rst
new file mode 100644
index 000000000000..72adb7a891ce
--- /dev/null
+++ b/Documentation/networking/tcp_authopt.rst
@@ -0,0 +1,51 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+=========================
+TCP Authentication Option
+=========================
+
+The TCP Authentication option specified by RFC5925 replaces the TCP MD5
+Signature option. It similar in goals but not compatible in either wire formats
+or ABI.
+
+Interface
+=========
+
+Individual keys can be added to or removed through an TCP socket by using
+TCP_AUTHOPT_KEY setsockopt and a struct tcp_authopt_key. There is no
+support for reading back keys and updates always replace the old key. These
+structures represent "Master Key Tuples (MKTs)" as described by the RFC.
+
+Per-socket options can set or read using the TCP_AUTHOPT sockopt and a struct
+tcp_authopt. This is optional: doing setsockopt TCP_AUTHOPT_KEY is sufficient to
+enable the feature.
+
+Configuration associated with TCP Authentication is global for each network
+namespace, this means that all sockets for which TCP_AUTHOPT is enabled will
+be affected by the same set of keys.
+
+Manipulating keys requires ``CAP_NET_ADMIN``.
+
+Key binding
+-----------
+
+Keys can be bound to remote addresses in a way that is somewhat similar to
+``TCP_MD5SIG``. By default a key matches all connections but matching criteria can
+be specified as fields inside struct tcp_authopt_key together with matching
+flags in tcp_authopt_key.flags. The sort of these "matching criteria" can
+expand over time by increasing the size of `struct tcp_authopt_key` and adding
+new flags.
+
+ * Address binding is optional, by default keys match all addresses
+ * Local address is ignored, matching is done by remote address
+ * Ports are ignored
+
+RFC5925 requires that key ids do not overlap when tcp identifiers (addr/port)
+overlap. This is not enforced by linux, configuring ambiguous keys will result
+in packet drops and lost connections.
+
+ABI Reference
+=============
+
+.. kernel-doc:: include/uapi/linux/tcp.h
+ :identifiers: tcp_authopt tcp_authopt_flag tcp_authopt_key tcp_authopt_key_flag tcp_authopt_alg
--
2.25.1
next prev parent reply other threads:[~2022-01-24 12:13 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-24 12:12 [PATCH v5 00/20] tcp: Initial support for RFC5925 auth option Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 01/20] tcp: authopt: Initial support and key management Leonard Crestez
2022-01-24 12:12 ` Leonard Crestez [this message]
2022-01-24 12:12 ` [PATCH v5 03/20] tcp: authopt: Add crypto initialization Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 04/20] tcp: md5: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 05/20] tcp: authopt: Compute packet signatures Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 06/20] tcp: authopt: Hook into tcp core Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 07/20] tcp: authopt: Disable via sysctl by default Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 08/20] tcp: authopt: Implement Sequence Number Extension Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 09/20] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 10/20] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 11/20] tcp: ipv4: Add AO signing for " Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 12/20] tcp: authopt: Add key selection controls Leonard Crestez
2022-01-24 12:12 ` [PATCH v5 13/20] tcp: authopt: Add initial l3index support Leonard Crestez
2022-01-24 12:13 ` [PATCH v5 14/20] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2022-01-24 12:13 ` [PATCH v5 15/20] tcp: authopt: Add prefixlen support Leonard Crestez
2022-01-24 12:13 ` [PATCH v5 16/20] tcp: authopt: Add /proc/net/tcp_authopt listing all keys Leonard Crestez
2022-01-24 12:13 ` [PATCH v5 17/20] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2022-01-24 12:13 ` [PATCH v5 18/20] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2022-01-24 12:13 ` [PATCH v5 19/20] selftests: net/fcnal: " Leonard Crestez
2022-01-24 12:13 ` [PATCH v5 20/20] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK Leonard Crestez
2022-01-24 18:39 ` [PATCH v5 00/20] tcp: Initial support for RFC5925 auth option Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=067cf4a231834baa1fb0e7c51842a6b5571bcbcd.1643026076.git.cdleonard@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=philip@trouble.is \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).