netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sabrina Dubroca <sd@queasysnail.net>
To: Jakub Kicinski <jakub.kicinski@netronome.com>
Cc: David Miller <davem@davemloft.net>,
	netdev@vger.kernel.org, herbert@gondor.apana.org.au,
	steffen.klassert@secunet.com
Subject: Re: [PATCH net-next v4 0/6] ipsec: add TCP encapsulation support (RFC 8229)
Date: Thu, 17 Oct 2019 16:33:14 +0200	[thread overview]
Message-ID: <20191017143314.GA621051@bistromath.localdomain> (raw)
In-Reply-To: <20191015114657.45954831@cakuba.netronome.com>

2019-10-15, 11:46:57 -0700, Jakub Kicinski wrote:
> On Tue, 15 Oct 2019 10:24:24 +0200, Sabrina Dubroca wrote:
> > 2019-10-14, 14:43:27 -0400, David Miller wrote:
> > > From: Sabrina Dubroca <sd@queasysnail.net>
> > > Date: Fri, 11 Oct 2019 16:57:23 +0200
> > >   
> > > > This patchset introduces support for TCP encapsulation of IKE and ESP
> > > > messages, as defined by RFC 8229 [0]. It is an evolution of what
> > > > Herbert Xu proposed in January 2018 [1] that addresses the main
> > > > criticism against it, by not interfering with the TCP implementation
> > > > at all. The networking stack now has infrastructure for this: TCP ULPs
> > > > and Stream Parsers.  
> > > 
> > > So this will bring up a re-occurring nightmare in that now we have another
> > > situation where stacking ULPs would be necessary (kTLS over TCP encap) and
> > > the ULP mechanism simply can't do this.
> > > 
> > > Last time this came up, it had to do with sock_map.  No way could be found
> > > to stack ULPs properly, so instead sock_map was implemented via something
> > > other than ULPs.
> > > 
> > > I fear we have the same situation here again and this issue must be
> > > addressed before these patches are included.
> > > 
> > > Thanks.  
> > 
> > I don't think there's any problem here. We're not stacking ULPs on the
> > same socket. There's a TCP encap socket for IPsec, which belongs to
> > the IKE daemon. The traffic on that socket is composed of IKE messages
> > and ESP packets. Then there's whatever userspace sockets (doesn't have
> > to be TCP), and the whole IPsec and TCP encap is completely invisible
> > to them.
> > 
> > Where we would probably need ULP stacking is if we implement ESP over
> > TLS [1], but we're not there.
> > 
> > [1] https://tools.ietf.org/html/rfc8229#appendix-A
> 
> But can there be any potential issues if the TCP socket with esp ULP is
> also inserted into a sockmap? (well, I think sockmap socket gets a ULP,
> I think we prevent sockmap on top of ULP but not the other way around..)

Yeah, there's nothing preventing a socket that's already in a sockmap
from getting a ULP, only for inserting a socket in a sockmap if it
already has a ULP (see sock_map_update_common).

I gave it a quick test with espintcp, it doesn't quite seem to work: a
sockmap program that drops everything actually drops messages, but a
sockmap program that drops some messages based on length... doesn't.

Although, to be honest, I don't see a use case for sockmap on espintcp
sockets.

> Is there any chance we could see some selftests here?

For espintcp? That's planned, I need to rework my test scripts so that
they don't need human interaction, and turn them into selftests.

-- 
Sabrina

  reply	other threads:[~2019-10-17 14:33 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-11 14:57 [PATCH net-next v4 0/6] ipsec: add TCP encapsulation support (RFC 8229) Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 1/6] net: add queue argument to __skb_wait_for_more_packets and __skb_{,try_}recv_datagram Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 2/6] xfrm: introduce xfrm_trans_queue_net Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 3/6] xfrm: add route lookup to xfrm4_rcv_encap Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 4/6] esp4: prepare esp_input_done2 for non-UDP encapsulation Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 5/6] esp4: split esp_output_udp_encap and introduce esp_output_encap Sabrina Dubroca
2019-10-11 14:57 ` [PATCH net-next v4 6/6] xfrm: add espintcp (RFC 8229) Sabrina Dubroca
2019-10-14 18:43 ` [PATCH net-next v4 0/6] ipsec: add TCP encapsulation support " David Miller
2019-10-15  8:24   ` Sabrina Dubroca
2019-10-15 18:46     ` Jakub Kicinski
2019-10-17 14:33       ` Sabrina Dubroca [this message]
2019-10-17 16:00         ` Jakub Kicinski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191017143314.GA621051@bistromath.localdomain \
    --to=sd@queasysnail.net \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=jakub.kicinski@netronome.com \
    --cc=netdev@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).