From: Leonard Crestez <cdleonard@gmail.com>
To: Eric Dumazet <edumazet@google.com>, David Ahern <dsahern@kernel.org>
Cc: Philip Paeps <philip@trouble.is>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Shuah Khan <shuah@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Caowangbao <caowangbao@huawei.com>,
Priyaranjan Jha <priyarjha@google.com>,
netdev <netdev@vger.kernel.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v6 21/26] selftests: net/fcnal: Initial tcp_authopt support
Date: Wed, 27 Jul 2022 11:29:50 +0300 [thread overview]
Message-ID: <dd2ca85e-ab29-2973-f129-9afafb405851@gmail.com> (raw)
In-Reply-To: <CANn89i+=LVDFx_zjDy6uK+QorR+fosdkb8jqNMO6syqOsS7ZqQ@mail.gmail.com>
On 7/26/22 10:27, Eric Dumazet wrote:
> On Tue, Jul 26, 2022 at 9:06 AM Eric Dumazet <edumazet@google.com> wrote:
>>
>> On Tue, Jul 26, 2022 at 8:16 AM Leonard Crestez <cdleonard@gmail.com> wrote:
>>>
>>> Tests are mostly copied from tcp_md5 with minor changes.
>>>
>>> It covers VRF support but only based on binding multiple servers: not
>>> multiple keys bound to different interfaces.
>>>
>>> Also add a specific -t tcp_authopt to run only these tests specifically.
>>>
>>
>> Thanks for the test.
>>
>> Could you amend the existing TCP MD5 test to make sure dual sockets
>> mode is working ?
>>
>> Apparently, if we have a dual stack listener socket (AF_INET6),
>> correct incoming IPV4 SYNs are dropped.
>> If this is the case, fixing MD5 should happen first ;
I remember looking into this and my conclusion was that ipv4-mapped-ipv6
is not worth supporting for AO, at least not in the initial version.
Instead I just wrote a test to check that ipv4-mapped-ipv6 fails for AO:
https://github.com/cdleonard/tcp-authopt-test/blob/main/tcp_authopt_test/test_verify_capture.py#L191
On a closer look it does appear that support existed for
ipv4-mapped-ipv6 in TCP-MD5 but my test didn't actually exercise it
correctly so the test had to be fixed.
Do you think it makes sense to add support for ipv4-mapped-ipv6 for AO?
It's not particularly difficult to test, it was skipped due to a lack of
application use case and to keep the initial series smaller.
Adding support for this later as a separate commit should be fine. Since
ivp4-mapped-ipv6 addresses shouldn't appear on the wire giving them
special treatment "later" should raise no compatibility concerns.
>> I think that we are very late in the cycle (linux-5.19 should be
>> released in 5 days), and your patch set should not be merged so late.
This was posted in order to get code reviews, I'm not actually expecting
inclusion.
--
Regards,
Leonard
next prev parent reply other threads:[~2022-07-27 8:29 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-26 6:15 [PATCH v6 00/26] tcp: Initial support for RFC5925 auth option Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 01/26] tcp: authopt: Initial support and key management Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 02/26] tcp: authopt: Remove more unused noops Leonard Crestez
2022-07-27 1:17 ` David Ahern
2022-07-27 8:49 ` Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 03/26] docs: Add user documentation for tcp_authopt Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 04/26] tcp: authopt: Add crypto initialization Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 05/26] tcp: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 06/26] tcp: authopt: Compute packet signatures Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 07/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 08/26] tcp: authopt: Hook into tcp core Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 09/26] tcp: authopt: Disable via sysctl by default Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 10/26] tcp: authopt: Implement Sequence Number Extension Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 11/26] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 12/26] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 13/26] tcp: ipv4: Add AO signing for " Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 14/26] tcp: authopt: Add key selection controls Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 15/26] tcp: authopt: Add initial l3index support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 16/26] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 17/26] tcp: authopt: Add prefixlen support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 18/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 19/26] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 20/26] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 21/26] selftests: net/fcnal: " Leonard Crestez
2022-07-26 7:06 ` Eric Dumazet
2022-07-26 7:27 ` Eric Dumazet
2022-07-27 8:29 ` Leonard Crestez [this message]
2022-07-27 9:27 ` Eric Dumazet
2022-07-26 6:15 ` [PATCH v6 22/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 23/26] tcp: authopt: tcp_authopt_lookup_send: Add anykey output param Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 24/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 25/26] tcp: authopt: If no keys are valid for send report an error Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 26/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dd2ca85e-ab29-2973-f129-9afafb405851@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=caowangbao@huawei.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=philip@trouble.is \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).