| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jul 2008 18:16:52 -0700
From: "Adam Langley" <agl@...erialviolet.org>
To: "YOSHIFUJI Hideaki / 吉藤英明"
<yoshfuji@...ux-ipv6.org>
Cc: netdev@...r.kernel.org
Subject: Re: [RFC 2/2] TCP: Add TCP-AO support
On Fri, Jul 18, 2008 at 6:06 PM, YOSHIFUJI Hideaki / 吉藤英明
<yoshfuji@...ux-ipv6.org> wrote:
> struct tcp_auth {
> struct __kernel_sockaddr_storage tcpa_addr;
> __u32 tcpa_flags;
Probably a good idea for the future,
> __u16 tcpa_txkey;
You can only specify 256 keys on the wire, so this only need be a __u8
> __u8 tcpa_keylen[256];
> __u8 tcpa_key[TCP_AUTH_MAXKEYLEN];
Although the generality of supporting 256 keys is a benefit, it makes
the code more complex. Multiple keys are just for key rotation: you
need enough keys such that:
ceil(inflight-time / key-rotation-time) + 1 = numkeys
However, for reasonable values of key-rotation-time, that means that
you only need two keys. I'm quite happy to support n keys in future
versions if someone has a good argument.
(The closest I can come is "I have a 40Gbps link with a 1 second ping
time"; maybe that's not too crazy these days.)
AGL
--
Adam Langley agl@...erialviolet.org http://www.imperialviolet.org
Powered by blists - more mailing lists