lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 6 Apr 2024 08:39:57 -0400
From: Christian Hopps <chopps@...pps.org>
To: nicolas.dichtel@...nd.com
Cc: Christian Hopps <chopps@...pps.org>,
 Antony Antony <antony.antony@...unet.com>,
 Steffen Klassert <steffen.klassert@...unet.com>,
 Herbert Xu <herbert@...dor.apana.org.au>,
 devel@...ux-ipsec.org,
 netdev@...r.kernel.org
Subject: Re: [devel-ipsec] [PATCH ipsec-next v5] xfrm: Add Direction to the SA
 in or out

Hi Nicolas,

IPTFS is the planned first user of the direction attribute. Antony noted that most IPTFS config is only for the sending SA and created this patch as a result.

Thanks,
Chris.

> On Apr 4, 2024, at 10:08, Nicolas Dichtel via Devel <devel@...ux-ipsec.org> wrote:
> 
> Le 04/04/2024 à 10:32, Antony Antony a écrit :
>> This patch introduces the 'dir' attribute, 'in' or 'out', to the
>> xfrm_state, SA, enhancing usability by delineating the scope of values
>> based on direction. An input SA will now exclusively encompass values
>> pertinent to input, effectively segregating them from output-related
>> values. This change aims to streamline the configuration process and
>> improve the overall clarity of SA attributes.
>> 
>> This feature sets the groundwork for future patches, including
>> the upcoming IP-TFS patch. Additionally, the 'dir' attribute can
>> serve purely informational purposes.
>> It currently validates the XFRM_OFFLOAD_INBOUND flag for hardware
>> offload capabilities.
> Frankly, it's a poor API. It will be more confusing than useful.
> This informational attribute could be wrong, there is no check.
> Please consider use cases of people that don't do offload.
> 
> The kernel could accept this attribute only in case of offload. This could be
> relaxed later if needed. With no check at all, nothing could be done later, once
> it's in the uapi.
> 
> 
> Regards,
> Nicolas
> -- 
> Devel mailing list
> Devel@...ux-ipsec.org
> https://linux-ipsec.org/mailman/listinfo/devel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ