Message-ID: <CAHmME9pn+zm67mmDDrkMLpSAXNEugCT3z2L-QXO2eQw+31V=YQ@mail.gmail.com>
Date: Mon, 13 Aug 2018 10:55:09 -0700
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: James Bottomley <James.Bottomley@...senpartnership.com>
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
davem@...emloft.net, linux-crypto@...r.kernel.org
Subject: Re: [PATCH v1 0/3] WireGuard: Secure Network Tunnel

> but it's very hard for a flow classifier because you have to

The construction and identifier strings might not obviously help with
the extremely narrow idea you've brought up, but it is very important
for safely introducing additional versions. Namely, it prevents
cross-protocol key reuse attacks and type confusion bugs. So
don't be too quick to dismiss the importance of these for
accomplishing what we're after.

> so let's pick one of the above and try it out.

We have, multiple times, and it's absolutely trivial to do and works
well. The exact thing you're concerned about has already been
researched and worked with on live systems quite a bit over the last 3
years, and it works in a pretty straightforward way. I'm not sure
there's much more to add here: the thing you want is already there and
has been tested extensively. At this point the "pick one and let's try
it out!" is an old story, and the focus now is on making sure the code
quality and netdev API usage is correct for merging
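
Added example, not part of the original message or of the WireGuard code: a Python sketch of how the construction and identifier strings mentioned above bind the first handshake message to one protocol version. It follows the first-message steps of the published WireGuard protocol description; the second pair of labels, the fixed byte strings standing in for Curve25519 values, and the HMAC used in place of the ChaCha20-Poly1305 tag are assumptions made for this example.

```python
import hashlib
import hmac

# Strings from the published WireGuard v1 protocol description.
CONSTRUCTION = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
IDENTIFIER = b"WireGuard v1 zx2c4 Jason@zx2c4.com"
# Hypothetical labels for a different version, invented for this example.
OTHER_IDENTIFIER = b"ExampleTunnel v2 (hypothetical)"
OTHER_CONSTRUCTION = b"Example_Construction_v2 (hypothetical)"

def h(data):
    return hashlib.blake2s(data).digest()

def mac(key, data):
    return hmac.new(key, data, hashlib.blake2s).digest()

def kdf(chaining_key, material, n):
    """HKDF over HMAC-BLAKE2s, returning n 32-byte outputs."""
    prk, out, t = mac(chaining_key, material), [], b""
    for i in range(1, n + 1):
        t = mac(prk, t + bytes([i]))
        out.append(t)
    return out

def first_message_state(construction, identifier, spub_r, epub_i, dh):
    """Return (key, transcript_hash) guarding the initiator's static field."""
    c = h(construction)                     # chaining key: construction only
    hs = h(h(c + identifier) + spub_r)      # transcript hash: identifier mixed in
    (c,) = kdf(c, epub_i, 1)
    hs = h(hs + epub_i)
    c, k = kdf(c, dh, 2)
    return k, hs

def seal(key, transcript_hash, plaintext):
    # Stand-in for the AEAD tag: a MAC over associated data and plaintext.
    return mac(key, transcript_hash + plaintext)

def accepts(receiver, sender, inputs, plaintext=b"initiator static key"):
    """Would `receiver` authenticate a field sealed under `sender` labels?"""
    tag = seal(*first_message_state(*sender, *inputs), plaintext)
    expect = seal(*first_message_state(*receiver, *inputs), plaintext)
    return hmac.compare_digest(tag, expect)

# Constructed stand-ins for two public keys and the DH shared secret.
INPUTS = (b"\x11" * 32, b"\x22" * 32, b"\x33" * 32)
V1 = (CONSTRUCTION, IDENTIFIER)

if __name__ == "__main__":
    print("same labels:", accepts(V1, V1, INPUTS))
    print("other identifier:", accepts(V1, (CONSTRUCTION, OTHER_IDENTIFIER), INPUTS))
```

The identifier is mixed only into the transcript hash, so a different identifier leaves the key unchanged but alters the associated data, and the field still fails to authenticate; a different construction changes the key itself.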