Message-ID: <396556a20807181816qdb50221nc0aa259d3fb3395d@mail.gmail.com>
Date:	Fri, 18 Jul 2008 18:16:52 -0700
From:	"Adam Langley" <agl@...erialviolet.org>
To:	"YOSHIFUJI Hideaki / 吉藤英明" 
	<yoshfuji@...ux-ipv6.org>
Cc:	netdev@...r.kernel.org
Subject: Re: [RFC 2/2] TCP: Add TCP-AO support

On Fri, Jul 18, 2008 at 6:06 PM, YOSHIFUJI Hideaki / 吉藤英明
<yoshfuji@...ux-ipv6.org> wrote:
> struct tcp_auth {
>      struct __kernel_sockaddr_storage tcpa_addr;
>      __u32   tcpa_flags;

Probably a good idea for the future.

>      __u16   tcpa_txkey;

You can only specify 256 keys on the wire, so this only need be a __u8

>      __u8    tcpa_keylen[256];
>      __u8    tcpa_key[TCP_AUTH_MAXKEYLEN];

Although the generality of supporting 256 keys is a benefit, it makes
the code more complex. Multiple keys are just for key rotation: you
need enough keys such that:
  ceil(inflight-time / key-rotation-time) + 1 = numkeys

However, for reasonable values of key-rotation-time, that means that
you only need two keys. I'm quite happy to support n keys in future
versions if someone has a good argument.

(The closest I can come is "I have a 40Gbps link with a 1 second ping
time"; maybe that's not too crazy these days.)


AGL

-- 
Adam Langley agl@...erialviolet.org http://www.imperialviolet.org
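
[Added example, not part of this thread or of the RFC patch: a small simulation of the key-count rule quoted above. It models a sender that switches to a new key every rotation interval and a receiver that keeps only the last N keys in a fixed-size ring indexed by an 8-bit KeyID, as on the wire. Times are integer ticks, and the function and field names (keys_needed, simulate, struct ao_ring) are invented for the illustration; they are not the patch's API.]

```c
/* Added example, not from the TCP-AO patch under discussion: check the
 * rule  numkeys = ceil(inflight-time / key-rotation-time) + 1  by
 * simulating rotation against a receive-side key ring.  Units are ticks. */
#include <stdint.h>
#include <string.h>

#define MAX_RING 256   /* one KeyID byte on the wire: at most 256 live keys */

struct ao_key {
    int      in_use;
    uint8_t  keyid;       /* 8-bit KeyID as carried in the TCP-AO option */
    unsigned generation;  /* which rotation interval produced this key */
};

struct ao_ring {
    struct ao_key slot[MAX_RING];
    unsigned      nkeys;  /* ring size actually configured (hypothetical) */
};

/* Keys the rule in the mail asks for: ceil(inflight/rotation) + 1. */
unsigned keys_needed(unsigned inflight_ticks, unsigned rotation_ticks)
{
    if (rotation_ticks == 0)
        return MAX_RING;  /* no rotation interval: degenerate, cap it */
    return (inflight_ticks + rotation_ticks - 1) / rotation_ticks + 1;
}

/* Install the key for one rotation interval, evicting the oldest slot. */
static void ring_install(struct ao_ring *r, unsigned generation)
{
    struct ao_key *k = &r->slot[generation % r->nkeys];
    k->in_use     = 1;
    k->keyid      = (uint8_t)generation;  /* KeyID wraps at 256, as on the wire */
    k->generation = generation;
}

/* Receiver-side lookup: 1 if a live key with this KeyID is in the ring. */
static int ring_lookup(const struct ao_ring *r, uint8_t keyid)
{
    for (unsigned i = 0; i < r->nkeys; i++)
        if (r->slot[i].in_use && r->slot[i].keyid == keyid)
            return 1;
    return 0;
}

/* Simulate one segment per tick: the sender signs with the key of its
 * current interval (t / rotation), the segment arrives inflight ticks
 * later, and the receiver has by then installed every key up to its own
 * current interval.  Returns how many segments fail KeyID lookup. */
unsigned simulate(unsigned nkeys, unsigned rotation_ticks,
                  unsigned inflight_ticks, unsigned horizon_ticks)
{
    struct ao_ring ring;
    unsigned failures = 0, installed = 0;

    if (nkeys == 0 || nkeys > MAX_RING || rotation_ticks == 0)
        return horizon_ticks;  /* misconfiguration: nothing can verify */

    memset(&ring, 0, sizeof ring);
    ring.nkeys = nkeys;

    for (unsigned t = 0; t < horizon_ticks; t++) {
        unsigned tx_gen  = t / rotation_ticks;
        uint8_t  keyid   = (uint8_t)tx_gen;
        unsigned arrival = t + inflight_ticks;
        unsigned rx_gen  = arrival / rotation_ticks;

        /* The receiver keeps pace with rotation up to the arrival time. */
        while (installed <= rx_gen)
            ring_install(&ring, installed++);

        if (!ring_lookup(&ring, keyid))
            failures++;  /* sender's key already evicted from the ring */
    }
    return failures;
}
```

With a 10-tick rotation, two keys verify everything as long as in-flight time does not exceed one rotation interval (including exactly one interval); at 15 ticks in flight the oldest key is evicted before late segments arrive, and three keys, which is what keys_needed returns, are required. The ring is indexed by the 8-bit KeyID, which is also why a __u8 suffices for the transmit key selector.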
