lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20150106101936.GC31458@secunet.com>
Date:	Tue, 6 Jan 2015 11:19:37 +0100
From:	Steffen Klassert <steffen.klassert@...unet.com>
To:	<netdev@...r.kernel.org>
CC:	Jamal Hadi Salim <jhs@...atatu.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	David Miller <davem@...emloft.net>
Subject: IPsec workshop at netdev01?

Is there any interest in doing an IPsec workshop at netdev01?

This mail is to probe if we can gather enough discussion topics to run
such a workshop. So if someone is interested to attend and/or has a
related discussion topic, please let me know.

The idea to do this workshop came yesterday, so I'm still collecting
topics I'm interested in. Some things that came immediately to my mind
are:

- Our IPsec policy/state lookups are still hashlist based on slowpath with
  a flowcache to do fast lookups for traffic flows we have already seen.
  This flowcache has similar issues like the ipv4 routing chache had.
  Is the flowcache an appropriate lookup method on the long run or should
  we at least think about an additional alternative lookup method?

- We still lack a 32/64 bit compatibiltiy layer for IPsec, this issue
  comes up from time to time. Some solutions were proposed in the past
  but all had problems. The current behaviour is broken if someone tries
  to configure IPsec with 32 bit tools on a 64 bit machine. Can we get
  this right somehow or is it better to just return an error in this case?

- Changing the system time can lead to unexpected SA lifetime changes. The
  discussion on the list did not lead to a conclusion on how to fix this.
  What is the best way to get this fixed?
  
- The IPsec policy enforcement default is to allow all flows that don't
  match a policy. On systems with a high security level it might be
  intersting to configurable invert the default from allow to block. With
  the default to block configured, we would need allow policies for all
  packet flows we accept. Some people would be even interested in a knob
  to enforce a certain default behaviour until the next reboot. Is this
  reasonable? How far can we get here?

- A more general thing: How complete is our IPsec implementation? Are there
  things that should be implemented but we don't have it?

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ