| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170612224912.GE17030@ycc.fr>
Date: Tue, 13 Jun 2017 00:49:12 +0200
From: Ivan Delalande <colona@...sta.com>
To: David Miller <davem@...emloft.net>
Cc: eric.dumazet@...il.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 2/2] tcp: md5: extend the tcp_md5sig struct to specify
a key address prefix
On Sat, Jun 10, 2017 at 06:58:11PM -0400, David Miller wrote:
> From: Ivan Delalande <colona@...sta.com>
> Date: Fri, 9 Jun 2017 19:14:49 -0700
>
> > Add a flag field and address prefix length at the end of the tcp_md5sig
> > structure so users can configure an address prefix length along with a
> > key. Make sure shorter option values are still accepted in
> > tcp_v4_parse_md5_keys and tcp_v6_parse_md5_keys to maintain backward
> > compatibility.
> >
> > Signed-off-by: Bob Gilligan <gilligan@...sta.com>
> > Signed-off-by: Eric Mowat <mowat@...sta.com>
> > Signed-off-by: Ivan Delalande <colona@...sta.com>
>
> As I believe was previously stated, the problem with this approach is
> that if a new tool requests the prefix length and is run on an older
> kernel, the kernel will return success even though the prefix length
> was not taken into account.
>
> We do not want to get a success back when the operation requested was
> not performed.
Ah yeah that's right, sorry, definitely not great.
So I guess our only other option is to add a new socket option, like
TCP_MD5SIG_EXT which would use the extended version of struct tcp_md5sig
from this patch. Is it justified for this feature, or do you see any
other way to achieve this?
Thanks,
--
Ivan Delalande
Arista Networks
Powered by blists - more mailing lists