lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 May 2019 11:42:03 -0700
From:   Jakub Kicinski <jakub.kicinski@...ronome.com>
To:     Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc:     Boris Pismenny <borisp@...lanox.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "oss-drivers@...ronome.com" <oss-drivers@...ronome.com>,
        "davejwatson@...com" <davejwatson@...com>,
        "john.fastabend@...il.com" <john.fastabend@...il.com>,
        "vakul.garg@....com" <vakul.garg@....com>,
        Alexei Starovoitov <ast@...nel.org>,
        Tariq Toukan <tariqt@...lanox.com>
Subject: Re: [PATCH net 3/3] Documentation: add TLS offload documentation

On Thu, 16 May 2019 11:13:47 -0700, Alexei Starovoitov wrote:
> On Thu, May 16, 2019 at 10:57 AM Jakub Kicinski wrote:
> >
> >   The preferred method of reporting the Layer 4 (TCP) checksum offload
> >   for packets decrypted by the device is to update the checksum field
> >   to the correct value for clear text and report CHECKSUM_UNNECESSARY
> >   or CHECKSUM_COMPLETE computed over clear text. However, the exact
> >   semantics of RX checksum offload when NIC performs data modification
> >   are not clear and subject to change.  
> 
> when host is consuming the tcp stream I don't see the value of
> tcp checksum on top tls.
> In that sense CHECKSUM_UNNECESSARY is fine and no
> need to update checksum field.
> Even in case of sockmap and tcp stream redirect it is still fine.
> Only the tcp payload being redirected to a different tcp socket
> and the headers are gone.
> So imo in all cases CHECKSUM_UNNECESSARY is fine
> even without adjustment to checksum field.

No question that CHECKSUM_UNNECESSARY currently works.  
But it's not "entirely" correct without the header fixup?
Device modifies the data - it should fix up the checksum.

I was trying (unsuccessfully) to hint at the fact that it's okay 
today to leave the checksum be, but at the same time if someone 
is designing new HW or has the ability to fix this up in microcode
I think the TCP csum should be fixed..

Maybe like this?

  The preferred method of reporting the Layer 4 (TCP) checksum offload
  for packets decrypted by the device is to update the checksum field
  to the correct value for clear text and report CHECKSUM_UNNECESSARY
  or CHECKSUM_COMPLETE computed over clear text. 

  Some existing devices may report CHECKSUM_UNNECESSARY without fixing
  the checksum field, which currently functions correctly but is not
  in line with the exact semantics of RX checksum offload. Such devices
  must make sure that RXCSUM offload is always enabled for TLS offloaded
  flows.

> Obviously the hw/firmware should have checked tcp csum before doing decrypt.

Ah, that is definitely worth stating, will add!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ