lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20191015082424.GA435630@bistromath.localdomain>
Date:   Tue, 15 Oct 2019 10:24:24 +0200
From:   Sabrina Dubroca <sd@...asysnail.net>
To:     David Miller <davem@...emloft.net>
Cc:     netdev@...r.kernel.org, herbert@...dor.apana.org.au,
        steffen.klassert@...unet.com
Subject: Re: [PATCH net-next v4 0/6] ipsec: add TCP encapsulation support
 (RFC 8229)

2019-10-14, 14:43:27 -0400, David Miller wrote:
> From: Sabrina Dubroca <sd@...asysnail.net>
> Date: Fri, 11 Oct 2019 16:57:23 +0200
> 
> > This patchset introduces support for TCP encapsulation of IKE and ESP
> > messages, as defined by RFC 8229 [0]. It is an evolution of what
> > Herbert Xu proposed in January 2018 [1] that addresses the main
> > criticism against it, by not interfering with the TCP implementation
> > at all. The networking stack now has infrastructure for this: TCP ULPs
> > and Stream Parsers.
> 
> So this will bring up a re-occurring nightmare in that now we have another
> situation where stacking ULPs would be necessary (kTLS over TCP encap) and
> the ULP mechanism simply can't do this.
> 
> Last time this came up, it had to do with sock_map.  No way could be found
> to stack ULPs properly, so instead sock_map was implemented via something
> other than ULPs.
> 
> I fear we have the same situation here again and this issue must be
> addressed before these patches are included.
> 
> Thanks.

I don't think there's any problem here. We're not stacking ULPs on the
same socket. There's a TCP encap socket for IPsec, which belongs to
the IKE daemon. The traffic on that socket is composed of IKE messages
and ESP packets. Then there's whatever userspace sockets (doesn't have
to be TCP), and the whole IPsec and TCP encap is completely invisible
to them.

Where we would probably need ULP stacking is if we implement ESP over
TLS [1], but we're not there.

[1] https://tools.ietf.org/html/rfc8229#appendix-A

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ