lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 26 Feb 2020 08:12:31 +0000
From:   Igor Russkikh <irusskikh@...vell.com>
To:     Antoine Tenart <antoine.tenart@...tlin.com>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "David S . Miller" <davem@...emloft.net>,
        Mark Starovoytov <mstarovoitov@...vell.com>,
        "Dmitry Bogdanov" <dbogdanov@...vell.com>,
        "sd@...asysnail.net" <sd@...asysnail.net>
Subject: RE: [EXT] Re: [RFC 00/18] net: atlantic: MACSec support for AQC
 devices

> Hello Igor,
> 
> Thanks for sending this series!
> 
> Please Cc Sabrina Dubroca <sd@...asysnail.net> (the IEEE 802.1AE driver
> author) on such series.
> 
> Antoine


Hi Antoine, thanks for reviewing this, your comments are all correct, will respin.

I'd also like to stress on the following patch:

> > 1) patch 0008:
> >   multicast/broadcast when offloading is needed to handle ARP requests,
> >   because they have broadcast destination address;
> >   With this patch we also match and encrypt/decrypt packets between
> macsec
> >   hw and realdev based on device's mac address.
> >   This potentially can be used to support multiple macsec offloaded
> interfaces
> >   on top of one realdev.
> >   On some environments however this could lead to problems, e.g. bridge
> over
> >   macsec configuration will expect packets with unknown src MAC
> >   should come through macsec.
> >   The patch is questionable, we've used it because our current hw setup
> and
> >   requirements assumes decryption is only done based on mac address
> match.
> >   This could be changed by encrypting/decripting all the traffic (except
> control).

We now basically see two different approaches on macsec traffic routing between the devices.

If HW supports per mac decryption rules, this could be used to implement multiple secy channels, all offloaded.
But macsec code then should use dst MAC to route decrypted packets to the correct macsec device.

Another usecase we have to support in our system is having a bridge device on top of macsec device. To support this
we had to encrypt/decrypt all the traffic against the single macsec dev (i.e. unconditionally, without mac addr filtering).
And this imposes a limitation of having only a single secy.

Internally, we now separate these usecases basically by private module param (not in this patchset).

But it'd be good to hear from you and possibly other users if these are legitimate configurations and
if this somehow should be supported in the offloading API.

Regards,
  Igor

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ