| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 Sep 2022 08:57:07 +0000
From: Emeel Hakim <ehakim@...dia.com>
To: Sabrina Dubroca <sd@...asysnail.net>
CC: "dsahern@...nel.org" <dsahern@...nel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Raed Salem <raeds@...dia.com>, Tariq Toukan <tariqt@...dia.com>
Subject: RE: [PATCH main v4 1/2] macsec: add Extended Packet Number support
> -----Original Message-----
> From: Sabrina Dubroca <sd@...asysnail.net>
> Sent: Sunday, 11 September 2022 11:35
> To: Emeel Hakim <ehakim@...dia.com>
> Cc: dsahern@...nel.org; netdev@...r.kernel.org; Raed Salem
> <raeds@...dia.com>; Tariq Toukan <tariqt@...dia.com>
> Subject: Re: [PATCH main v4 1/2] macsec: add Extended Packet Number support
>
> External email: Use caution opening links or attachments
>
>
> 2022-09-08, 13:53:37 +0300, Emeel Hakim wrote:
> > This patch adds support for extended packet number (XPN).
> > XPN can be configured by passing 'xpn on' as part of the ip
>
> "cipher ..."
Ack , will send V5
> > link add command using macsec type.
> > In addition, using 'xpn' keyword instead of the 'pn', passing a 12
> > bytes salt using the 'salt' keyword and passing short secure channel
> > id (ssci) using the 'ssci' keyword as part of the ip macsec command is
> > required (see example).
> >
> > e.g:
> >
> > create a MACsec device on link eth0 with enabled xpn
> > # ip link add link eth0 macsec0 type macsec port 11
> > encrypt on xpn on
>
> cipher ...
Ack , will send V5
> [...]
> > @@ -392,9 +439,21 @@ static int do_modify_nl(enum cmd c, enum
> macsec_nl_commands cmd, int ifindex,
> > addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an);
> >
> > if (c != CMD_DEL) {
> > - if (sa->pn)
> > - addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
> > - sa->pn);
> > + if (sa->xpn) {
> > + if (sa->pn.pn64)
> > + addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
> > + sa->pn.pn64);
> > + if (sa->salt[0] != '\0')
>
> if (sa->salt_set)
>
> > + addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
> > + sa->salt, MACSEC_SALT_LEN);
> > + if (sa->ssci != 0)
>
> if (sa->ssci_set)
>
> > + addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
> > + sa->ssci);
> > + } else {
> > + if (sa->pn.pn32)
> > + addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
> > + sa->pn.pn32);
> > + }
>
> [...]
> > @@ -1251,6 +1339,7 @@ static void usage(FILE *f)
> > " [ send_sci { on | off } ]\n"
> > " [ end_station { on | off } ]\n"
> > " [ scb { on | off } ]\n"
> > + " [ xpn { on | off } ]\n"
>
> That should be the new "cipher" options instead of "xpn on/off".
Ack , will send V5
> > " [ protect { on | off } ]\n"
> > " [ replay { on | off} window { 0..2^32-1 } ]\n"
> > " [ validate { strict | check | disabled } ]\n"
>
> --
> Sabrina
Powered by blists - more mailing lists