lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230714203258.GL41919@unreal>
Date: Fri, 14 Jul 2023 23:32:58 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Saeed Mahameed <saeedm@...dia.com>, Jianbo Liu <jianbol@...dia.com>,
	Eric Dumazet <edumazet@...gle.com>, Mark Bloch <mbloch@...dia.com>,
	netdev@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>,
	"David S . Miller" <davem@...emloft.net>,
	Simon Horman <simon.horman@...igine.com>
Subject: Re: [PATCH net-next 09/12] net/mlx5: Compare with old_dest param to
 modify rule destination

On Fri, Jul 14, 2023 at 12:16:33PM -0700, Jakub Kicinski wrote:
> On Fri, 14 Jul 2023 21:40:13 +0300 Leon Romanovsky wrote:
> > > > In theory, we support any order, but in real life I don't think that TC
> > > > before IPsec is really valuable.  
> > > 
> > > I asked the question poorly. To clearer, you're saying that:
> > > 
> > > a)  host <-> TC <-> IPsec <-> "wire"/switch
> > >   or
> > > b)  host <-> IPsec <-> TC <-> "wire"/switch
> > > 
> > > ?  
> > 
> > It depends on configuration order, if user configures TC first, it will
> > be a), if he/she configures IPsec first, it will be b).
> > 
> > I just think that option b) is really matters.
> 
> And only b) matches what happens in the kernel with policy based IPsec,
> right? 

Can you please clarify what do you mean "policy based IPsec"?

> So can we reject a) from happening? 

Technically yes.

> IIUC what you're saying -
> the result depending on order of configuration may be a major source
> of surprises / hard to debug problems for the user.

When I reviewed patches, I came exactly to an opposite conclusion :)

My rationale was that users who configure IPsec and TC are advanced
users who knows their data flow and if they find a) option valuable,
they can do it.

For example, a) allows to limit amount of data sent to IPsec engine.

I believe both a) and b) should be supported.

Thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ