Message-ID: <ZNpMR8nYKlIP9JQw@hog>
Date: Mon, 14 Aug 2023 17:46:15 +0200
From: Sabrina Dubroca <sd@...asysnail.net>
To: Jakub Kicinski <kuba@...nel.org>
Cc: netdev@...r.kernel.org, Vadim Fedorenko <vfedorenko@...ek.ru>,
	Frantisek Krenzelok <fkrenzel@...hat.com>,
	Kuniyuki Iwashima <kuniyu@...zon.com>,
	Apoorv Kothari <apoorvko@...zon.com>,
	Boris Pismenny <borisp@...dia.com>,
	John Fastabend <john.fastabend@...il.com>,
	Shuah Khan <shuah@...nel.org>, linux-kselftest@...r.kernel.org,
	Gal Pressman <gal@...dia.com>,
	Marcel Holtmann <marcel@...tmann.org>
Subject: Re: [PATCH net-next v3 3/6] tls: implement rekey for TLS1.3

2023-08-14, 08:21:28 -0700, Jakub Kicinski wrote:
> On Mon, 14 Aug 2023 17:06:10 +0200 Sabrina Dubroca wrote:
> > 2023-08-11, 18:43:47 -0700, Jakub Kicinski wrote:
> > > On Wed,  9 Aug 2023 14:58:52 +0200 Sabrina Dubroca wrote:  
> > > >  			TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXSW);
> > > >  			TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRRXSW);
> > > >  			conf = TLS_SW;  
> > > 
> > > Should we add a statistic for rekeying?  
> > 
> > Hmpf, at least I shouldn't be incrementing the existing stats on every
> > update, especially not TLSCURR* :/
> > 
> > I don't see much benefit in tracking successful rekeys. Failed rekeys
> > seem more interesting to me. What would we get from counting successful
> > rekeys?
> 
> No huge benefit from counting rekeys, the main (only?) one I see is
> that when user reports issues we can see whether rekeys were involved
> (given that they are fairly rare). It could help narrow down triage.

Ok. So unless you object I'll add 4 more counters: {RX,TX}REKEY{OK,ERROR}.

And it probably shouldn't be "rekey" in case we decide to implement
full 1.2 renegotiation (with cipher change) and use the same
counter. Or 1.2 renegotiation without cipher change gets to use the
rekey counters, and cipher change would get a new set of counters.

I could also just call them *UPDATE* but that might be a bit too
vague.

-- 
Sabrina
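As an added illustration of the bookkeeping the thread settles on (not code from the patch series or the kernel), the following user-space model mirrors the kernel's TLS MIB counter style: the TLSCURR* entries are gauges that track sockets currently configured, the TLS{TX,RX}SW entries count configuration events, and a rekey only touches the proposed {RX,TX}REKEY{OK,ERROR} counters, never the CURR gauges. The enum names with the MIB_ prefix, the TLS_INC_STATS/TLS_DEC_STATS macros operating on a plain array, and the tls_sw_* functions are assumptions made for this example; the REKEY counter names are taken from the proposal in the message above and are not established kernel identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Assumed names modelled on the kernel's LINUX_MIB_TLS* enum. The *REKEY*
 * entries are the four counters proposed in the thread, not kernel API. */
enum tls_mib {
	MIB_TLSCURRTXSW,      /* gauge: sockets currently using SW TX */
	MIB_TLSCURRRXSW,      /* gauge: sockets currently using SW RX */
	MIB_TLSTXSW,          /* event: SW TX configured on a socket */
	MIB_TLSRXSW,          /* event: SW RX configured on a socket */
	MIB_TLSTXREKEYOK,     /* proposed: TX rekey applied successfully */
	MIB_TLSTXREKEYERROR,  /* proposed: TX rekey failed */
	MIB_TLSRXREKEYOK,     /* proposed: RX rekey applied successfully */
	MIB_TLSRXREKEYERROR,  /* proposed: RX rekey failed */
	MIB_TLS_MAX
};

/* Single global array standing in for the kernel's per-netns SNMP counters. */
static unsigned long tls_stats[MIB_TLS_MAX];

#define TLS_INC_STATS(field) (tls_stats[(field)]++)
#define TLS_DEC_STATS(field) (tls_stats[(field)]--)

enum tls_dir { TLS_TX, TLS_RX };

/* Initial key install: bumps the lifetime event counter and the CURR gauge. */
static void tls_sw_setup(enum tls_dir dir)
{
	if (dir == TLS_TX) {
		TLS_INC_STATS(MIB_TLSTXSW);
		TLS_INC_STATS(MIB_TLSCURRTXSW);
	} else {
		TLS_INC_STATS(MIB_TLSRXSW);
		TLS_INC_STATS(MIB_TLSCURRRXSW);
	}
}

/* Socket teardown: only the CURR gauge goes back down. */
static void tls_sw_close(enum tls_dir dir)
{
	TLS_DEC_STATS(dir == TLS_TX ? MIB_TLSCURRTXSW : MIB_TLSCURRRXSW);
}

/* Key update on an already configured socket. Unlike the initial setup it
 * must not touch TLSCURR* (the socket count did not change) nor TLS{TX,RX}SW
 * (no new configuration happened); it records success or failure separately
 * per direction. install_ok stands in for the result of installing the new
 * key; a real implementation would derive it from the cipher setup code. */
static int tls_sw_rekey(enum tls_dir dir, int install_ok)
{
	if (install_ok)
		TLS_INC_STATS(dir == TLS_TX ? MIB_TLSTXREKEYOK : MIB_TLSRXREKEYOK);
	else
		TLS_INC_STATS(dir == TLS_TX ? MIB_TLSTXREKEYERROR : MIB_TLSRXREKEYERROR);
	return install_ok ? 0 : -1;
}

static unsigned long tls_stat_get(enum tls_mib field)
{
	return tls_stats[field];
}

static void tls_stats_reset(void)
{
	memset(tls_stats, 0, sizeof(tls_stats));
}

/* Triage helper in the spirit of the thread: when a user reports a problem,
 * a non-zero answer tells you rekeys were involved at all. */
static int tls_rekeys_seen(void)
{
	return (tls_stats[MIB_TLSTXREKEYOK] + tls_stats[MIB_TLSTXREKEYERROR] +
		tls_stats[MIB_TLSRXREKEYOK] + tls_stats[MIB_TLSRXREKEYERROR]) > 0;
}

int main(void)
{
	static const char *names[MIB_TLS_MAX] = {
		"TlsCurrTxSw", "TlsCurrRxSw", "TlsTxSw", "TlsRxSw",
		"TlsTxRekeyOk", "TlsTxRekeyError", "TlsRxRekeyOk", "TlsRxRekeyError",
	};
	int i;

	/* Constructed scenario: one RX socket, one good and one failed rekey. */
	tls_sw_setup(TLS_RX);
	tls_sw_rekey(TLS_RX, 1);
	tls_sw_rekey(TLS_RX, 0);
	tls_sw_close(TLS_RX);

	for (i = 0; i < MIB_TLS_MAX; i++)
		printf("%-20s %lu\n", names[i], tls_stat_get(i));
	printf("rekeys seen: %s\n", tls_rekeys_seen() ? "yes" : "no");
	return 0;
}
```

After the scenario in main, the CURR gauge is back to zero while TlsRxSw stays at 1 and the two rekey counters each read 1, which is exactly the separation the thread asks for: rekeys are visible for triage without distorting the "currently configured" figures.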

