lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <m24jc7lt50.fsf@chopps.org>
Date: Thu, 11 Apr 2024 12:40:30 -0400
From: Christian Hopps <chopps@...pps.org>
To: Paul Wouters <paul@...ats.ca>
Cc: Leon Romanovsky <leon@...nel.org>, Antony Antony
 <antony.antony@...unet.com>, Steffen Klassert
 <steffen.klassert@...unet.com>, Herbert Xu <herbert@...dor.apana.org.au>,
 netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>, Eric
 Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo
 Abeni <pabeni@...hat.com>, Eyal Birger <eyal.birger@...il.com>, Nicolas
 Dichtel <nicolas.dichtel@...nd.com>, Sabrina Dubroca <sd@...asysnail.net>,
 devel@...ux-ipsec.org
Subject: Re: [devel-ipsec] [PATCH ipsec-next v10 1/3] xfrm: Add Direction to
 the SA in or out


Paul Wouters via Devel <devel@...ux-ipsec.org> writes:

> On Apr 11, 2024, at 07:41, Leon Romanovsky via Devel <devel@...ux-ipsec.org> wrote:
>>
>>
>> I asked it on one of the previous versions, but why do we need this limitation?
>> Update SA is actually add and delete, so if user wants to update
>> direction, it should be allowed.
>
> An SA can never change direction without dealing with updated SPIs. Logically,
> it makes no sense. Sure, if you treat SA’s as Linux lego bricks that can be
> turned into anything, then yeah why not. Why not turn the SA into block device
> or magic flute?
>
> If you keep to the RFC, an SA is uni directional. More things might apply too,
> eg the mode (transport vs tunnel) should not change, sequence numbers can only
> increase, etc.

I have to agree. When we add new direction specific attributes (e.g., iptfs send-rate, pkt-size, etc, for "out", reorder window size, drop-time for "in") changing direction would mean removing invalidating these attributes and possibly setting new different ones, deleting old send state adding new receive state, etc.. this doesn't feel like an SA update IMO, it feels like a new SA. I say we should apply KISS and just require a new SA for a different direction attribute.

Thanks,
Chris.


>
> Paul

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ