| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 31 May 2024 10:46:45 -0400 From: Willem de Bruijn <willemdebruijn.kernel@...il.com> To: Steffen Klassert <steffen.klassert@...unet.com>, Willem de Bruijn <willemdebruijn.kernel@...il.com> Cc: Paul Wouters <paul@...ats.ca>, Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org, pabeni@...hat.com, borisp@...dia.com, gal@...dia.com, cratiu@...dia.com, rrameshbabu@...dia.com, tariqt@...dia.com Subject: Re: [RFC net-next 00/15] add basic PSP encryption for TCP connections Steffen Klassert wrote: > On Tue, May 28, 2024 at 09:49:34AM -0400, Willem de Bruijn wrote: > > Steffen Klassert wrote: > > > On Wed, May 22, 2024 at 08:56:02AM -0400, Paul Wouters wrote: > > > > Jakub Kicinski wrote: > > > > > > > > > Add support for PSP encryption of TCP connections. > > > > > > > > > > PSP is a protocol out of Google: > > > > > https://github.com/google/psp/blob/main/doc/PSP_Arch_Spec.pdf > > > > > which shares some similarities with IPsec. I added some more info > > > > > in the first patch so I'll keep it short here. > > > > > > > > Speaking as an IETF contributor, I am little surprised here. I know > > > > the google people reached out at IETF and were told their stuff is > > > > so similar to IPsec, maybe they should talk to the IPsecME Working > > > > Group. There, I believe Steffen Klassert started working on supporting > > > > the PSP features requested using updates to the ESP/WESP IPsec protocol, > > > > such as support for encryption offset to reveal protocol/ports for > > > > routing encrypted traffic. > > > > > > This was somewhat semipublic information, so I did not talk about > > > it on the lists yet. Today we published the draft, it can be found here: > > > > > > https://datatracker.ietf.org/doc/draft-klassert-ipsecme-wespv2/ > > > > > > Please note that the packet format specification is portable to other > > > protocol use cases, such as PSP. It uses IKEv2 as a negotiation > > > protocol and does not define any key derivation etc. as PSP does. > > > But it can be also used with other protocols for key negotiation > > > and key derivation. > > > > Very nice. Thanks for posting, Steffen. > > > > One point about why PSP is that the exact protocol and packet format > > is already in use and supported by hardware. > > > > It makes sense to work to get to an IETF standard protocol that > > captures the same benefits. But that is independent from enabling what > > is already implemented. > > Sure, PSP is already implemented in hardware and needs to be supported. > I don't want to judge if it was a good idea to start this without > talking to the IETF, but maybe now Google can join the effort at the > IETF do standardize a modern encryption protocol that meets all the > requirements we have these days. This will be likely on the agenda of > the next IETF IPsecME working group meeting, so would be nice to > see somebody from the Google 'PSP team' there. Sounds good. We'll try to have someone join the next WG meeting during IETF 120.
Powered by blists - more mailing lists