lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 31 May 2024 08:09:04 +0200
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>
CC: Paul Wouters <paul@...ats.ca>, Jakub Kicinski <kuba@...nel.org>,
	<netdev@...r.kernel.org>, <pabeni@...hat.com>, <borisp@...dia.com>,
	<gal@...dia.com>, <cratiu@...dia.com>, <rrameshbabu@...dia.com>,
	<tariqt@...dia.com>
Subject: Re: [RFC net-next 00/15] add basic PSP encryption for TCP connections

On Tue, May 28, 2024 at 09:49:34AM -0400, Willem de Bruijn wrote:
> Steffen Klassert wrote:
> > On Wed, May 22, 2024 at 08:56:02AM -0400, Paul Wouters wrote:
> > > Jakub Kicinski wrote:
> > > 
> > > > Add support for PSP encryption of TCP connections.
> > > > 
> > > > PSP is a protocol out of Google:
> > > > https://github.com/google/psp/blob/main/doc/PSP_Arch_Spec.pdf
> > > > which shares some similarities with IPsec. I added some more info
> > > > in the first patch so I'll keep it short here.
> > > 
> > > Speaking as an IETF contributor, I am little surprised here. I know
> > > the google people reached out at IETF and were told their stuff is
> > > so similar to IPsec, maybe they should talk to the IPsecME Working
> > > Group. There, I believe Steffen Klassert started working on supporting
> > > the PSP features requested using updates to the ESP/WESP IPsec protocol,
> > > such as support for encryption offset to reveal protocol/ports for
> > > routing encrypted traffic.
> > 
> > This was somewhat semipublic information, so I did not talk about
> > it on the lists yet. Today we published the draft, it can be found here:
> > 
> > https://datatracker.ietf.org/doc/draft-klassert-ipsecme-wespv2/
> > 
> > Please note that the packet format specification is portable to other
> > protocol use cases, such as PSP. It uses IKEv2 as a negotiation
> > protocol and does not define any key derivation etc. as PSP does.
> > But it can be also used with other protocols for key negotiation
> > and key derivation.
> 
> Very nice. Thanks for posting, Steffen.
> 
> One point about why PSP is that the exact protocol and packet format
> is already in use and supported by hardware.
> 
> It makes sense to work to get to an IETF standard protocol that
> captures the same benefits. But that is independent from enabling what
> is already implemented.

Sure, PSP is already implemented in hardware and needs to be supported.
I don't want to judge if it was a good idea to start this without
talking to the IETF, but maybe now Google can join the effort at the
IETF do standardize a modern encryption protocol that meets all the
requirements we have these days. This will be likely on the agenda of
the next IETF IPsecME working group meeting, so would be nice to
see somebody from the Google 'PSP team' there.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ