Open Source and information security mailing list archives
Date: Wed, 19 Jun 2024 04:47:46 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>, 
 "Singhai, Anjali" <anjali.singhai@...el.com>, 
 "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Cc: Paolo Abeni <pabeni@...hat.com>, 
 "willemdebruijn.kernel@...il.com" <willemdebruijn.kernel@...il.com>, 
 Boris Pismenny <borisp@...dia.com>, 
 "gal@...dia.com" <gal@...dia.com>, 
 "cratiu@...dia.com" <cratiu@...dia.com>, 
 "rrameshbabu@...dia.com" <rrameshbabu@...dia.com>, 
 "steffen.klassert@...unet.com" <steffen.klassert@...unet.com>, 
 "tariqt@...dia.com" <tariqt@...dia.com>, 
 Jakub Kicinski <kuba@...nel.org>, 
 "Samudrala, Sridhar" <sridhar.samudrala@...el.com>, 
 "Acharya, Arun Kumar" <arun.kumar.acharya@...el.com>
Subject: Re: [RFC net-next 00/15] add basic PSP encryption for TCP connections

> > 3. About the PSP and UDP header addition, why is the driver doing it? I guess it's because the SW equivalent for PSP support in the kernel does not exist and it is just an offload for the device. Again in this case the assumption is either the driver does it or the device will do it.
> > Hope that is irrelevant for the stack. In our case most likely it will be the device doing it.
> > 
> > 4. Why is the driver adding the PSP trailer? Hoping this is between the driver and the device, in our case it's the device that will add the trailer.
> 
> This does not adhere to the spec:
> 
> "An option must be provided that enables upper-level software to send packets that are
> pre-formatted to include the headers required for PSP encapsulation. In this case, the
> NIC will modify the contents of the headers appropriately, apply
> encryption/authentication, and add the PSP trailer to the packet."
> 
> https://raw.githubusercontent.com/google/psp/main/doc/PSP_Arch_Spec.pdf

I responded to the wrong statement. This is in response to point 3.

In general, PSP can work in tunnel and transport mode. In transport
mode, it is here assumed not to be transparent, but under control of
the operating system. That inserts the outer encapsulation headers and
prepares all fields as it sees fit. E.g., using the inner 4-tuple as
entropy for the outer UDP source port, and selecting the right SPI.
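
An added example, not code from this RFC series, from the PSP spec or from any driver, of what the operating system would build in the non-transparent transport mode described above: the outer UDP header, with its source port derived from the inner 4-tuple, and the PSP header carrying the selected SPI, while encryption and the ICV trailer are left to the NIC as in the spec text quoted earlier. The byte layout of the PSP base header and the version value are my reading of PSP_Arch_Spec.pdf and are assumptions to verify against it; the per-boot hash key and the sample packet are constructed. The port derivation also accepts IPv6 addresses, which the message does not discuss.

```python
"""PSP-in-UDP encapsulation headers as an OS would prepend them in
transport mode, leaving encryption and the trailer to the NIC.

Constructed example. PSP header field layout and version value are
assumptions taken from my reading of PSP_Arch_Spec.pdf.
"""
import hashlib
import ipaddress
import os
import socket
import struct

PSP_UDP_DPORT = 1000   # UDP destination port assigned to PSP by the spec
PSP_ICV_LEN = 16       # length of the ICV trailer the NIC appends
PSP_VERSION = 0        # assumption: version value of the default AES-GCM-128 suite

# Flag bits of the fourth header byte, assumed layout: S | D | Ver(4) | V | 1
PSP_FL_SAMPLE = 0x80
PSP_FL_DROP = 0x40
PSP_FL_VIRT = 0x02     # virtualization cookie present (not used here)
PSP_FL_ONE = 0x01      # fixed bit, always set

# Constructed per-boot secret for the port hash (a real stack would use its
# own random flow-hash seed).
_PORT_KEY = os.urandom(16)


def outer_udp_sport(saddr, daddr, sport, dport, proto=socket.IPPROTO_TCP,
                    key=_PORT_KEY, lo=49152, hi=65535):
    """Derive the outer UDP source port from the inner 4-tuple plus protocol.

    Same flow -> same port, so ECMP and RSS keep one connection on one path
    and one queue; distinct flows spread over [lo, hi], the dynamic range.
    The hash is keyed: PSP encrypts the inner transport header, and an
    unkeyed hash would let an on-path observer confirm a guessed 4-tuple.
    """
    tup = (ipaddress.ip_address(saddr).packed
           + ipaddress.ip_address(daddr).packed
           + struct.pack("!HHB", sport, dport, proto))
    h = hashlib.blake2b(tup, key=key, digest_size=4).digest()
    return lo + int.from_bytes(h, "big") % (hi - lo + 1)


def psp_header(spi, iv, next_header=socket.IPPROTO_TCP, crypt_offset_words=0,
               sample=False, drop=False):
    """Build the 16-byte PSP base header (no virtualization cookie).

    crypt_offset_words: 4-byte words after the PSP header left in cleartext;
    0 encrypts from the first byte of the inner TCP header.
    iv: 8-byte per-packet value that must not repeat under one SPI's key.
    """
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI is a 32-bit field")
    if len(iv) != 8:
        raise ValueError("IV is 8 bytes")
    if not 0 <= crypt_offset_words <= 0x3F:
        raise ValueError("crypt offset is a 6-bit field")
    hdr_ext_len = 0  # 8-byte words beyond the base header; 0 without a VC
    flags = ((PSP_FL_SAMPLE if sample else 0) | (PSP_FL_DROP if drop else 0)
             | ((PSP_VERSION & 0xF) << 2) | PSP_FL_ONE)
    return struct.pack("!BBBBI", next_header, hdr_ext_len,
                       crypt_offset_words, flags, spi) + iv


def parse_psp_header(hdr):
    """Inverse of psp_header, used to check what was built."""
    nh, ext, off, flags, spi = struct.unpack("!BBBBI", hdr[:8])
    return {"next_header": nh, "hdr_ext_len": ext, "crypt_offset": off & 0x3F,
            "sample": bool(flags & PSP_FL_SAMPLE),
            "drop": bool(flags & PSP_FL_DROP),
            "version": (flags >> 2) & 0xF, "virt": bool(flags & PSP_FL_VIRT),
            "spi": spi, "iv": hdr[8:16]}


def encapsulate(inner_tcp, saddr, daddr, sport, dport, spi, iv_counter):
    """Prepend outer UDP and PSP headers to a cleartext TCP segment.

    This is the pre-formatted packet the spec text describes: the NIC then
    encrypts from the crypt offset, computes the ICV and appends the trailer,
    so the UDP length already accounts for the 16-byte trailer. The UDP
    checksum is left zero for the NIC to fill, since the spec lets it rewrite
    header fields.
    """
    iv = struct.pack("!Q", iv_counter)   # per-SA counter, never reused
    psp = psp_header(spi, iv)
    udp_len = 8 + len(psp) + len(inner_tcp) + PSP_ICV_LEN
    udp = struct.pack("!HHHH", outer_udp_sport(saddr, daddr, sport, dport),
                      PSP_UDP_DPORT, udp_len, 0)
    return udp + psp + inner_tcp
```

The SPI is passed in rather than chosen here: which SPI to use is a property of the security association the stack negotiated for this peer, and the IV counter has to be kept per SPI so that no (SPI, IV) pair is ever reused under the same key.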
