Message-ID: <aGdrCYtJ5oe3NI7i@gauss3.secunet.de>
Date: Fri, 4 Jul 2025 07:47:53 +0200
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Erwan Dufour <erwan.dufour@...hings.com>
CC: Hangbin Liu <liuhangbin@...il.com>, Erwan Dufour <mrarmonius@...il.com>,
	<netdev@...r.kernel.org>, <herbert@...dor.apana.org.au>,
	<davem@...emloft.net>, <jv@...sburgh.net>, <saeedm@...dia.com>,
	<tariqt@...dia.com>, Cosmin Ratiu <cratiu@...dia.com>
Subject: Re: [PATCH] [PATH xfrm offload] xfrm: bonding: Add xfrm packet
 offload for active-backup mode

On Thu, Jul 03, 2025 at 01:58:36AM +0200, Erwan Dufour wrote:
> Hi Liu,
> 
> Thanks for your explanation. Unfortunately, the alignment still does not work.
> 
> With pleasure. Thank you very much for providing an example with an
> explanation.
> Hopefully, there were no mistakes and I managed to correct all the errors
> in the new patch.
> 
> New Patch:
> 
> >From 39639cf83712b13271fc3d8bbe3f4d9cd0b38db6 Mon Sep 17 00:00:00 2001
> From: Erwan Dufour <erwan.dufour@...hings.com>
> Date: Wed, 2 Jul 2025 22:12:10 +0000
> Subject: [PATCH net-next] xfrm: bonding: Add xfrm packet offload for
>  active-backup mode
> 
> Implement XFRM policy offload functions for bond device in active-backup mode.
>  - xdo_dev_policy_add = bond_ipsec_add_sp
>  - xdo_dev_policy_delete = bond_ipsec_del_sp
>  - xdo_dev_policy_free = bond_ipsec_free_sp

We should not add further xfrm offloads to bonding as long
as the security issues are not solved. Moving an already
used SA from one device to another can lead to IV reusage,
as discussed here:

https://lore.kernel.org/all/ZsbkdzvjVf3GiYHa@gauss3.secunet.de/

This should be fixed before we add another offload.
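
The failure mode named in the reply above, as an added example that is not part of the original message and is not kernel or driver code. It assumes each offload device keeps the per-SA IV counter in its own hardware state; `dev_sa`, `failover`, `simulate` and the toy keystream are hypothetical names used only for this model.

```c
#include <stdint.h>

/* Hypothetical model, not kernel or driver code. Assumption: each offload
 * device keeps the per-SA IV counter in its own hardware state. */
struct dev_sa { uint64_t next_iv; };

/* Toy keystream standing in for AES-GCM counter mode; the only property
 * used is that the same key and IV always give the same keystream. */
static uint64_t keystream(uint64_t key, uint64_t iv)
{
    uint64_t z = (key ^ iv) * 0x9E3779B97F4A7C15ULL;
    return z ^ (z >> 29);
}

/* carry_state = 0: SA is programmed into the backup device from scratch;
 * carry_state = 1: the IV counter is handed over with the SA. */
static void failover(const struct dev_sa *from, struct dev_sa *to, int carry_state)
{
    to->next_iv = carry_state ? from->next_iv : 1;
}

/* Send `before` packets on the active device, fail over, send `after` more.
 * Returns the number of backup packets whose IV was already used under the
 * same key; *xor_leak is set when such a pair has c1 ^ c2 == p1 ^ p2. */
int simulate(int carry_state, int before, int after, int *xor_leak)
{
    const uint64_t key = 0x0123456789ABCDEFULL; /* constructed sample key */
    uint64_t iv[64], pt[64], ct[64];
    struct dev_sa active = { 1 }, backup = { 0 }, *dev = &active;
    int reused = 0;

    *xor_leak = 0;
    if (before < 0 || after < 0 || before + after > 64)
        return -1;
    for (int n = 0; n < before + after; n++) {
        if (n == before) {
            failover(&active, &backup, carry_state);
            dev = &backup;
        }
        iv[n] = dev->next_iv++;
        pt[n] = 0x1000 + (uint64_t)n; /* constructed payload */
        ct[n] = pt[n] ^ keystream(key, iv[n]);
        for (int j = 0; n >= before && j < before; j++)
            if (iv[j] == iv[n]) {
                reused++;
                *xor_leak |= (ct[j] ^ ct[n]) == (pt[j] ^ pt[n]);
            }
    }
    return reused;
}
```

With five packets before failover and three after, `simulate(0, 5, 3, &leak)` reports three reused IVs and sets `leak`, while `simulate(1, 5, 3, &leak)` reports none.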
