From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Tom Herbert <tom@herbertland.com>,
netdev@vger.kernel.org, davem@davemloft.net,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-team@fb.com
Subject: Re: [RFC PATCH 2/2] Crypto kernel tls socket
Date: Mon, 23 Nov 2015 16:59:06 -0500 [thread overview]
Message-ID: <20151123215906.GH30089@oracle.com> (raw)
In-Reply-To: <20151123214312.GA2319382@devbig217.prn1.facebook.com>
On (11/23/15 13:43), Dave Watson wrote:
>
> For kcm, opfd is the fd you would pass along in kcm_attach.
> For rds, it looks like you'd want to use opfd as the sock instead of
> the new one created by sock_create_kern in rds_tcp_conn_connect.
I see.
It's something to consider, and it would certainly secure the
RDS header and app data, but TLS by itself may not be
enough- we'd need to protect the TCP control plane as well, and
at the moment, I'm finding that even using esp-null (or AO, or MD5,
for that matter) means that I lose GSO, and perf tanks. I'll try to
put all my data together for this for netdev 1.1.
> > E.g., if I get a cipher-suite request outside the aes-ni, what would
> > happen (punt to uspace?)
> >
> > --Sowmini
>
> Right, bind() would fail and you would fallback to uspace.
That's the approach that Solaris KSSL took, back in 1999. It quickly
became obsolete, again more details in netdev 1.1.
--Sowmini
next prev parent reply other threads:[~2015-11-23 21:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-23 17:42 [RFC PATCH 0/2] Crypto kernel TLS socket Dave Watson
2015-11-23 17:42 ` [RFC PATCH 1/2] Crypto support aesni rfc5288 Dave Watson
2015-11-24 10:30 ` Herbert Xu
2015-11-23 17:43 ` [RFC PATCH 2/2] Crypto kernel tls socket Dave Watson
2015-11-23 19:27 ` Sowmini Varadhan
2015-11-23 21:43 ` Dave Watson
2015-11-23 21:59 ` Sowmini Varadhan [this message]
2015-11-24 10:34 ` Herbert Xu
2015-11-24 11:00 ` Stephan Mueller
2015-11-24 11:20 ` Hannes Frederic Sowa
2015-11-24 11:50 ` Sowmini Varadhan
2015-11-24 11:54 ` Phil Sutter
2015-11-24 12:36 ` Stephan Mueller
2015-11-24 12:37 ` Stephan Mueller
2015-11-23 19:10 ` [RFC PATCH 0/2] Crypto kernel TLS socket Hannes Frederic Sowa
2016-01-11 15:12 ` Nikos Mavrogiannopoulos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151123215906.GH30089@oracle.com \
--to=sowmini.varadhan@oracle.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kernel-team@fb.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tom@herbertland.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.