From: Jakub Kicinski <kuba@kernel.org>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: netdev@vger.kernel.org, Vadim Fedorenko <vfedorenko@novek.ru>,
Frantisek Krenzelok <fkrenzel@redhat.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Apoorv Kothari <apoorvko@amazon.com>,
Boris Pismenny <borisp@nvidia.com>,
John Fastabend <john.fastabend@gmail.com>,
Shuah Khan <shuah@kernel.org>,
linux-kselftest@vger.kernel.org, Gal Pressman <gal@nvidia.com>,
Marcel Holtmann <marcel@holtmann.org>
Subject: Re: [PATCH net-next v2 0/5] tls: implement key updates for TLS1.3
Date: Wed, 15 Feb 2023 11:10:20 -0800 [thread overview]
Message-ID: <20230215111020.0c843384@kernel.org> (raw)
In-Reply-To: <Y+0Wjrc9shLkH+Gg@hog>
On Wed, 15 Feb 2023 18:29:50 +0100 Sabrina Dubroca wrote:
> > And how will we handle re-keying in offload?
>
> Sorry for the stupid question... do you mean that I need to solve that
> problem before this series can progress, or that the cover letter
> should summarize the state of the discussion?
I maintain that 1.3 offload is much more important than rekeying.
Offloads being available for 1.2 may be stalling adoption of 1.3
(just a guess, I run across this article mentioning 1.2 being used
in Oracle cloud for instance:
https://blogs.oracle.com/cloudsecurity/post/how-oci-helps-you-protect-data-with-default-encryption
could be because MITM requirements, or maybe they have HW which
can only do 1.2? Dunno).
But I'm willing to compromise, we just need a solid plan of how to
handle the inevitable. I'm worried that how this will pay out is:
- you don't care about offload and add rekey
- vendors don't care about rekey and add 1.3
... time passes ...
- both you and the vendors have moved on
- users run into issues, waste their time debugging and
eventually report the problem upstream
- it's on me to fix?
:(
next prev parent reply other threads:[~2023-02-15 19:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-14 11:17 [PATCH net-next v2 0/5] tls: implement key updates for TLS1.3 Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 1/5] tls: remove tls_context argument from tls_set_sw_offload Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 2/5] tls: block decryption when a rekey is pending Sabrina Dubroca
2023-02-15 5:09 ` Jakub Kicinski
2023-02-15 17:37 ` Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 3/5] tls: implement rekey for TLS1.3 Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 4/5] selftests: tls: add key_generation argument to tls_crypto_info_init Sabrina Dubroca
2023-02-14 11:17 ` [PATCH net-next v2 5/5] selftests: tls: add rekey tests Sabrina Dubroca
2023-02-15 5:08 ` [PATCH net-next v2 0/5] tls: implement key updates for TLS1.3 Jakub Kicinski
2023-02-15 17:29 ` Sabrina Dubroca
2023-02-15 19:10 ` Jakub Kicinski [this message]
2023-02-15 23:23 ` Sabrina Dubroca
2023-02-16 3:57 ` Jakub Kicinski
2023-02-16 16:23 ` Sabrina Dubroca
2023-02-22 3:19 ` Jakub Kicinski
2023-02-23 16:27 ` Sabrina Dubroca
2023-02-23 17:29 ` Jakub Kicinski
2023-03-13 15:41 ` Sabrina Dubroca
2023-03-13 18:35 ` Jakub Kicinski
2023-03-22 16:10 ` Sabrina Dubroca
2023-03-22 19:43 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230215111020.0c843384@kernel.org \
--to=kuba@kernel.org \
--cc=apoorvko@amazon.com \
--cc=borisp@nvidia.com \
--cc=fkrenzel@redhat.com \
--cc=gal@nvidia.com \
--cc=john.fastabend@gmail.com \
--cc=kuniyu@amazon.com \
--cc=linux-kselftest@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
--cc=shuah@kernel.org \
--cc=vfedorenko@novek.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.