Re: [PATCH iproute2-next] man8: ip-sr: Document that passphrase must be high-entropy

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers@kernel.org>
To: netdev@vger.kernel.org, David Ahern <dsahern@gmail.com>,
	Stephen Hemminger <stephen@networkplumber.org>
Cc: Andrea Mayer <andrea.mayer@uniroma2.it>,
	David Lebrun <dlebrun@google.com>
Subject: Re: [PATCH iproute2-next] man8: ip-sr: Document that passphrase must be high-entropy
Date: Fri, 15 Aug 2025 20:16:40 -0700	[thread overview]
Message-ID: <20250816031640.GA1309@sol> (raw)
In-Reply-To: <20250816030129.474797-1-ebiggers@kernel.org>

On Fri, Aug 15, 2025 at 08:01:29PM -0700, Eric Biggers wrote:
> 'ip sr hmac set' takes a newline-terminated "passphrase", but it fails
> to stretch it.  The "passphrase" actually gets used directly as the key.
> This makes it difficult to use securely.
> 
> I recommend deprecating this command and replacing it with a command
> that either stretches the passphrase or explicitly takes a key instead
> of a passphrase.  But for now, let's at least document this pitfall.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>  man/man8/ip-sr.8 | 20 ++++++++++++++++----
>  1 file changed, 16 insertions(+), 4 deletions(-)

Sorry, please disregard this version.  I had a (small) unstaged change
that I meant to include.  I'll send v2 with it included.

- Eric

     prev parent reply	other threads:[~2025-08-16  3:17 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-16  3:01 [PATCH iproute2-next] man8: ip-sr: Document that passphrase must be high-entropy Eric Biggers
2025-08-16  3:16 ` Eric Biggers [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250816031640.GA1309@sol \
    --to=ebiggers@kernel.org \
    --cc=andrea.mayer@uniroma2.it \
    --cc=dlebrun@google.com \
    --cc=dsahern@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=stephen@networkplumber.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.