All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sabrina Dubroca <sd@queasysnail.net>
To: Paul Wouters <paul@nohats.ca>,
	Steffen Klassert <steffen.klassert@secunet.com>
Cc: Antony Antony <antony@phenome.org>,
	Nicolas Dichtel <nicolas.dichtel@6wind.com>,
	Antony Antony <antony.antony@secunet.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	netdev@vger.kernel.org, devel@linux-ipsec.org,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: Re: [devel-ipsec] [PATCH ipsec-next v6] xfrm: Add Direction to the SA in or out
Date: Thu, 11 Apr 2024 11:23:36 +0200	[thread overview]
Message-ID: <ZhesGJtMXk-PPtzz@hog> (raw)
In-Reply-To: <81b4f75c-5c43-8357-55ad-0ec28291d399@nohats.ca>

2024-04-10, 20:58:33 -0400, Paul Wouters wrote:
> On Wed, 10 Apr 2024, Antony Antony via Devel wrote:
> > > > Though supporting 0 is higly desired
> > > > feature and probably a hard to implement feature in xfrm code.
> > > 
> > > Why would it be hard for outgoing SAs? The replay window should never
> > > be used on those. And xfrm_replay_check_esn and xfrm_replay_check_bmp
> > > already have checks for 0-sized replay window.
> > 
> > That information comes from hall way talks with Steffen. I can't explain
> > it:) May be he can elaborate why 0 is not allowed with ESN.
> 
> With ESN, you use a 64 bit number but only send a 32 bit number over the
> wire. So you need to "track" the parts not being sent to do the proper
> packet authentication that uses the full 64bit number. The
> authentication bit is needed for encrypting and decrypting, so on both
> the incoming and outgoing SA.
> 
> AFAIK, this 64 bit number tracking is done using the replay-window code.
> That is why replay-window cannot be 0 when ESN is enabled in either
> direction of the SA.

It's in the replay-window code, but AFAICT it doesn't use the
replay_window variable at all (xfrm_output calls into the
xfrm_replay_overflow_* functions which only look at oseq, xfrm_input
calls the *check and *advance functions of xfrm_replay.c). So I think
we could accept an unset replay_window for an output SA.

> I have already poked Steffen it would be good to decouple ESN code from
> replay-window code, as often people want to benchmark highspeed links
> by disabling replay protection completely, but then they are also
> unwittingly disabling ESN and causing needing a rekey ever 2 minutes
> or so on a modern 100gbps ipsec link.
> 
> > strongSwan sets ESN and replay-window 1 on "out" SA.
> 
> It has to set a replay-window of non-zero or else ESN won't work.
> It is not related to migration AFAIK.
> 
> > For instance, there isn't a validation for unused XFRMA_SA_EXTRA_FLAGS in
> > DELSA; if set, it's simply ignored. Similarly, if XFRMA_SA_DIR were set in
> > DELSA, it would also be disregarded. Attempting to introduce validations for
> > DELSA and other methods seems like an extensive cleanup task. Do we consider
> > this level of validation within the scope of our current patch? It feels
> > like we are going too far.
> 
> Is there a way where rate limited logging can be introduced, so that
> userlands will clean up their use and after a few years change the API
> to not allow setting bogus values?

Yes, this is doable. Steffen, does that seem reasonable? (for example,
when XFRMA_REPLAY_THRESH is passed to NEWSA, or XFRMA_ALG_AEAD to
DELSA, etc)

(as part of a separate patchset of course)

-- 
Sabrina


  reply	other threads:[~2024-04-11  9:23 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-05 12:40 [PATCH ipsec-next v6] xfrm: Add Direction to the SA in or out Antony Antony
2024-04-05 13:31 ` Nicolas Dichtel
2024-04-05 21:56 ` Sabrina Dubroca
2024-04-06 12:36   ` [devel-ipsec] " Christian Hopps
2024-04-07  8:23   ` Antony Antony
2024-04-08 13:02     ` Sabrina Dubroca
2024-04-09 17:23       ` Antony Antony
2024-04-10  8:56         ` Sabrina Dubroca
2024-04-10 16:59           ` Antony Antony
2024-04-10 21:41             ` Christian Hopps
2024-04-11  0:58             ` Paul Wouters
2024-04-11  9:23               ` Sabrina Dubroca [this message]
2024-04-11 11:03                 ` Steffen Klassert
2024-04-11  9:24             ` Sabrina Dubroca
2024-04-11 10:36               ` Antony Antony
2024-04-11 20:14                 ` Sabrina Dubroca
2024-04-11 10:57             ` Steffen Klassert
2024-04-10  6:27       ` Nicolas Dichtel
2024-04-10  7:26         ` Sabrina Dubroca

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZhesGJtMXk-PPtzz@hog \
    --to=sd@queasysnail.net \
    --cc=antony.antony@secunet.com \
    --cc=antony@phenome.org \
    --cc=davem@davemloft.net \
    --cc=devel@linux-ipsec.org \
    --cc=edumazet@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=nicolas.dichtel@6wind.com \
    --cc=pabeni@redhat.com \
    --cc=paul@nohats.ca \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.