From: Wilfred Mallawa <wilfred.opensource@gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>,
alistair.francis@wdc.com, dlemoal@kernel.org,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, donald.hunter@gmail.com,
corbet@lwn.net, kbusch@kernel.org, axboe@kernel.dk, hch@lst.de,
sagi@grimberg.me, kch@nvidia.com, borisp@nvidia.com,
john.fastabend@gmail.com, jlayton@kernel.org, neil@brown.name,
okorniev@redhat.com, Dai.Ngo@oracle.com, tom@talpey.com,
trondmy@kernel.org, anna@kernel.org,
kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Subject: Re: [RFC 0/4] net/tls: add support for the record size limit extension
Date: Thu, 07 Aug 2025 10:14:14 +1000 [thread overview]
Message-ID: <7af292c6bb2c42cead77202a9034fcb6111b898c.camel@gmail.com> (raw)
In-Reply-To: <96ca4de7-d647-47ac-b42f-d76284394526@oracle.com>
Hey Chuck,
On Tue, 2025-07-29 at 09:37 -0400, Chuck Lever wrote:
> Hi Wilfred -
>
> On 7/28/25 10:41 PM, Wilfred Mallawa wrote:
> > From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
> >
> > During a tls handshake, an endpoint may specify a maximum record
> > size limit. As
> > specified by [1]. which allows peers to negotiate a maximum
> > plaintext record
> > size during the TLS handshake. If a TLS endpoint receives a record
> > larger
> > than its advertised limit, it must send a fatal "record_overflow"
> > alert [1].
> > Currently, this limit is not visble to the kernel, particularly in
> > the case
> > where userspace handles the handshake (tlshd/gnutls).
>
> This paragraph essentially says "The spec says we can, so I'm
> implementing it". Generally we don't implement spec features just
> because they are there.
>
> What we reviewers need instead is a problem statement. What is not
> working for you, and why is this the best way to solve it?
Thanks for the feedback.
Essentially, this is to support upcoming WD NVMe-TCP controller that
implements TLS support. These devices require record size negotiation
as they support a maximum record size less than the current kernel
default. I will add this to my V2 series in more detail.
>
>
> > This series in conjunction with the respective userspace changes
> > for tlshd [2]
> > and gnutls [3], adds support for the kernel the receive the
> > negotiated record
> > size limit through the existing netlink communication layer, and
> > use this
> > value to limit outgoing records to the size specified.
>
> As Hannes asked elsewhere, why is it up to the TLS consumer to be
> aware of this limit? Given the description here, it sounds to me
> like something that should be handled for all consumers by the TLS
> layer.
Yeah great point, I didn't think it through too well. I will address
this in V2 and have the record size limit implemented in the TLS layer
without involving ULPs.
Regards,
Wilfred
prev parent reply other threads:[~2025-08-07 0:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-29 2:41 [RFC 0/4] net/tls: add support for the record size limit extension Wilfred Mallawa
2025-07-29 2:41 ` [RFC 1/4] net/handshake: get negotiated tls record size limit Wilfred Mallawa
2025-07-29 8:07 ` Damien Le Moal
2025-07-29 8:12 ` Hannes Reinecke
2025-08-07 0:03 ` Wilfred Mallawa
2025-07-29 2:41 ` [RFC 2/4] net/tls/tls_sw: use the record size limit specified Wilfred Mallawa
2025-07-29 8:13 ` Damien Le Moal
2025-08-07 0:04 ` Wilfred Mallawa
2025-07-29 2:41 ` [RFC 3/4] nvme/host/tcp: set max record size in the tls context Wilfred Mallawa
2025-07-29 8:16 ` Hannes Reinecke
2025-07-29 2:41 ` [RFC 4/4] nvme/target/tcp: " Wilfred Mallawa
2025-07-29 8:16 ` Hannes Reinecke
2025-07-29 13:37 ` [RFC 0/4] net/tls: add support for the record size limit extension Chuck Lever
2025-08-07 0:14 ` Wilfred Mallawa [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7af292c6bb2c42cead77202a9034fcb6111b898c.camel@gmail.com \
--to=wilfred.opensource@gmail.com \
--cc=Dai.Ngo@oracle.com \
--cc=alistair.francis@wdc.com \
--cc=anna@kernel.org \
--cc=axboe@kernel.dk \
--cc=borisp@nvidia.com \
--cc=chuck.lever@oracle.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dlemoal@kernel.org \
--cc=donald.hunter@gmail.com \
--cc=edumazet@google.com \
--cc=hch@lst.de \
--cc=horms@kernel.org \
--cc=jlayton@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kbusch@kernel.org \
--cc=kch@nvidia.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=kuba@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=neil@brown.name \
--cc=netdev@vger.kernel.org \
--cc=okorniev@redhat.com \
--cc=pabeni@redhat.com \
--cc=sagi@grimberg.me \
--cc=tom@talpey.com \
--cc=trondmy@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).