From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Tom Herbert <tom@herbertland.com>,
	davem@davemloft.net, netdev@vger.kernel.org, kernel-team@fb.com,
	davewatson@fb.com, alexei.starovoitov@gmail.com
Subject: Re: [PATCH net-next 0/6] kcm: Kernel Connection Multiplexor (KCM)
Date: Mon, 23 Nov 2015 07:43:07 -0500	[thread overview]
Message-ID: <20151123124307.GA24663@oracle.com> (raw)
In-Reply-To: <1448272388.3983270.447381049.07BA3A5C@webmail.messagingengine.com>

On (11/23/15 10:53), Hannes Frederic Sowa wrote:
> > 
> >  - Integration with TLS (TLS-in-kernel is a separate initiative).
> 
> This is interesting:
> 
> Regarding the last week's discussion about better OOB support in TCP
> e.g. for SOCKET_DESTROY, do you already have a plan to handle TLS alerts
> and do CHANGE_CIPHER on the socket synchronously?

I have had that same question too. In fact I pointed this out already
in the thread at http://permalink.gmane.org/gmane.linux.network/382278

In addition to CCS, TLS does other complex things such as mid-session
regeneration of new session keys based on the master-secret. If you
move TLS to the kernel, there may be a lot of 
synchronicity/security/inter-op issues to resolve.

Perhaps it's not a good idea to use "TLS" on the TCP socket, but let
each kcm application negotiate a crypto key (in any manner that it wants) 
and set it on the PF_KCM socket, then use that key to encrypt application
data just before passing it off to tcp. (Of course, then you have to deal 
with the fact that BPF still needs to get to the clear data somehow)

--Sowmini
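The alternative sketched in the message above (each application negotiates its own key, sets it on the PF_KCM socket, and encrypts every message just before it is handed to TCP, while the kernel-side length parser still has to find message boundaries) as an added worked example. This is illustration code written for this page, not code from the KCM patch set or from anyone in the thread. The frame layout, the HMAC-based keystream standing in for a real AEAD, the function names and the sample traffic are all assumptions made here.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption for this example, not KCM's):
#   len (4 B, clear) | seq (8 B) | ciphertext | tag (32 B), integers big-endian.
HDR = struct.Struct(">IQ")
TAG_LEN = 32


def derive_keys(master_secret: bytes) -> tuple[bytes, bytes]:
    """Split the secret the application negotiated into an encryption key
    and a MAC key so the two uses never share a key."""
    enc = hmac.new(master_secret, b"kcm-example-enc", hashlib.sha256).digest()
    mac = hmac.new(master_secret, b"kcm-example-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256(enc_key, seq || counter) blocks.
    Stdlib-only stand-in for a real AEAD (AES-GCM, ChaCha20-Poly1305);
    the per-message seq is the nonce, so a seq must never be reused."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(master_secret: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt one application message right before it goes to TCP."""
    enc_key, mac_key = derive_keys(master_secret)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, seq, len(plaintext))))
    hdr = HDR.pack(HDR.size + len(ct) + TAG_LEN, seq)
    # Encrypt-then-MAC, with the clear header covered so len/seq are not malleable.
    tag = hmac.new(mac_key, hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag


def kcm_length_parser(stream: bytes) -> int:
    """Stand-in for the BPF program KCM runs on the TCP stream: return the
    length of the next message, or 0 if the header is not yet complete.
    It only ever sees the clear 4-byte length; the payload is opaque."""
    return struct.unpack(">I", stream[:4])[0] if len(stream) >= 4 else 0


def split_messages(stream: bytes) -> tuple[list[bytes], bytes]:
    """Delimit complete frames; return them and the unconsumed tail."""
    msgs = []
    while True:
        n = kcm_length_parser(stream)
        if n == 0 or len(stream) < n:
            return msgs, stream
        msgs.append(stream[:n])
        stream = stream[n:]


class Receiver:
    """Per-socket state on the receiving side: keys plus the next expected seq."""

    def __init__(self, master_secret: bytes):
        self.enc_key, self.mac_key = derive_keys(master_secret)
        self.expected_seq = 0

    def open(self, frame: bytes) -> bytes:
        if len(frame) < HDR.size + TAG_LEN:
            raise ValueError("short frame")
        total, seq = HDR.unpack_from(frame)
        hdr, ct, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()
        if total != len(frame) or not hmac.compare_digest(expect, tag):
            raise ValueError("bad tag or length")
        if seq != self.expected_seq:          # reject replay and reordering
            raise ValueError("unexpected seq %d" % seq)
        self.expected_seq += 1
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, seq, len(ct))))


def demo() -> dict:
    """Constructed sample traffic: two messages plus a partial third frame."""
    secret = b"key negotiated by the application, not by the kernel"  # constructed
    f1, f2 = seal(secret, 0, b"hello kcm"), seal(secret, 1, b"")
    msgs, rest = split_messages(f1 + f2 + f1[:5])
    rx = Receiver(secret)
    out = {"delimited": len(msgs), "leftover": len(rest),
           "plain": [rx.open(m) for m in msgs]}
    bad = bytearray(f1)
    bad[HDR.size] ^= 0x01                                       # one flipped ciphertext byte
    try:
        Receiver(secret).open(bytes(bad))
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    try:
        rx.open(f1)                                             # seq 0 already consumed
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    out["parser_sees_payload"] = b"hello" in f1                 # the parser side sees no clear data
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the design. The length field has to stay in the clear and is consumed by the parser before the tag is checked, so an on-path attacker can desynchronize framing (though not forge or read a message); and any rekey or cipher-change event would have to be carried as an application-level message that both ends process in order, which is the synchronicity problem the thread raises for doing TLS below the socket.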


Thread overview: 43+ messages
2015-11-20 21:21 [PATCH net-next 0/6] kcm: Kernel Connection Multiplexor (KCM) Tom Herbert
2015-11-20 21:21 ` [PATCH net-next 1/6] rcu: Add list_next_or_null_rcu Tom Herbert
2015-11-20 21:21 ` [PATCH net-next 2/6] net: Make sock_alloc exportable Tom Herbert
2015-11-20 21:21 ` [PATCH net-next 3/6] net: Add MSG_BATCH flag Tom Herbert
2015-11-23 10:02   ` Hannes Frederic Sowa
2015-11-20 21:21 ` [PATCH net-next 4/6] kcm: Kernel Connection Multiplexor module Tom Herbert
2015-11-20 22:50   ` Sowmini Varadhan
2015-11-20 23:19     ` Tom Herbert
2015-11-20 23:27       ` Sowmini Varadhan
2015-11-20 23:10   ` Alexei Starovoitov
2015-11-20 23:20     ` Tom Herbert
2015-11-23  9:42   ` Daniel Borkmann
2015-11-20 21:21 ` [PATCH net-next 5/6] kcm: Add statistics and proc interfaces Tom Herbert
2015-11-20 21:22 ` [PATCH net-next 6/6] kcm: Add description in Documentation Tom Herbert
2015-11-23  9:53 ` [PATCH net-next 0/6] kcm: Kernel Connection Multiplexor (KCM) Hannes Frederic Sowa
2015-11-23 12:43   ` Sowmini Varadhan [this message]
2015-11-23 17:33   ` Tom Herbert
2015-11-23 19:35     ` Hannes Frederic Sowa
2015-11-23 19:54     ` David Miller
2015-11-23 20:02       ` Tom Herbert
2015-11-24 11:25       ` Hannes Frederic Sowa
2015-11-24 15:49         ` David Miller
2015-11-24 15:27       ` Florian Westphal
2015-11-24 15:49         ` Eric Dumazet
2015-11-24 18:09           ` Rick Jones
2015-11-24 15:55         ` David Miller
2015-11-24 16:25           ` Florian Westphal
2015-11-24 17:00             ` Tom Herbert
2015-11-24 17:16               ` Florian Westphal
2015-11-24 17:43                 ` Tom Herbert
2015-11-24 20:55                   ` Florian Westphal
2015-11-24 21:49                     ` Tom Herbert
2015-11-24 22:22                       ` Florian Westphal
2015-11-24 22:25                         ` David Miller
2015-11-24 22:45                           ` Florian Westphal
2015-11-24 23:13                           ` Hannes Frederic Sowa
2015-11-24 18:23             ` Hannes Frederic Sowa
2015-11-24 18:59               ` Alexei Starovoitov
2015-11-24 19:16                 ` Hannes Frederic Sowa
2015-11-24 19:26                   ` Hannes Frederic Sowa
2015-11-24 20:23                   ` Alexei Starovoitov
     [not found]                     ` <1448402288.1489559.449199721.64EBB346@webmail.messagingengine.com>
     [not found]                       ` <20151124222109.GA86838@ast-mbp.thefacebook.com>
2015-11-25 10:38                         ` Hannes Frederic Sowa
2015-11-25 16:26             ` Sowmini Varadhan
