From: Leon Romanovsky <leon@kernel.org>
To: Saeed Mahameed <saeed@kernel.org>
Cc: Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Saeed Mahameed <saeedm@nvidia.com>,
netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>
Subject: Re: [pull request][net-next V2 00/15] mlx5 updates 2023-10-19
Date: Fri, 27 Oct 2023 13:08:16 +0300
Message-ID: <20231027100816.GE2950466@unreal>
In-Reply-To: <ZTsH2n4k0kd+nChv@x130>

On Thu, Oct 26, 2023 at 05:44:10PM -0700, Saeed Mahameed wrote:
> On 26 Oct 15:46, Jakub Kicinski wrote:
> > On Thu, 26 Oct 2023 15:26:01 -0700 Saeed Mahameed wrote:
> > > When I sent V1 I stripped the fixes tags given that I know this is not an
> > > actual bug fix but rather a missing feature. You asked me to add Fixes
> > > tags when you know this is targeting net-next, and I complied in V2.
> > >
> > > About Fixes tags strict policy in net-next, it was always a controversy,
> > > I thought you changed your mind, since you explicitly asked me to add the
> > > Fixes tags to a series targeting net-next.
> >
> > Sorry, I should have been clearer, obviously the policy did not change.
> > I thought you'd know what to do.
> >
> > > I will submit V3, with Fixes tags removed. Please accept it since Leon
> > > and I agree that this is not a high priority bug fix that needs to be
> > > addressed in -rc7 as Leon already explained.
> >
> > Patches 3 / 4 are fairly trivial. Patch 7 sounds pretty scary,
> > you're not performing replay validation at all, IIUC.
> > Let me remind you that this is an offload of a security protocol.
> >
> > BTW I have no idea what "ASO syndrome" is, please put more effort
> > into commit messages.
>
> ASO stands for (Advanced Steering Operations), it handles the replay
> protection and in case of failure it provides the syndrome, yes I agree the
> commit message needed some work.
>
> Now given the series is focused on reworking the whole replay protection
> implementation and aligning it with user expectation, and the complexity of
> the patches, I did agree to push it to net-next as the cover letter
> claimed, I am not sure what the severity of this issue is in terms of
> security, so I will let Leon decide.

While a replay protection attack is a real issue, in this specific case, I
didn't see any urgency to push it in -rc7 (most likely, next week will
be merge window [1]).

IPsec packet offload is supported in crypto flavor ConnectX cards and needs
relatively new FW and very new strongswan/libreswan. Also, we (Mellanox)
work very closely with all our partners who need backports, as it is not
trivial.

There are zero or close to zero chances that anyone will run IPsec
offload in production with a stable kernel which is not approved by us.

Thanks

[1] https://lwn.net/Articles/948468/
>
>
Thread overview: 26+ messages
2023-10-21 6:46 [pull request][net-next V2 00/15] mlx5 updates 2023-10-19 Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 01/15] xfrm: generalize xdo_dev_state_update_curlft to allow statistics update Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 02/15] xfrm: get global statistics from the offloaded device Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 03/15] net/mlx5e: Honor user choice of IPsec replay window size Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 04/15] net/mlx5e: Ensure that IPsec sequence packet number starts from 1 Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 05/15] net/mlx5e: Unify esw and normal IPsec status table creation/destruction Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 06/15] net/mlx5e: Remove exposure of IPsec RX flow steering struct Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 07/15] net/mlx5e: Add IPsec and ASO syndromes check in HW Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 08/15] net/mlx5e: Connect mlx5 IPsec statistics with XFRM core Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 09/15] net/mlx5e: Delete obsolete IPsec code Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 10/15] net/mlx5: Increase size of irq name buffer Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 11/15] net/mlx5e: Reduce the size of icosq_str Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 12/15] net/mlx5e: Check return value of snprintf writing to fw_version buffer Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 13/15] net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 14/15] net/mlx5: print change on SW reset semaphore returns busy Saeed Mahameed
2023-10-21 6:46 ` [net-next V2 15/15] net/mlx5: Allow sync reset flow when BF MGT interface device is present Saeed Mahameed
2023-10-25 1:02 ` [pull request][net-next V2 00/15] mlx5 updates 2023-10-19 Jakub Kicinski
2023-10-25 8:52 ` Leon Romanovsky
2023-10-26 1:25 ` Jakub Kicinski
2023-10-26 7:29 ` Leon Romanovsky
2023-10-26 22:26 ` Saeed Mahameed
2023-10-26 22:46 ` Jakub Kicinski
2023-10-27 0:44 ` Saeed Mahameed
2023-10-27 10:08 ` Leon Romanovsky [this message]
2023-10-27 22:02 ` Saeed Mahameed
2023-10-29 7:44 ` Leon Romanovsky