From: Sabrina Dubroca <sd@queasysnail.net>
To: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Vadim Fedorenko <vfedorenko@novek.ru>,
Frantisek Krenzelok <fkrenzel@redhat.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Apoorv Kothari <apoorvko@amazon.com>,
Boris Pismenny <borisp@nvidia.com>,
John Fastabend <john.fastabend@gmail.com>,
Shuah Khan <shuah@kernel.org>,
linux-kselftest@vger.kernel.org, Gal Pressman <gal@nvidia.com>,
Marcel Holtmann <marcel@holtmann.org>
Subject: Re: [PATCH net-next v3 3/6] tls: implement rekey for TLS1.3
Date: Mon, 14 Aug 2023 17:46:15 +0200
Message-ID: <ZNpMR8nYKlIP9JQw@hog>
In-Reply-To: <20230814082128.632d2b03@kernel.org>
2023-08-14, 08:21:28 -0700, Jakub Kicinski wrote:
> On Mon, 14 Aug 2023 17:06:10 +0200 Sabrina Dubroca wrote:
> > 2023-08-11, 18:43:47 -0700, Jakub Kicinski wrote:
> > > On Wed, 9 Aug 2023 14:58:52 +0200 Sabrina Dubroca wrote:
> > > > TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXSW);
> > > > TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRRXSW);
> > > > conf = TLS_SW;
> > >
> > > Should we add a statistic for rekeying?
> >
> > Hmpf, at least I shouldn't be incrementing the existing stats on every
> > update, especially not TLSCURR* :/
> >
> > I don't see much benefit in tracking successful rekeys. Failed rekeys
> > seem more interesting to me. What would we get from counting successful
> > rekeys?
>
> No huge benefit from counting rekeys, the main (only?) one I see is
> that when user reports issues we can see whether rekeys were involved
> (given that they are fairly rare). It could help narrow down triage.
Ok. So unless you object I'll add 4 more counters: {RX,TX}REKEY{OK,ERROR}.
And it probably shouldn't be "rekey" in case we decide to implement
full 1.2 renegotiation (with cipher change) and use the same
counter. Or 1.2 renegotiation without cipher change gets to use the
rekey counters, and cipher change would get a new set of counters.
I could also just call them *UPDATE* but that might be a bit too
vague.
--
Sabrina
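An added illustration of the triage use Jakub describes (not code from this patch series or the kernel): a small Python script that diffs two snapshots of /proc/net/tls_stat and reports whether rekeys, and failed rekeys, were involved in the window. The Tls{Rx,Tx}Rekey{Ok,Error} names are assumed from the counter naming proposed above and do not exist in the kernel at the time of this thread; both snapshots are constructed.

```python
from typing import Dict, List

# Constructed snapshots in the "Name<tab>value" layout of /proc/net/tls_stat.
# TlsRxSw/TlsDecryptError exist; the Tls{Rx,Tx}Rekey{Ok,Error} names are hypothetical.
BEFORE = """\
TlsRxSw\t10
TlsDecryptError\t0
TlsRxRekeyOk\t4
TlsRxRekeyError\t0
TlsTxRekeyOk\t4
TlsTxRekeyError\t0
"""
AFTER = """\
TlsRxSw\t10
TlsDecryptError\t2
TlsRxRekeyOk\t6
TlsRxRekeyError\t1
TlsTxRekeyOk\t6
TlsTxRekeyError\t0
"""


def parse_tls_stat(text: str) -> Dict[str, int]:
    """Parse the counter table into {name: value}; malformed lines are skipped."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Return only the counters whose value changed between the two snapshots."""
    b, a = parse_tls_stat(before), parse_tls_stat(after)
    return {k: v - b.get(k, 0) for k, v in a.items() if v != b.get(k, 0)}


def rekey_findings(deltas: Dict[str, int]) -> List[str]:
    """Triage hints: did rekeys happen, and did failed ones line up with decrypt errors?"""
    rekeys = {k: v for k, v in deltas.items() if "Rekey" in k}
    findings = []
    if rekeys:
        findings.append("rekeys in window: " + ", ".join(f"{k}+{v}" for k, v in sorted(rekeys.items())))
    failed = sorted(k for k in rekeys if k.endswith("Error"))
    if failed and deltas.get("TlsDecryptError", 0) > 0:
        findings.append("decrypt errors coincide with failed rekeys: " + ", ".join(failed))
    return findings


if __name__ == "__main__":
    print("\n".join(rekey_findings(counter_deltas(BEFORE, AFTER))))
```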