From: Sabrina Dubroca <sd@queasysnail.net>
To: Paul Wouters <paul@nohats.ca>,
Steffen Klassert <steffen.klassert@secunet.com>
Cc: Antony Antony <antony@phenome.org>,
Nicolas Dichtel <nicolas.dichtel@6wind.com>,
Antony Antony <antony.antony@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, devel@linux-ipsec.org,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [devel-ipsec] [PATCH ipsec-next v6] xfrm: Add Direction to the SA in or out
Date: Thu, 11 Apr 2024 11:23:36 +0200 [thread overview]
Message-ID: <ZhesGJtMXk-PPtzz@hog> (raw)
In-Reply-To: <81b4f75c-5c43-8357-55ad-0ec28291d399@nohats.ca>
2024-04-10, 20:58:33 -0400, Paul Wouters wrote:
> On Wed, 10 Apr 2024, Antony Antony via Devel wrote:
> > > > Though supporting 0 is higly desired
> > > > feature and probably a hard to implement feature in xfrm code.
> > >
> > > Why would it be hard for outgoing SAs? The replay window should never
> > > be used on those. And xfrm_replay_check_esn and xfrm_replay_check_bmp
> > > already have checks for 0-sized replay window.
> >
> > That information comes from hall way talks with Steffen. I can't explain
> > it:) May be he can elaborate why 0 is not allowed with ESN.
>
> With ESN, you use a 64 bit number but only send a 32 bit number over the
> wire. So you need to "track" the parts not being sent to do the proper
> packet authentication that uses the full 64bit number. The
> authentication bit is needed for encrypting and decrypting, so on both
> the incoming and outgoing SA.
>
> AFAIK, this 64 bit number tracking is done using the replay-window code.
> That is why replay-window cannot be 0 when ESN is enabled in either
> direction of the SA.
It's in the replay-window code, but AFAICT it doesn't use the
replay_window variable at all (xfrm_output calls into the
xfrm_replay_overflow_* functions which only look at oseq, xfrm_input
calls the *check and *advance functions of xfrm_replay.c). So I think
we could accept an unset replay_window for an output SA.
> I have already poked Steffen it would be good to decouple ESN code from
> replay-window code, as often people want to benchmark highspeed links
> by disabling replay protection completely, but then they are also
> unwittingly disabling ESN and causing needing a rekey ever 2 minutes
> or so on a modern 100gbps ipsec link.
>
> > strongSwan sets ESN and replay-window 1 on "out" SA.
>
> It has to set a replay-window of non-zero or else ESN won't work.
> It is not related to migration AFAIK.
>
> > For instance, there isn't a validation for unused XFRMA_SA_EXTRA_FLAGS in
> > DELSA; if set, it's simply ignored. Similarly, if XFRMA_SA_DIR were set in
> > DELSA, it would also be disregarded. Attempting to introduce validations for
> > DELSA and other methods seems like an extensive cleanup task. Do we consider
> > this level of validation within the scope of our current patch? It feels
> > like we are going too far.
>
> Is there a way where rate limited logging can be introduced, so that
> userlands will clean up their use and after a few years change the API
> to not allow setting bogus values?
Yes, this is doable. Steffen, does that seem reasonable? (for example,
when XFRMA_REPLAY_THRESH is passed to NEWSA, or XFRMA_ALG_AEAD to
DELSA, etc)
(as part of a separate patchset of course)
--
Sabrina
next prev parent reply other threads:[~2024-04-11 9:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-05 12:40 [PATCH ipsec-next v6] xfrm: Add Direction to the SA in or out Antony Antony
2024-04-05 13:31 ` Nicolas Dichtel
2024-04-05 21:56 ` Sabrina Dubroca
2024-04-06 12:36 ` [devel-ipsec] " Christian Hopps
2024-04-07 8:23 ` Antony Antony
2024-04-08 13:02 ` Sabrina Dubroca
2024-04-09 17:23 ` Antony Antony
2024-04-10 8:56 ` Sabrina Dubroca
2024-04-10 16:59 ` Antony Antony
2024-04-10 21:41 ` Christian Hopps
2024-04-11 0:58 ` Paul Wouters
2024-04-11 9:23 ` Sabrina Dubroca [this message]
2024-04-11 11:03 ` Steffen Klassert
2024-04-11 9:24 ` Sabrina Dubroca
2024-04-11 10:36 ` Antony Antony
2024-04-11 20:14 ` Sabrina Dubroca
2024-04-11 10:57 ` Steffen Klassert
2024-04-10 6:27 ` Nicolas Dichtel
2024-04-10 7:26 ` Sabrina Dubroca
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZhesGJtMXk-PPtzz@hog \
--to=sd@queasysnail.net \
--cc=antony.antony@secunet.com \
--cc=antony@phenome.org \
--cc=davem@davemloft.net \
--cc=devel@linux-ipsec.org \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nicolas.dichtel@6wind.com \
--cc=pabeni@redhat.com \
--cc=paul@nohats.ca \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).