From: Sabrina Dubroca <sd@queasysnail.net>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Wilfred Mallawa <wilfred.mallawa@wdc.com>,
"corbet@lwn.net" <corbet@lwn.net>,
"dlemoal@kernel.org" <dlemoal@kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"john.fastabend@gmail.com" <john.fastabend@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Alistair Francis <Alistair.Francis@wdc.com>,
"pabeni@redhat.com" <pabeni@redhat.com>,
"skhan@linuxfoundation.org" <skhan@linuxfoundation.org>,
"horms@kernel.org" <horms@kernel.org>,
"edumazet@google.com" <edumazet@google.com>,
Daiki Ueno <dueno@redhat.com>, Simo Sorce <ssorce@redhat.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [RFC net-next 1/3] net/tls_sw: support randomized zero padding
Date: Tue, 17 Mar 2026 10:19:27 +0100 [thread overview]
Message-ID: <abkcnzIJ5q0XCVJ7@krikkit> (raw)
In-Reply-To: <20260316180355.37d45785@kernel.org>
2026-03-16, 18:03:55 -0700, Jakub Kicinski wrote:
> On Tue, 17 Mar 2026 00:53:07 +0000 Wilfred Mallawa wrote:
> > > Or maybe you could refer to existing implementations of this feature
> > > in user space libs? The padding feature seems slightly nebulous,
> > > I wasn't aware of anyone actually using it. Maybe I should ask...
> > > are you actually planning to use it, or are you checking a box?
> >
> > For upcoming WD hardware, we were planning on informing users to use
> > this feature if an extra layer of security can benefit their particular
> > configuration. But to answer your question, I think this falls more
> > into the "checking a box"...
> >
> > I'm happy to drop this series if there's not much added value from
> > having this as an available option for users.
>
> I'm not much of a security person, and maybe Sabrina will disagree
> but I feel like it's going to be hard for us to design this feature
> in a sensible way if we don't know at least one potential attack :S
No, same here, that's why I tried to CC some userspace developers on
the cover (as well as for awareness of what's going on in the kernel
and the API being discussed -- adding them here again).
My understanding is that attacks of this type are mainly "observers
will figure out what type of traffic I'm doing based on message
length", and I feel all those "traffic pattern masking" features are
only interesting for very paranoid users. The RFC links to some
research, and maybe the kind of statistics/machine learning that those
attacks require has improved since, which could make such attacks more
realistic? No idea.
--
Sabrina
next prev parent reply other threads:[~2026-03-17 9:19 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 5:48 [RFC net-next 0/3] tls_sw: add tx record zero padding Wilfred Mallawa
2026-03-09 5:48 ` [RFC net-next 1/3] net/tls_sw: support randomized " Wilfred Mallawa
2026-03-13 13:16 ` Sabrina Dubroca
2026-03-14 14:39 ` Jakub Kicinski
2026-03-17 0:53 ` Wilfred Mallawa
2026-03-17 1:03 ` Jakub Kicinski
2026-03-17 1:21 ` Wilfred Mallawa
2026-03-17 1:30 ` Jakub Kicinski
2026-03-17 1:53 ` Wilfred Mallawa
2026-03-19 1:35 ` Alistair Francis
2026-03-17 9:19 ` Sabrina Dubroca [this message]
2026-03-17 0:20 ` Wilfred Mallawa
2026-03-09 5:48 ` [RFC net-next 2/3] net/tls: add randomized zero padding socket option Wilfred Mallawa
2026-03-09 5:48 ` [RFC net-next 3/3] selftest: tls: add tls record zero pad test Wilfred Mallawa
2026-03-13 12:13 ` [RFC net-next 0/3] tls_sw: add tx record zero padding Sabrina Dubroca
2026-03-17 0:59 ` Wilfred Mallawa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abkcnzIJ5q0XCVJ7@krikkit \
--to=sd@queasysnail.net \
--cc=Alistair.Francis@wdc.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dlemoal@kernel.org \
--cc=dueno@redhat.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=skhan@linuxfoundation.org \
--cc=ssorce@redhat.com \
--cc=wilfred.mallawa@wdc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox