Message-ID: <1534183475.7872.14.camel@HansenPartnership.com>
Subject: Re: [PATCH v1 0/3] WireGuard: Secure Network Tunnel
From: James Bottomley
To: "Jason A. Donenfeld"
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, davem@davemloft.net, linux-crypto@vger.kernel.org
Date: Mon, 13 Aug 2018 11:04:35 -0700
References: <20180731191102.2434-1-Jason@zx2c4.com> <1534174811.7872.3.camel@HansenPartnership.com> <1534181830.7872.10.camel@HansenPartnership.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 2018-08-13 at 10:55 -0700, Jason A. Donenfeld wrote:
> > but it's very hard for a flow classifier because you have to
>
> The construction and identifier strings might not obviously help with
> the extremely narrow idea you've brought up, but it is very important
> for safely introducing additional versions. Namely, it prevents
> against cross-protocol key reuse attacks and type confusion bugs. So
> don't be too quick to dismiss the importance of these for
> accomplishing what we're after.

I'm not saying a hash check isn't important for safety; I'm saying that
if you only have a hash of a dynamic part plus the protocol identifier
to go on, it makes far more work for the flow classifier. You can see
this easily if you contemplate the idea that the hash might be the
algorithm being changed.

> > so let's pick one of the above and try it out.
>
> We have, multiple times, and it's absolutely trivial to do and works
> well. The exact thing you're concerned about has already been
> researched and worked with on live systems quite a bit over the last
> 3 years, and it works in a pretty straightforward way. I'm not sure
> there's much more to add here: the thing you want is already there
> and has been tested extensively. At this point the "pick one and
> let's try it out!" is an old story, and the focus now is on making
> sure the code quality and netdev api usage is correct for merging

Great, thanks, I'll look forward to seeing it in v2 then.

James