From: "Jason A. Donenfeld"
Date: Wed, 26 Sep 2018 18:04:09 +0200
Subject: Re: [PATCH net-next v6 23/23] net: WireGuard secure network tunnel
To: labokml@labo.rs, Dave Taht
Cc: LKML, Netdev, Linux Crypto Mailing List, David Miller, Greg Kroah-Hartman
In-Reply-To: <7830522a-968e-0880-beb7-44904466cf14@labo.rs>
References: <20180925145622.29959-1-Jason@zx2c4.com> <20180925145622.29959-24-Jason@zx2c4.com> <7830522a-968e-0880-beb7-44904466cf14@labo.rs>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Ivan,

On Wed, Sep 26, 2018 at 6:00 PM Ivan Labáth wrote:
>
> On 25.09.2018 16:56, Jason A. Donenfeld wrote:
> > Extensive documentation and description of the protocol and
> > considerations, along with formal proofs of the cryptography, are
> > available at:
> >
> > * https://www.wireguard.com/
> > * https://www.wireguard.com/papers/wireguard.pdf
> []
> > +enum { HANDSHAKE_DSCP = 0x88 /* AF41, plus 00 ECN */ };
> []
> > +	if (skb->protocol == htons(ETH_P_IP)) {
> > +		len = ntohs(ip_hdr(skb)->tot_len);
> > +		if (unlikely(len < sizeof(struct iphdr)))
> > +			goto dishonest_packet_size;
> > +		if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
> > +			IP_ECN_set_ce(ip_hdr(skb));
> > +	} else if (skb->protocol == htons(ETH_P_IPV6)) {
> > +		len = ntohs(ipv6_hdr(skb)->payload_len) +
> > +		      sizeof(struct ipv6hdr);
> > +		if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
> > +			IP6_ECN_set_ce(skb, ipv6_hdr(skb));
> > +	} else
> []
> > +	skb_queue_walk (&packets, skb) {
> > +		/* 0 for no outer TOS: no leak. TODO: should we use flowi->tos
> > +		 * as outer?
> > +		 */
> > +		PACKET_CB(skb)->ds = ip_tunnel_ecn_encap(0, ip_hdr(skb), skb);
> > +		PACKET_CB(skb)->nonce =
> > +			atomic64_inc_return(&key->counter.counter) - 1;
> > +		if (unlikely(PACKET_CB(skb)->nonce >= REJECT_AFTER_MESSAGES))
> > +			goto out_invalid;
> > +	}
> Hi,
>
> is there documentation and/or rationale for ecn handling?
> Quick search for ecn and dscp didn't reveal any.

ECN support was developed with Dave Taht so that it does the right
thing with CAKE and such. He's CC'd, so that he can fill in details,
and sure, we can write these up. As well, I can add the rationale for
the handshake-packet-specific DSCP value to the paper in the next few
days; thanks for pointing out these documentation oversights.

Jason
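Review bot: The TODO in the skb_queue_walk hunk ("should we use flowi->tos as outer?") leaves the outer TOS policy unresolved in code submitted for merge; the call passes a fixed 0 to ip_tunnel_ecn_encap() with only the terse "no leak" remark to explain it, and the HANDSHAKE_DSCP = 0x88 constant in the enum hunk likewise carries no rationale beyond "AF41, plus 00 ECN". Suggest either settling the flowi->tos question before merge or replacing the TODO with a comment stating why the outer field is deliberately 0 (so the inner DSCP is not copied to the outer header), and documenting the choice of AF41 for handshake packets in the commit message or the referenced paper, which is the gap the reviewer's question is pointing at.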