Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp939936imm;
        Wed, 26 Sep 2018 09:06:18 -0700 (PDT)
X-Google-Smtp-Source: ACcGV606CNLBRNWvqRcO2Pv7SL8ffIT+p0iS+yGy+jBst8D3ZBj8K7iKf7YIESGqCXtJRLMCOn+l
X-Received: by 2002:a63:f309:: with SMTP id l9-v6mr6173325pgh.369.1537977977962;
        Wed, 26 Sep 2018 09:06:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1537977977; cv=none;
        d=google.com; s=arc-20160816;
        b=W2V9S2ESP/DTeYXBg2mlrD0cf7OFgcu+D68Wub45ywkjh6NFm5tyuVzxYNxp1pmhSX
         DFky+NwxY94BsQfqKpg/LGRFe0AYkUeTbW4Sqk3nsjRv2O0WKecPQ9wHwuRK2+bqVK8e
         Y7YqgguTPnuSvczof0UibaPYt40uVMUG6LcKE/l6DJrK17SZk1NK9lXvJJpSN5ebVW0h
         5IWUFAsH2wXyrqvfZEi5O8oUDx+TPZy8x8pvKth940OR+JP2qvpcj9dEXdctQvRdO2P9
         GI4PeQ8mT7vxYrvKmbcpcqSyAdxF0u1q5NxJtAN+czPSWQKVZC6TrszPj/GoeKLZRx/E
         2gCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=iRgGVJfXByRQhbxDp+ZSqUglNus2eo60Lisq+TeNZZo=;
        b=XzJ/Zbxinc1Tu5zfF04caPdQ5UAupHMzjhSOZVIRsRjCajASj1Z9vQFI09F49+g3eH
         ZRFryVNvujOh2/pJhDNRPtlUXK92kdhhoXgUNzvmmXVFvrXFD+BYnsF79PKSiZyetA+I
         6bs4Ig6VaMlqQkohC4u1HhQn5TI8iximNCCj0O6Ki0lE5xB5oARTppXmaxdTxiurVGT2
         zjE1DE0NF4shDqzdIMkoAftWr6YItqlJ6imZElWQrUNb2x8Z6ZMj7xf3qDwlOSeyTPje
         5ccuRN23EhAHkWJNiR/ZVqIVbtJlAJGt6mbkCOISHTgEedYnP5d0QRPY0HkMx1uU48hG
         MROA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@zx2c4.com header.s=mail header.b=m9V3s67z;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q10-v6si5588008pgl.522.2018.09.26.09.06.02;
        Wed, 26 Sep 2018 09:06:17 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@zx2c4.com header.s=mail header.b=m9V3s67z;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728490AbeIZWSC (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Wed, 26 Sep 2018 18:18:02 -0400
Received: from frisell.zx2c4.com ([192.95.5.64]:37405 "EHLO frisell.zx2c4.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726937AbeIZWSC (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 26 Sep 2018 18:18:02 -0400
Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 21d1137f;
        Wed, 26 Sep 2018 15:45:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=mime-version
        :references:in-reply-to:from:date:message-id:subject:to:cc
        :content-type:content-transfer-encoding; s=mail; bh=gj88kwP8hALO
        spsKo2ZO4ZJWaDA=; b=m9V3s67zvrbI8PxfFL8PQCoiadD/ipHoPg2KiMxYl2Go
        1MS0qKLCm4GhCeUuXj2Z8MKSb/F+L9hYQsLdJg6mq6mv5A0PDOmMqPHX8FBj1uJM
        vD2KU61p+FRLi3LuPPkuuT9QdI8+0Z9e84nV5XxC1QK/BXI9fDRI6Z2WgyWKBe7S
        C6xpeprha4CpjucGmsCxsLd11QLVctC1JUEfVPXkN+A6CMcdm3SLAUUV/XenUjpd
        Y5NpvdJ+Cmdb7E9s+YnmJuRjyMyn9ntlxlzCOI+eplIvwSI+F+ZnIIE4LY8wpul8
        aTMAzPqJhOWolMVcbMfEaIGPx9m8LyOsIlzCQy4EXw==
Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 9178ad68 (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128:NO);
        Wed, 26 Sep 2018 15:45:48 +0000 (UTC)
Received: by mail-ot1-f46.google.com with SMTP id e18-v6so28707374oti.8;
        Wed, 26 Sep 2018 09:04:21 -0700 (PDT)
X-Gm-Message-State: ABuFfogXM6TQSOy++mLt+JA5jTtaQlOv3rXX7Mh42lmxj0J7xXF23kDr
        j5BguCUgfHXWTeBvYVykqnrSGpYHQeG8j77pOjk=
X-Received: by 2002:a9d:4a9c:: with SMTP id i28-v6mr2379420otf.138.1537977861013;
 Wed, 26 Sep 2018 09:04:21 -0700 (PDT)
MIME-Version: 1.0
References: <20180925145622.29959-1-Jason@zx2c4.com> <20180925145622.29959-24-Jason@zx2c4.com>
 <7830522a-968e-0880-beb7-44904466cf14@labo.rs>
In-Reply-To: <7830522a-968e-0880-beb7-44904466cf14@labo.rs>
From:   "Jason A. Donenfeld" <Jason@zx2c4.com>
Date:   Wed, 26 Sep 2018 18:04:09 +0200
X-Gmail-Original-Message-ID: <CAHmME9oQJ9y51Pv7U=+=5uDA_tb+U1zWZdsLcyNMhdcFZmjM8Q@mail.gmail.com>
Message-ID: <CAHmME9oQJ9y51Pv7U=+=5uDA_tb+U1zWZdsLcyNMhdcFZmjM8Q@mail.gmail.com>
Subject: Re: [PATCH net-next v6 23/23] net: WireGuard secure network tunnel
To:     labokml@labo.rs, Dave Taht <dave.taht@gmail.com>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Netdev <netdev@vger.kernel.org>,
        Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        David Miller <davem@davemloft.net>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Ivan,

On Wed, Sep 26, 2018 at 6:00 PM Ivan Lab=C3=A1th <labokml@labo.rs> wrote:
>
> On 25.09.2018 16:56, Jason A. Donenfeld wrote:
> > Extensive documentation and description of the protocol and
> > considerations, along with formal proofs of the cryptography, are> avai=
lable at:
> >
> >   * https://www.wireguard.com/
> >   * https://www.wireguard.com/papers/wireguard.pdf
> []
> > +enum { HANDSHAKE_DSCP =3D 0x88 /* AF41, plus 00 ECN */ };
> []
> > +     if (skb->protocol =3D=3D htons(ETH_P_IP)) {
> > +             len =3D ntohs(ip_hdr(skb)->tot_len);
> > +             if (unlikely(len < sizeof(struct iphdr)))
> > +                     goto dishonest_packet_size;
> > +             if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
> > +                     IP_ECN_set_ce(ip_hdr(skb));
> > +     } else if (skb->protocol =3D=3D htons(ETH_P_IPV6)) {
> > +             len =3D ntohs(ipv6_hdr(skb)->payload_len) +
> > +                   sizeof(struct ipv6hdr);
> > +             if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
> > +                     IP6_ECN_set_ce(skb, ipv6_hdr(skb));
> > +     } else
> []
> > +     skb_queue_walk (&packets, skb) {
> > +             /* 0 for no outer TOS: no leak. TODO: should we use flowi=
->tos
> > +              * as outer? */
> > +             PACKET_CB(skb)->ds =3D ip_tunnel_ecn_encap(0, ip_hdr(skb)=
, skb);
> > +             PACKET_CB(skb)->nonce =3D
> > +                             atomic64_inc_return(&key->counter.counter=
) - 1;
> > +             if (unlikely(PACKET_CB(skb)->nonce >=3D REJECT_AFTER_MESS=
AGES))
> > +                     goto out_invalid;
> > +     }
> Hi,
>
> is there documentation and/or rationale for ecn handling?
> Quick search for ecn and dscp didn't reveal any.

ECN support was developed with Dave Taht so that it does the right
thing with CAKE and such. He's CC'd, so that he can fill in details,
and sure, we can write these up. As well, I can add the rationale for
the handshake-packet-specific DSCP value to the paper in the next few
days; thanks for pointing out these documentation oversights.

Jason