Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1802225ybn; Thu, 26 Sep 2019 02:25:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqzZSktS0ORX0lI09okeoQyxKTlQ5KaWG8KYWI3wnuE2qSr2oWiKfGAGPPecS7gPe6XGHpvv X-Received: by 2002:a50:b884:: with SMTP id l4mr2403215ede.295.1569489903886; Thu, 26 Sep 2019 02:25:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569489903; cv=none; d=google.com; s=arc-20160816; b=KbGGXR1071p9cJTg6PkT+ws7+qMIUeP2Mj9oJNH0DSWuW4Bz+9uj2Lyqdbe324ci4C dQe4oUUsKiCI8GC10WRRsHd0YGBeLFkDJP/qtZA97YinetUZSgWVpZRcCFk6J5AKF2cN 0q9n4M3ACVpNZvy3JCaNKXkPt1lWvzobhIdwgisW2s1ahJA8COHP6kjidhzeCRvghnea ei6si5FmQKC6dHupX55X6Qu7a51zilzWjRMu2WygEfbWOEhDw6z2gIN9js5SvZWAQFei 8ULSxuJYup3DxM7bhPZR7dCHewkAMrytZ8TWguRGzVQHWVnVwhIjSEoZ+kLnvV1f4X9j LqpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:to:dkim-signature:from; bh=hdI2/8m1XWzYalolj8xZHSopkUVGhtQLUm6AD7C/6rE=; b=IMIyxkC3gez5vlUfhj70OKJbB7rqJuq1cgnurV2DDbu7bGKzpjDVBwuc3Z2zhMOEKB TMP6mM5DIK4wIW5TLS0qhyqbMJ4XVlK39fVSFe+J4a7YdYtXSb7Xfhc8UQSHJfHt/W/Y QY6lVgm4vZW2rGLiiEKIrnm17X+XTgn0kL4d2cM/tMgoe/e1fZboQZDkj5n+34RejQWD nAs9unGGIWTNuNL2IMDlhdwKG3o0txA1NWUnQkHSvcq7YKMCDaS9XUgQWA2oWIORCxZ1 07WareE4ibC8lZtZLGENxzP5oNSkcvTIsHVU9NCE0GezGpzFouywJyHTFa5tdrZULiSd M/Aw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@toke.dk header.s=20161023 header.b=lnGCwqPn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=toke.dk Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l18si687810ejg.248.2019.09.26.02.24.40; Thu, 26 Sep 2019 02:25:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@toke.dk header.s=20161023 header.b=lnGCwqPn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=toke.dk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731989AbfIYIx6 (ORCPT + 99 others); Wed, 25 Sep 2019 04:53:58 -0400 Received: from mail.toke.dk ([52.28.52.200]:39823 "EHLO mail.toke.dk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731534AbfIYIxq (ORCPT ); Wed, 25 Sep 2019 04:53:46 -0400 X-Greylist: delayed 446 seconds by postgrey-1.27 at vger.kernel.org; Wed, 25 Sep 2019 04:53:41 EDT From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1569401168; bh=hdI2/8m1XWzYalolj8xZHSopkUVGhtQLUm6AD7C/6rE=; h=From:To:Subject:In-Reply-To:References:Date:From; b=lnGCwqPn8Xik4+dABeuye2OpcKR61gBj+tf2azZZoiepMCvLys5acy3IEAA+CySH2 XpGvTv765iKAnzYQNUpf7Y00XFwVyGsUT3ShOReN/2rArjEsMh8kVdmUJaheeNA1Mw A8fSIQHBrNUzDQv6bAp2GpCkb/BFUB+646giQysI2lnfync3zPBY7ptF2QJpBStDF9 c3Q4bwZw+CxdwrDkgOEvUpbi226xIFGNwDtCu+HCOGojbt8uZVyJx9lIwnUMXa59CM ikhH6E/y8/5YSbpJvWH3rya/lMZkr25jE3h7vDFC6/NaiaBhJubkJEM0MOqhlMJ26T KZU470eZglgHQ== To: "Jason A. Donenfeld" , WireGuard mailing list , Netdev , LKML Subject: Re: WireGuard to port to existing Crypto API In-Reply-To: References: Date: Wed, 25 Sep 2019 10:46:08 +0200 X-Clacks-Overhead: GNU Terry Pratchett Message-ID: <87v9tg3grz.fsf@toke.dk> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org "Jason A. Donenfeld" writes: > Hi folks, > > I'm at the Kernel Recipes conference now and got a chance to talk with > DaveM a bit about WireGuard upstreaming. His viewpoint has recently > solidified: in order to go upstream, WireGuard must port to the > existing crypto API, and handle the Zinc project separately. As DaveM > is the upstream network tree maintainer, his opinion is quite > instructive. > > I've long resisted the idea of porting to the existing crypto API, > because I think there are serious problems with it, in terms of > primitives, API, performance, and overall safety. I didn't want to > ship WireGuard in a form that I thought was sub-optimal from a > security perspective, since WireGuard is a security-focused project. > > But it seems like with or without us, WireGuard will get ported to the > existing crypto API. So it's probably better that we just fully > embrace it, and afterwards work evolutionarily to get Zinc into Linux > piecemeal. I've ported WireGuard already several times as a PoC to the > API and have a decent idea of the ways it can go wrong and generally > how to do it in the least-bad way. > > I realize this kind of compromise might come as a disappointment for > some folks. But it's probably better that as a project we remain > intimately involved with our Linux kernel users and the security of > the implementation, rather than slinking away in protest because we > couldn't get it all in at once. So we'll work with upstream, port to > the crypto API, and get the process moving again. We'll pick up the > Zinc work after that's done. On the contrary, kudos on taking the pragmatic route! Much as I have enjoyed watching your efforts on Zinc, I always thought it was a shame it had to hold back the upstreaming of WireGuard. So as far as I'm concerned, doing that separately sounds like the right approach at this point, and I'll look forward to seeing the patches land :) -Toke