From: Jonathan Corbet
To: Dmitry Safonov, David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Andy Lutomirski, Ard Biesheuvel, Bob Gilligan, Dan Carpenter, David Laight, Dmitry Safonov <0x7f454c46@gmail.com>, Donald Cassidy, Eric Biggers, "Eric W. Biederman", Francesco Ruggeri, "Gaillardetz, Dominik", Herbert Xu, Hideaki YOSHIFUJI, Ivan Delalande, Leonard Crestez, "Nassiri, Mohammad", Salam Noureddine, Simon Horman, "Tetreault, Francois", netdev@vger.kernel.org, linux-doc@vger.kernel.org
Subject: Re: [PATCH v13 net-next 23/23] Documentation/tcp: Add TCP-AO documentation
In-Reply-To: <20231004223629.166300-24-dima@arista.com>
References: <20231004223629.166300-1-dima@arista.com> <20231004223629.166300-24-dima@arista.com>
Date: Wed, 04 Oct 2023 16:56:05 -0600
Message-ID: <87jzs2yp2y.fsf@meer.lwn.net>

Dmitry Safonov writes:

> It has Frequently Asked Questions (FAQ) on RFC 5925 - I found it very
> useful answering those before writing the actual code. It provides answers
> to common questions that arise on a quick read of the RFC, as well as how
> they were answered. There's also comparison to TCP-MD5 option,
> evaluation of per-socket vs in-kernel-DB approaches and description of
> uAPI provided.
>
> Hopefully, it will be as useful for reviewing the code as it was for writing.
It looks like useful information; I just have one request...

> Cc: Jonathan Corbet
> Cc: linux-doc@vger.kernel.org
> Signed-off-by: Dmitry Safonov
> Acked-by: David Ahern
> ---
> Documentation/networking/index.rst | 1 +
> Documentation/networking/tcp_ao.rst | 434 ++++++++++++++++++++++++++++
> 2 files changed, 435 insertions(+)
> create mode 100644 Documentation/networking/tcp_ao.rst
>
> diff --git a/Documentation/networking/index.rst b/Documentation/networking/index.rst
> index 5b75c3f7a137..69c1e53ef88b 100644
> --- a/Documentation/networking/index.rst
> +++ b/Documentation/networking/index.rst
> @@ -107,6 +107,7 @@ Contents:
> sysfs-tagging
> tc-actions-env-rules
> tc-queue-filters
> + tcp_ao
> tcp-thin
> team
> timestamping
> diff --git a/Documentation/networking/tcp_ao.rst b/Documentation/networking/tcp_ao.rst
> new file mode 100644
> index 000000000000..cfa13a0748a2
> --- /dev/null
> +++ b/Documentation/networking/tcp_ao.rst
> @@ -0,0 +1,434 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +========================================================
> +TCP Authentication Option Linux implementation (RFC5925)
> +========================================================
> +
> +TCP Authentication Option (TCP-AO) provides a TCP extension aimed at verifying
> +segments between trusted peers. It adds a new TCP header option with
> +a Message Authentication Code (MAC). MACs are produced from the content
> +of a TCP segment using a hashing function with a password known to both peers.
> +The intent of TCP-AO is to deprecate TCP-MD5 providing better security,
> +key rotation and support for variety of hashing algorithms.
> +
> +1. Introduction
> +===============
> +
> +.. list-table:: Short and Limited Comparison of TCP-AO and TCP-MD5
> +
> + * -
> + - TCP-MD5
> + - TCP-AO
> + * - Supported hashing algorithms
> + - MD5 (cryptographically weak).
> + - Must support HMAC-SHA1 (chosen-prefix attacks) and CMAC-AES-128
> + (only side-channel attacks). May support any hashing algorithm.

...can you please avoid using list-table if possible? It makes the
plain-text version nearly impossible to read.

Thanks,

jon
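Review bot: in the tcp_ao.rst hunk, the introduction's "MACs are produced from the content of a TCP segment using a hashing function with a password known to both peers" misdescribes the primitive: RFC 5925 computes the option's MAC with a keyed MAC algorithm (HMAC-SHA-1-96 or AES-128-CMAC-96 per RFC 5926) over a traffic key derived from the configured master key, not a plain hash of the segment plus a password; suggest "using a keyed MAC algorithm with a key shared by both peers". In the same hunk, the comparison row's parenthetical "HMAC-SHA1 (chosen-prefix attacks)" reads as a weakness of the MAC, but the published chosen-prefix collision attacks break SHA-1 as a collision-resistant hash, and HMAC does not depend on collision resistance, so HMAC-SHA1 is not broken by them; either drop the parenthetical or say that SHA-1 is deprecated as a general-purpose hash while HMAC-SHA1 remains unbroken. Likewise "CMAC-AES-128 (only side-channel attacks)" describes a property of particular implementations rather than the algorithm and is better left out of an algorithm comparison. Minor: "support for variety of hashing algorithms" should read "support for a variety of MAC algorithms".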