Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1097791ybi;
        Fri, 14 Jun 2019 08:35:07 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwFfa2cu32jDZZ8jVjl4cg6IK6zGKMGRwsmCZ/+9+CT+3oJZhmO19Nj0SJwLqJA8UIpgHCy
X-Received: by 2002:a17:902:a412:: with SMTP id p18mr26172537plq.105.1560526507515;
        Fri, 14 Jun 2019 08:35:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560526507; cv=none;
        d=google.com; s=arc-20160816;
        b=hKd96WOqMIS9pD9iRBCsj8QcNzMI/kSDx/tSzOPBNiryatK9lXwnN8VrDhqKjHQ/rl
         zhkJFY5FugWE2ALGkK4wyRcY3wjprl+JGmSD/x/GjZHRhTFGh2TaDFntwnhePdgh1YR8
         MtvESBmFABK5FZwXbmxFpDZ40J3uHFcYVmf1xaxAp8y83BL5NnypQ66Wuwlx/sz9XLkJ
         EULxkgM+N7n48GxMfY+aMV9ud7cH0Lah0UyvE0QpQu+PVxsGRUZ/UZzT+7p5o0mmlepm
         6a56P25RgB5jeE+0fmRtlcRCoqzDOPHNwrR7OYsb3rlpXmuRkarYmNrm9bKpJ5vawsB0
         4mPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=ZvSLdb4tGoj1KerVcujZWEcT0dZuhjXYXXie7nT7mXw=;
        b=LI3lMWkh4m4Dn0JR2vWG756R6MKOKxKriUvtkZ7VwI9bpieXDtb8noE6Fh+lY1QswF
         7tVxY9hjhPtE49hmIsHBuIb2NzYHesv9tRv5rqbo0xfMNOMrGD17+GxxPUrFbHvhpUqt
         f/OBYZ6Znflafy2TbjmmvGVCtshlsM+xnTgWBSJimnbMd9humXWdckF7yKSP9VTatycG
         duJutXcxL0CKeWqgI39tmzxPTlBYA7mRunZMpbwuy1/FaD2iYZNZaeA1pDmcAPsokLYj
         CBnTEOpMtYLo/tunXkYf2WVW/D72P3wudTJJ0uS+ts+XlXrUiMGXwBxtBxyzY5Gu5lQi
         SLcg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=nxrt4giW;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j59si2509932plb.176.2019.06.14.08.34.45;
        Fri, 14 Jun 2019 08:35:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=nxrt4giW;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726784AbfFNPea (ORCPT <rfc822;nullstelllensatz@gmail.com>
        + 99 others); Fri, 14 Jun 2019 11:34:30 -0400
Received: from mail-yb1-f195.google.com ([209.85.219.195]:37605 "EHLO
        mail-yb1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726754AbfFNPe3 (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Fri, 14 Jun 2019 11:34:29 -0400
Received: by mail-yb1-f195.google.com with SMTP id v144so1246471ybb.4
        for <linux-crypto@vger.kernel.org>; Fri, 14 Jun 2019 08:34:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=ZvSLdb4tGoj1KerVcujZWEcT0dZuhjXYXXie7nT7mXw=;
        b=nxrt4giWUlhE9biCVR+Nf7l0dQrFKvxLWDlX56RbVNxUEL0bUAFHio4l+uzl0nCxh7
         xXzwrZb2/VMVmB+aSmN56g905HvDn3pCUAGYNxE7lgaqutKZ1nzEtyOuvhGIdaUqZWnO
         iwxssJBIDgARes03cNAnQxvq0Dawjb1fSsJgBu8clFk87sKOVkvglbqQV3ArKpwt6YEY
         U0yhmXm8J5eHwfiEs6Vzf64EyDO/hlefYNr8XiDq9Xwgo4Bt8mHGoKc5wR3Umn5k4VRm
         PysrCqMQJpRReJvso+/R9WYMkI5EyDmBVUwyI4P9kGBArUktyJcbMOmfUlNvfdkoZDtt
         cflQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=ZvSLdb4tGoj1KerVcujZWEcT0dZuhjXYXXie7nT7mXw=;
        b=udOzB9gnnwoEz6VvVGUtYoiOKY/u9fvct6ZWHGSwDqXmfc+PafZg1h3qPmLF1uM7Ut
         6KxPfZDd8cHKf2Ipr3BvOSbroCtjXDnxdQnOtp/i84KuoW8ZfC0N5H1QFgTlHUqXRw2K
         YUBPqY+zKWAyqHRhI2NUaVFedPBjhKiFGxH4hN5XnNmfroxuTewGJCkdy0oRMenXhVol
         /eVJsHFisqECCC14dMmLsmjVu7V4h8xF/aE/7/WG8qI2qqPvmB8TzkMmrXZZ0HFGtugQ
         IKXihsEuR1enaqbcwptWhvDFYs15J0UQlMo7j1EwX5C5JPjI+dxvipY5kg3zaenx50gF
         11YQ==
X-Gm-Message-State: APjAAAVaeJDOGpbVvu5tFjfZaosYPcwh7sg6CeG98PiAfyOq2ujBADDC
        Ywf63tEC9Q4qUj2p2Kh4l+OmTgK4/9r7ZPuQOPjsRkWhWcw=
X-Received: by 2002:a25:55d7:: with SMTP id j206mr50996255ybb.234.1560526468360;
 Fri, 14 Jun 2019 08:34:28 -0700 (PDT)
MIME-Version: 1.0
References: <20190614140122.20934-1-ard.biesheuvel@linaro.org>
In-Reply-To: <20190614140122.20934-1-ard.biesheuvel@linaro.org>
From:   Eric Dumazet <edumazet@google.com>
Date:   Fri, 14 Jun 2019 08:34:16 -0700
Message-ID: <CANn89iKP2fQ6Tc0jBW_WdLq3kYQx7NsdVDB5S3y453T+6yp86g@mail.gmail.com>
Subject: Re: [PATCH v2] net: ipv4: move tcp_fastopen server side code to
 SipHash library
To:     Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc:     netdev <netdev@vger.kernel.org>, linux-crypto@vger.kernel.org,
        Herbert Xu <herbert@gondor.apana.org.au>, ebiggers@kernel.org,
        David Miller <davem@davemloft.net>,
        Jason Baron <jbaron@akamai.com>,
        Christoph Paasch <cpaasch@apple.com>,
        David Laight <David.Laight@aculab.com>,
        Yuchung Cheng <ycheng@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Fri, Jun 14, 2019 at 7:01 AM Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
>
> Using a bare block cipher in non-crypto code is almost always a bad idea,
> not only for security reasons (and we've seen some examples of this in
> the kernel in the past), but also for performance reasons.
>
> In the TCP fastopen case, we call into the bare AES block cipher one or
> two times (depending on whether the connection is IPv4 or IPv6). On most
> systems, this results in a call chain such as
>
>   crypto_cipher_encrypt_one(ctx, dst, src)
>     crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
>       aesni_encrypt
>         kernel_fpu_begin();
>         aesni_enc(ctx, dst, src); // asm routine
>         kernel_fpu_end();
>
> It is highly unlikely that the use of special AES instructions has a
> benefit in this case, especially since we are doing the above twice
> for IPv6 connections, instead of using a transform which can process
> the entire input in one go.
>
> We could switch to the cbcmac(aes) shash, which would at least get
> rid of the duplicated overhead in *some* cases (i.e., today, only
> arm64 has an accelerated implementation of cbcmac(aes), while x86 will
> end up using the generic cbcmac template wrapping the AES-NI cipher,
> which basically ends up doing exactly the above). However, in the given
> context, it makes more sense to use a light-weight MAC algorithm that
> is more suitable for the purpose at hand, such as SipHash.
>
> Since the output size of SipHash already matches our chosen value for
> TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
> sizes, this greatly simplifies the code as well.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

While the patch looks fine (I yet have to run our tests with it), it
might cause some deployment issues
for server farms.

They usually share a common fastopen key, so that clients can reuse
the same token for different sessions.

Changing some servers in the pool will lead to inconsistencies.

Probably not a too big deal, but worth mentioning.