Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp653735ybm; Wed, 27 May 2020 04:57:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwZVK0zwN/H791hdbKk+OTLUPUstQovzu7Dug3WpzZtZStgoWuatwz+PTMcFATvxDtNTCPD X-Received: by 2002:a05:6402:1bce:: with SMTP id ch14mr19605457edb.80.1590580626364; Wed, 27 May 2020 04:57:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590580626; cv=none; d=google.com; s=arc-20160816; b=aF83eA57FL/fq51IkcvrTQLZs1h5Z9wacmEdR9nVXp12J4zAJ3MzrxZAMXvnRUYDXZ y2VknSj5pBLPWcXrSwLTwFoeWiIxsXS2sxqwrj1xDhVcKbcKIYKvyWBw1lX2QmE4VjxY TCGkn0w0GReHKJqz95fde+jn5tgNJ4P0QqccqLReFd9C0RutCLB25PIjuewhCLnwQ6gt 2cjESFpPdJxeZD1+oyD51yH91nS/y6cgqCblvafw4eOEgjc3E4+O4z5+6rpWNa8zgZPh UfM4hxjEcRU745jfYrfZtvThsNRtqZP7mL0xLugBby2OPUkBd5A9CBdtODdms+uN3fBH Awng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=cUS3+FHzxdOJYBvppLYv/k7Qnu4FBiAFM6a3qwD7zwE=; b=rlN4XriG25pFfLqYHmPF1DDQGzYR1Y7L+uhU3Kb3ZW41rYNxS4JzxTrath+3mC17BD J6CkAupC3G+pbcFXzMZWO4dzEIiPsDNXAjDx3cnuzVqu6mGx48lc3ygbj4ajPjCfugYj /qcOwJXDFLHcmJj6jex9mVMUq4YkY5ZzYBfDgZHNsnthunh1yELWqBQGYEzQ1mPW4tdF Ok+kzy/7oDD/Wil1FWFfmHScFwQG3JAZcYsIeiJCIljfpvLsVjLdyZq77ziumWcAunJH DgSVi7PxVs0WrEoByZRNUsqypA+Kj5OVWTr1Ml2H8bH6sNY+p3nrfNIqwJdeju5xHx0l RIOQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=EOZNcbLX; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h26si1702300eja.132.2020.05.27.04.56.43; Wed, 27 May 2020 04:57:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=EOZNcbLX; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728842AbgE0L2f (ORCPT + 99 others); Wed, 27 May 2020 07:28:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44500 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728568AbgE0L2f (ORCPT ); Wed, 27 May 2020 07:28:35 -0400 Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 028F9C061A0F; Wed, 27 May 2020 04:28:35 -0700 (PDT) Received: by mail-ed1-x543.google.com with SMTP id k19so19981044edv.9; Wed, 27 May 2020 04:28:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cUS3+FHzxdOJYBvppLYv/k7Qnu4FBiAFM6a3qwD7zwE=; b=EOZNcbLX4WgtgegWPrbd31D1EDL1EwaAPdS/8W+FukopOQKazQsRHeVSMbBY0lh8Sp 55WI9/eWKvjGONoI96NM4gz4SLe6yxjSXzBDMdI6TaaNquols/wODObgUqHchYP2ykNh Mt/50OjTxCzIUxPDhnaK19aG2LsNmXZt0jxj3p7Wcdi2E4AsjFkwtQ8+veswFbOkZgsP 3SaH38NQKvl5Gzh/5TwsrOpd+sU6phvrZa8McqrqjC9vKkcg2lucAgjAQ3BXzs+8Fn0Q G/LH5EgJpE661+jvyfKfUKPd3i8M5b3ZgjJbFwucRPnQ0qxTaozdh6XRhry6D/Do/MWZ 76kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cUS3+FHzxdOJYBvppLYv/k7Qnu4FBiAFM6a3qwD7zwE=; b=YpwFRom3o8uC3cd2t8KGy70SC6AOqnDEH7bZrtmdKlgcXI3uG0MKL+SiyD9D0sOzx/ vVWEj/AD10kaUoQI9gm5yj5pmQz4nSxfyQmh+rY57x3PU81ezQOtmJzHzDDyIcRnmNO9 eDIjSAif/UaBVj9LAw1/NhPe8hRKXK9Nlyo2rblbFVjFTAXMOZkHYp6wfrYHHpNXHWf1 Z2B5p6nbQay+LXwyj6mPs2KCZ+zMyiK2uwdwDwcA3AfW/zIo0BegRX1bA4LSAizY9hWT wwjBR9nUiBqBzha8/9ENgzEhMqLh2MQExwJ/jLX12mHDgKcYyzGn7uJOToddLZfMVkQg PaAg== X-Gm-Message-State: AOAM531BhXejA9ALuzAo4bcgzRYnFUQU36t5RSHpJXUdIUas13ytV2bo R2+z4DyeA0aUcX21cwD5kjJc8Yj2rG6r1UGGn0w= X-Received: by 2002:a50:f983:: with SMTP id q3mr908282edn.259.1590578913571; Wed, 27 May 2020 04:28:33 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Eric Curtin Date: Wed, 27 May 2020 12:28:21 +0100 Message-ID: Subject: Re: Looking for an open-source thesis idea To: Sandy Harris Cc: Linux Crypto Mailing List , Kernel development list Content-Type: text/plain; charset="UTF-8" Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Sandy, I actually have worked quite a bit with IPsec, it's not a protocol I'm a huge fan of, it's use of multiple ports make it difficult to work with middleboxs (be it load-balancers, TLS interceptors, reverse proxies, proxies, firewalls, routers, switches, etc.). I've even seen issues where some middleboxes only recognize TCP/UDP packets and not ESP packets. There's so many implementations of IPsec with various routers OS's and the standard seems to be only sort of universally accepted. It can be difficult to deploy. Although Wireshark does solve at many of these problems, it's simpler at least, as regards VPNs I really like it. I'm actually more a fan of protocols that applications have a little more control over like QUIC over UDP or TLS over TCP. I actually use HTTPS Everywhere plugin, but at the end of the day, that simply just turns on TLS encryption if it's available right? I like some of the problems QUIC solves, the multiple handshake problem decreasing overall round trips, and just that it's more modern. openssl is brilliant, but there's a lot of deadwood, older encryption techniques in that codebase. A monolithic secure TCP protocol seems like a nice idea, but maybe it is too difficult. I think it's a nice idea to explore OOM killer and compare it to the solutions on various other OS's (FreeBSD, AIX, z/OS, Solaris, HP-UX, macOS, iOS, Windows, Zircon, etc. and the OS I work on Powermax). Thanks for that. Any other ideas, keep them coming :) On Tue, 26 May 2020 at 08:18, Sandy Harris wrote: > > Eric Curtin wrote: > > > Hope I'm not bothering you. I'm looking for a masters thesis idea, ... > > > I'm really liking this > > new QUIC (UDP) protocol as an alternative to TCP over TLS. And with > > the growth of new modern secure protocols like Wireguard. I was > > wondering, would it be an idea to do a monolithic secure TCP protocol > > (as an alternative to TCP over TLS) as a small thesis project or is it > > as hard as the guys at Google make is sound? > > > > "Because TCP is implemented in operating system kernels, and middlebox > > firmware, making significant changes to TCP is next to impossible." > > I'm inclined to agree with the Google folk on that. However, what about > IPsec? That was designed to secure anything-over-IP so it should be > a more general solution. The FreeS/WAN project added opportunistic > encryption for wider availability > https://freeswan.org/freeswan_trees/freeswan-2.06/doc/intro.html#goals > > Today some opportunistic encryption protocols -- SMTP-over-TLS and > HTTPS Everywhere -- are quite widespread but my impression is > that opportunistic IPsec is not. Would adding it to an open source > router be a thesis-sized project? Or, since routers likely have IPsec > already, just making it easier to deploy? > > > I'm open to any other suggestions also for my thesis :) > > Linux's OOM killer strikes me as a spectacularly ugly kluge, > but people who are certainly more knowledgeable and likely > more competent seem to think it is necessary. Is there a > thesis in examining it, looking at how other Unix-like systems > handle the problem & perhaps implementing an alternative > for Linux?