Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1521240pxb; Wed, 12 Jan 2022 17:14:42 -0800 (PST) X-Google-Smtp-Source: ABdhPJy4jzsFJOmaU7gNF2Xz46FADayh44JXvHqrw+Vy+dh6FCOiWNQc1L3QZybjjBxpH+m8QKXx X-Received: by 2002:a17:907:6d03:: with SMTP id sa3mr1848893ejc.200.1642036482297; Wed, 12 Jan 2022 17:14:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642036482; cv=none; d=google.com; s=arc-20160816; b=SqV7y1zlMakfCrAscT/AvlUZX71SJ+g+ONDRMvOBxlaSWhYrSUyrdNyJWkk/wDzxxt 4zr5wBD4RL/Zi7oXj22A+5LEtWgr5MdnzVyclVmmGT/+w7G4ErFqpUPi8XwvhDIGRxh/ q8RELAjNJ8hP5TjBqpKaiFwiD/Kd02I4SQhKHu5RA5YNFGzHTsFmMGPrcIP/l0/11uRW fM2UVUNCdn5zSsqcM5/Zl0QHdkvO70GoNJf9f+W77QNDGIhrbZ+lkcTaZ8M4cvJulF0+ F6ZwLaBzNPUNVvTZ0GshVOoa3owu+sIpJaLQ+NGvANfZqSJasNPK1f0kAsx5OdGhRO7a O3QQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dkim-signature; bh=hstk73wuIKZWiikWlym2h0bIC3qGMXsXWymKJtQh5ys=; b=YxcfQH+n6nGin1D2mkIklK20y1V2wdN++/9ueFaM10I6bFCbUy7HAz17T2XtWqL/1x DZxO2NUoICO3f8DwU/Yj9Drt4Zk3vQ0W3yUo3FsERQu5/bn2QFh96IjzNWyByFVeMbIA pXXgctrasvQrRAhFvM+erhjga5H3N2bhiVQCnAoj6REJZtYF8UrF3uCDHBK1oOf2hXNl 4StJPMR1JdpM1Xcprz3fyb9IOAEE9WNgKZbX64KCo/9N54lWPjQXGp69EJF+m8guPjK1 6MRUyy0qIG+hjxh8KHTHTsFRbTy/0NlkmxiM2B8Y/Gs1n/2vOiA0NAmeyad5VUcyhUCH 3aWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=TfsWPvgX; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y11si865978edm.218.2022.01.12.17.14.18; Wed, 12 Jan 2022 17:14:42 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=TfsWPvgX; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235447AbiALXcA (ORCPT + 99 others); Wed, 12 Jan 2022 18:32:00 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:38234 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235421AbiALXb6 (ORCPT ); Wed, 12 Jan 2022 18:31:58 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C4165B82188; Wed, 12 Jan 2022 23:31:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id EF377C36AF2; Wed, 12 Jan 2022 23:31:54 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="TfsWPvgX" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1642030311; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hstk73wuIKZWiikWlym2h0bIC3qGMXsXWymKJtQh5ys=; b=TfsWPvgXekG/1IVjr0hbJSZ9+mLRmpbL5U4Eq5MjE6/kba79M6pIMbxIGKKGDgv+Fejvya lfNJJqkjkmxJF2zUmC1gjt9u4ZNPb03bc2K4K3oMolN6Afn8kHPhERaS36Mo55OKhZaDbC SVR4F0lYxwTH+iea5Wziem4LXnxE0Ag= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 98d0b2c9 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Wed, 12 Jan 2022 23:31:51 +0000 (UTC) Received: by mail-yb1-f171.google.com with SMTP id g81so10029968ybg.10; Wed, 12 Jan 2022 15:31:50 -0800 (PST) X-Gm-Message-State: AOAM530uzYfmi2peL82YFOSG8xY1Xco12LXAEhmpO+RXbxM3c4TrVSVX xcSzhkr9wCVapmmnvKnos4oLPlpMxmXAUdRG7So= X-Received: by 2002:a25:a0c4:: with SMTP id i4mr2845644ybm.457.1642030309048; Wed, 12 Jan 2022 15:31:49 -0800 (PST) MIME-Version: 1.0 Received: by 2002:a05:7110:209:b0:11c:1b85:d007 with HTTP; Wed, 12 Jan 2022 15:31:48 -0800 (PST) In-Reply-To: <87r19cftbr.fsf@toke.dk> References: <20220112131204.800307-1-Jason@zx2c4.com> <20220112131204.800307-3-Jason@zx2c4.com> <87r19cftbr.fsf@toke.dk> From: "Jason A. Donenfeld" Date: Thu, 13 Jan 2022 00:31:48 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH RFC v1 2/3] ipv6: move from sha1 to blake2s in address calculation To: =?UTF-8?B?VG9rZSBIw7hpbGFuZC1Kw7hyZ2Vuc2Vu?= Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Geert Uytterhoeven , Herbert Xu , Ard Biesheuvel , Jean-Philippe Aumasson , linux-crypto@vger.kernel.org, Erik Kline , Fernando Gont , Lorenzo Colitti , hideaki.yoshifuji@miraclelinux.com, Hannes Frederic Sowa Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Toke, On 1/13/22, Toke H=C3=B8iland-J=C3=B8rgensen wrote: > However, if we make this change, systems setting a stable_secret and > using addr_gen_mode 2 or 3 will come up with a completely different > address after a kernel upgrade. Which would be bad for any operator > expecting to be able to find their machine again after a reboot, > especially if it is accessed remotely. > > I haven't ever used this feature myself, though, or seen it in use. So I > don't know if this is purely a theoretical concern, or if the > stable_address feature is actually used in this way in practice. If it > is, I guess the switch would have to be opt-in, which kinda defeats the > purpose, no (i.e., we'd have to keep the SHA1 code around I'm not even so sure that's true. That was my worry at first, but actually, looking at this more closely, DAD means that the address can be changed anyway - a byte counter is hashed in - so there's no gurantee there. There's also the other aspect that open coding sha1_transform like this and prepending it with the secret (rather than a better construction) isn't so great... Take a look at the latest version of this in my branch to see a really nice simplification and security improvement: https://git.zx2c4.com/linux-dev/log/?h=3Dremove-sha1 Jason