Re: [RFCv2 1/9] tcp: authopt: Initial support and key management

[Leonard Crestez]

On 8/11/21 11:29 AM, Leonard Crestez wrote:
> On 8/10/21 11:41 PM, Dmitry Safonov wrote:
> > On Tue, 10 Aug 2021 at 02:50, Leonard Crestez <cdleonard@xxxxxxxxx> 
> > > +       /* If an old value exists for same local_id it is deleted */
> > > +       key_info = __tcp_authopt_key_info_lookup(sk, info, 
> > > opt.local_id);
> > > +       if (key_info)
> > > +               tcp_authopt_key_del(sk, info, key_info);
> > > +       key_info = sock_kmalloc(sk, sizeof(*key_info), GFP_KERNEL | 
> > > __GFP_ZERO);
> > > +       if (!key_info)
> > > +               return -ENOMEM;
> >
> > 1. You don't need sock_kmalloc() together with tcp_authopt_key_del().
> >      It just frees the memory and allocates it back straight away - no
> > sense in doing that.
>
> The list is scanned in multiple places in later commits using nothing 
> but an rcu_read_lock, this means that keys can't be updated in-place.
>
> > 2. I think RFC says you must not allow a user to change an existing key:
> > > MKT parameters are not changed. Instead, new MKTs can be installed, 
> > > and a connection
> > > can change which MKT it uses.
> >
> > IIUC, it means that one can't just change an existing MKT, but one can
> > remove and later
> > add MKT with the same (send_id, recv_id, src_addr/port, dst_addr/port).
> >
> > So, a reasonable thing to do:
> > if (key_info)
> >      return -EEXIST.
>
> You're right, making the user delete keys explicitly is better.

On a second thought this might be required to mark keys as "send-only" 
and "recv-only" atomically.

Separately from RFC5925 some vendors implement a "keychain" model based 
on RFC8177 where each key has a distinct "accept-lifetime" and a 
"send-lifetime". This could be implemented by adding flags 
"expired_for_send" and "expired_for_recv" but requires the ability to 
set an expiration mark without the key ever being deleted.

--
Regards,
Leonard