From owner-freebsd-current@freebsd.org  Sat Feb 27 14:10:23 2021
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7662F5675C2
 for <freebsd-current@mailman.nyi.freebsd.org>;
 Sat, 27 Feb 2021 14:10:23 +0000 (UTC)
 (envelope-from freebsd-rwg@gndrsh.dnsmgr.net)
Received: from gndrsh.dnsmgr.net (br1.CN84in.dnsmgr.net [69.59.192.140])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4DnpML2DKzz4tLq;
 Sat, 27 Feb 2021 14:10:21 +0000 (UTC)
 (envelope-from freebsd-rwg@gndrsh.dnsmgr.net)
Received: from gndrsh.dnsmgr.net (localhost [127.0.0.1])
 by gndrsh.dnsmgr.net (8.13.3/8.13.3) with ESMTP id 11REAEGX034987;
 Sat, 27 Feb 2021 06:10:14 -0800 (PST)
 (envelope-from freebsd-rwg@gndrsh.dnsmgr.net)
Received: (from freebsd-rwg@localhost)
 by gndrsh.dnsmgr.net (8.13.3/8.13.3/Submit) id 11REAEZm034986;
 Sat, 27 Feb 2021 06:10:14 -0800 (PST) (envelope-from freebsd-rwg)
From: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
Message-Id: <202102271410.11REAEZm034986@gndrsh.dnsmgr.net>
Subject: Re: KTLS with zfs recv
In-Reply-To: <CAOtMX2geavU-dvoT_WhifHh6ijmf+wSCkV52k89JWn8DgjdArA@mail.gmail.com>
To: Alan Somers <asomers@freebsd.org>
Date: Sat, 27 Feb 2021 06:10:13 -0800 (PST)
CC: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>,
 FreeBSD CURRENT <freebsd-current@freebsd.org>
X-Mailer: ELM [version 2.4ME+ PL121h (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
X-Rspamd-Queue-Id: 4DnpML2DKzz4tLq
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=none (mx1.freebsd.org: domain of freebsd-rwg@gndrsh.dnsmgr.net has no SPF
 policy when checking 69.59.192.140)
 smtp.mailfrom=freebsd-rwg@gndrsh.dnsmgr.net
X-Spamd-Result: default: False [-0.10 / 15.00]; MID_RHS_MATCH_FROM(0.00)[];
 ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3];
 NEURAL_SPAM_SHORT(1.00)[1.000]; NEURAL_HAM_LONG(-1.00)[-1.000];
 MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[dnsmgr.net];
 RBL_DBL_DONT_QUERY_IPS(0.00)[69.59.192.140:from];
 AUTH_NA(1.00)[];
 SPAMHAUS_ZRD(0.00)[69.59.192.140:from:127.0.2.255];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[];
 R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[];
 RCVD_TLS_LAST(0.00)[]; R_DKIM_NA(0.00)[];
 ASN(0.00)[asn:13868, ipnet:69.59.192.0/19, country:US];
 MIME_TRACE(0.00)[0:+]; MAILMAN_DEST(0.00)[freebsd-current];
 RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Feb 2021 14:10:23 -0000

> On Fri, Feb 26, 2021 at 9:24 AM Rodney W. Grimes <
> freebsd-rwg@gndrsh.dnsmgr.net> wrote:
> 
> > > My understanding is that KTLS works very well with OpenSSL for sending,
> > but
> > > not as well for receiving, because there's nothing like a recvfile
> > > syscall.  However, it works great for both send and receive with NFS,
> > where
> > > all the data remains in the kernel. What about zfs recv?  A very common
> > > pattern is for an application to read from an SSL socket and then pipe
> > the
> > > data to zfs recv. For example, zrepl does that.  Could zfs recv instead
> > > read directly from the KTLS socket, bypassing userspace?  That could
> > > potentially save a _lot_ of cycles for a _lot_ of people.
> >
> > I did some patches and a short presentation at BSDCan that basically
> > shoves the whole zfs send and zfs recv process into the kernel, ie
> > it opens the sockets up, makes the connections, then the socket
> > is passed into the kernel(s) and it all runs in kernel mode.
> >
> >
> > https://www.bsdcan.org/2018/schedule/attachments/479_BSDCan-2018-zfs-send.pdf
> >
> > A few things need fixed like reversing who does the listen for
> > security reasons, but this feature is probably ready for prime
> > time.
> >
> > > -Alan
> >
> > --
> > Rod Grimes
> > rgrimes@freebsd.org
> 
> 
> That looks potentially useful, but it doesn't use encryption.  Would it
> work if the socket had been opened by openssl with ktls?

Alan,
	Should I revise the code to meet the state that was discussed
during the BSDCan talk so that it can be committed?  Matt Aherns said
at the time he felt if I just reversed the listen/connect relationship
between send and recv that it addressed enough of the security concern
to be usable "on a local and well administered" network and would
probably be safe to import into upstream ZFS.  (This was prior to
FreeBSD moving to openzfs.)

>From other discussion in this thread it does not sound difficult to
implement the KTLS end of it, but I doubt that would be portable
enough to upstream, maybe someone can speak to that issue?

-- 
Rod Grimes                                                 rgrimes@freebsd.org