From: Mark Johnston
To: freebsd-net@freebsd.org
Date: Fri, 10 Jul 2020 14:21:03 -0400
Subject: Re: making SCTP loadable and removing it from GENERIC
Message-ID: <20200710182103.GB9380@raichu>
In-Reply-To: <20200709151300.GC8947@raichu>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Jul 09, 2020 at 11:13:00AM -0400, Mark Johnston wrote:
> Hi,
>
> I spent some time working on making it possible to load the SCTP stack
> as a kernel module, the same as we do today with IPSec. There is one
> patch remaining to be committed before that can be done in head. One
> caveat is that the module can't be unloaded, as some work is needed to
> make this safe. However, this obviously isn't a regression.
>
> The work is based on the observations that:
> 1) the in-kernel SCTP stack is not widely used (I know that the same
> code is used in some userland applications), and
> 2) the SCTP stack is quite large, most FreeBSD kernel developers are
> unfamiliar with it, and bugs in it can easily lead to security holes.
>
> Michael has done a lot of work to fix issues in the SCTP code,
> particularly those found by syzkaller, but given that in-kernel SCTP has
> few users (almost certainly fewer than IPSec), it seems reasonable to
> require users to opt in to having an SCTP stack with a simple "kldload
> sctp". Thus, once the last patch is committed I would like to propose
> removing "options SCTP" from GENERIC kernel configs in head, replacing
> it with "options SCTP_SUPPORT" to enable sctp.ko to be loaded.
>
> I am wondering if anyone has any objections to or concerns about this
> proposal.
> Any feedback is appreciated.

As a follow-up, here is the proposed change now that the requisite code has been committed to head:

https://reviews.freebsd.org/D25611

I will wait for a week or so for feedback.
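For a defender auditing what the proposal changes on a given host, here is an added example (my own script, not code from this thread or from FreeBSD) that classifies how a kernel provides SCTP from two text inputs: the build config as exposed by `sysctl -n kern.conftxt` and the module list from `kldstat`. The `sctp_state` function name, the four state labels and the assumed line formats of both inputs are mine, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: classify how a kernel
# provides the SCTP stack from the build config text (`sysctl -n kern.conftxt`)
# and the module list (`kldstat`). Both line formats are assumed.

# sctp_state CONFTXT KLDSTAT -> prints one of:
#   builtin   "options SCTP" compiled in (GENERIC before the proposal)
#   loaded    "options SCTP_SUPPORT" kernel with sctp.ko loaded (opted in)
#   loadable  "options SCTP_SUPPORT" kernel, sctp.ko not loaded
#   absent    neither option, so per the proposal sctp.ko cannot be loaded
sctp_state() {
    _conf=$1 _klds=$2
    if printf '%s\n' "$_conf" | grep -Eq '^[[:space:]]*options[[:space:]]+SCTP([[:space:]]|$)'; then
        echo builtin
    elif printf '%s\n' "$_conf" | grep -Eq '^[[:space:]]*options[[:space:]]+SCTP_SUPPORT([[:space:]]|$)'; then
        if printf '%s\n' "$_klds" | grep -Eq '[[:space:]]sctp\.ko[[:space:]]*$'; then
            echo loaded
        else
            echo loadable
        fi
    else
        echo absent
    fi
}

# Constructed samples, not captured from real systems: the two GENERIC variants
# the proposal contrasts and a stripped-down kernel carrying neither option.
OLD_GENERIC='ident   GENERIC
options INET
options SCTP
options IPSEC_SUPPORT'
NEW_GENERIC='ident   GENERIC
options INET
options SCTP_SUPPORT
options IPSEC_SUPPORT'
MINIMAL='ident   MINIMAL
options INET'
KLD_NO_SCTP='Id Refs Address                Size Name
 1   10 0xffffffff80200000  1f3c000 kernel'
KLD_SCTP="$KLD_NO_SCTP
 2    1 0xffffffff82a00000    5a8e8 sctp.ko"
# Audit the running host when the FreeBSD tools exist; otherwise walk the samples.
if command -v kldstat >/dev/null 2>&1 && sysctl -n kern.conftxt >/dev/null 2>&1; then
    echo "this host: $(sctp_state "$(sysctl -n kern.conftxt)" "$(kldstat)")"
else
    echo "old GENERIC:           $(sctp_state "$OLD_GENERIC" "$KLD_NO_SCTP")"  # builtin
    echo "new GENERIC:           $(sctp_state "$NEW_GENERIC" "$KLD_NO_SCTP")"  # loadable
    echo "new GENERIC + sctp.ko: $(sctp_state "$NEW_GENERIC" "$KLD_SCTP")"     # loaded
    echo "MINIMAL:               $(sctp_state "$MINIMAL" "$KLD_NO_SCTP")"      # absent
fi
```

On a post-proposal GENERIC the interesting transition is `loadable` to `loaded`, which is the opt-in the message describes and a useful thing to alert on in host inventory.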