Date: Sun, 19 Aug 2018 18:12:32 -0700
From: Conrad Meyer <cem@freebsd.org>
To: Michael Tuexen <tuexen@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r338053 - head/sys/netinet
Message-ID: <CAG6CVpUfrBcTr9TqDFAnZz0sZhD=c6Tc-Xa6-GfXJvJ%2B964jFg@mail.gmail.com>
In-Reply-To: <97661C9D-9C25-4DE0-89A8-FE1C40DAFB81@freebsd.org>
References: <201808191456.w7JEuAZE069780@repo.freebsd.org> <CAG6CVpW6GyS-xV1xBnMsiFiKPvTX9Xe4EXkyhfXXGdBUvfko8w@mail.gmail.com> <97661C9D-9C25-4DE0-89A8-FE1C40DAFB81@freebsd.org>

On Sun, Aug 19, 2018 at 10:08 AM, Michael Tuexen <tuexen@freebsd.org> wrote:
>> On 19. Aug 2018, at 18:35, Conrad Meyer <cem@FreeBSD.org> wrote:
>> Hi Michael,
>>
>> How was this particular keyed hash function construction chosen?
>> (Yes, I see it is the same initial TSN, but how was that selected?)
> You mean:
>
> Why is FreeBSD using the MD5 with secret suffix as the keyed hash function?

Yes :-).

> I don't know, I have not implemented that.
>
> However, https://tools.ietf.org/html/rfc6528#section-3 suggests this,
> OpenBSD uses a similar computation, but uses SHA512 instead of MD5, NetBSD
> seems to use the same computation as FreeBSD.
> I guess using MD5 was an acceptable choice at the time the choice was made.

I see.  I don't know that MD5 is a poor fit, but the actual HMAC
construction has somewhat nicer properties than this digest with a
plain secret suffix construction.  I don't know that those properties
matter for this use, especially when the hash is then truncated to a
32-bit value anyway.

> When preparing this patch I was about to choose a different keyed hash function,
> but decided to separate
> * Using a keyed hash function as the offset for the TCP time stamp.
> * Choose a good keyed hash function.
>
> That is why I isolated the keyed hash function. So it is simple to replace
> it with a different one.

That seems very reasonable to me, thanks.

> I think it would be good to change this keyed hash function to SIP-HASH (both
> for the initial sequence number and the time stamp). Opinions?

Well, sip-hash is no cryptographic hash, but it is unclear to me if
that is needed or meaningful for this use.  There may be good modern
keyed cryptographic hashes with comparable performance to MD5 (i.e.,
according to https://www.cryptopp.com/benchmarks.html Blake2 may have
comparable performance to MD5, although it is unclear how performance
compares for very small "messages" like this use).

But I admit I am unfamiliar with the requirements here and therefore
am hesitant to make any recommendation.

All the best,
Conrad
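
Added example, not part of the original message and not FreeBSD's code: the keyed-hash options named in this thread (MD5 with secret suffix, HMAC, keyed BLAKE2) behind one interchangeable interface, each truncated to a 32-bit offset and added to a counter in the RFC 6528 section 3 form. The 4-tuple byte layout, taking the first four digest bytes, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

def conn_id(laddr, lport, faddr, fport):
    """Serialize the 4-tuple (byte layout is this example's assumption)."""
    return (ipaddress.ip_address(laddr).packed + struct.pack("!H", lport) +
            ipaddress.ip_address(faddr).packed + struct.pack("!H", fport))

def md5_secret_suffix(secret, msg):
    # Construction discussed in the thread: plain digest of message || secret.
    return hashlib.md5(msg + secret).digest()

def hmac_md5(secret, msg):
    # HMAC: two nested hash passes with the key mixed into both.
    return hmac.new(secret, msg, hashlib.md5).digest()

def blake2s_keyed(secret, msg):
    # BLAKE2 has a native keyed mode (blake2s accepts keys up to 32 bytes).
    return hashlib.blake2s(msg, key=secret, digest_size=16).digest()

def offset32(keyed_hash, secret, laddr, lport, faddr, fport):
    """Truncate the keyed hash of the connection id to a 32-bit offset."""
    digest = keyed_hash(secret, conn_id(laddr, lport, faddr, fport))
    return int.from_bytes(digest[:4], "big")  # first 4 bytes: assumption

def initial_value(counter, keyed_hash, secret, *four_tuple):
    """RFC 6528 form: value = M + F(4-tuple, secret), modulo 2**32."""
    return (counter + offset32(keyed_hash, secret, *four_tuple)) & 0xFFFFFFFF

if __name__ == "__main__":
    secret = bytes(range(32))  # constructed sample key; a real key is random
    tup = ("192.0.2.10", 49152, "198.51.100.7", 443)  # documentation addresses
    for f in (md5_secret_suffix, hmac_md5, blake2s_keyed):
        print(f"{f.__name__:18s} offset=0x{offset32(f, secret, *tup):08x}")
```

Because every variant has the same (secret, message) signature, swapping the keyed hash is a one-argument change, which is the separation the quoted patch description aims for.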