From: Conrad Meyer
Reply-To: cem@freebsd.org
Date: Sun, 19 Aug 2018 18:12:32 -0700
Subject: Re: svn commit: r338053 - head/sys/netinet
To: Michael Tuexen
Cc: src-committers, svn-src-all@freebsd.org, svn-src-head@freebsd.org
In-Reply-To: <97661C9D-9C25-4DE0-89A8-FE1C40DAFB81@freebsd.org>
References: <201808191456.w7JEuAZE069780@repo.freebsd.org> <97661C9D-9C25-4DE0-89A8-FE1C40DAFB81@freebsd.org>
List-Id: SVN commit messages for the src tree for head/-current

On Sun, Aug 19, 2018 at 10:08 AM, Michael Tuexen wrote:
>> On 19. Aug 2018, at 18:35, Conrad Meyer wrote:
>> Hi Michael,
>>
>> How was this particular keyed hash function construction chosen?
>> (Yes, I see it is the same initial TSN, but how was that selected?)
> You mean:
>
> Why is FreeBSD using the MD5 with secret suffix as the keyed hash function?

Yes :-).

> I don't know, I have not implemented that.
>
> However, https://tools.ietf.org/html/rfc6528#section-3 suggests this,
> OpenBSD uses a similar computation, but uses SHA512 instead of MD5, NetBSD
> seems to use the same computation as FreeBSD.
> I guess using MD5 was an acceptable choice at the time the choice was made.

I see.
I don't know that MD5 is a poor fit, but the actual HMAC construction has
somewhat nicer properties than this digest with a plain secret suffix
construction. I don't know that those properties matter for this use,
especially when the hash is then truncated to a 32-bit value anyway.

> When preparing this patch I was about to choose a different keyed hash function,
> but decided to separate
> * Using a keyed hash function as the offset for the TCP time stamp.
> * Choose a good keyed hash function.
>
> That is why I isolated the keyed hash function. So it is simple to replace
> it with a different one.

That seems very reasonable to me, thanks.

> I think it would be good to change this keyed hash function to SIP-HASH (both
> for the initial sequence number and the time stamp). Opinions?

Well, sip-hash is no cryptographic hash, but it is unclear to me if that is
needed or meaningful for this use. There may be good modern keyed
cryptographic hashes with comparable performance to MD5 (i.e., according to
https://www.cryptopp.com/benchmarks.html Blake2 may have comparable
performance to MD5, although it is unclear how performance compares for very
small "messages" like this use). But I admit I am unfamiliar with the
requirements here and therefore am hesitant to make any recommendation.

All the best,
Conrad
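As an added illustration (not code from the FreeBSD tree or from either poster), the Python below sketches the design point discussed in the thread: an RFC 6528 style per-connection offset F(local address, local port, remote address, remote port, secret) computed by an isolated keyed hash function, with the MD5 secret-suffix construction, its HMAC wrapper and SipHash-2-4 plugged in behind the same 32-bit interface. The tuple byte layout, the key sizes and keeping the low 32 bits of each digest are this example's own choices, not FreeBSD's.

```python
import hashlib
import hmac
import socket
import struct

MASK64 = (1 << 64) - 1

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64

def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 (reference algorithm): 128-bit key, 64-bit PRF output."""
    k0, k1 = struct.unpack("<QQ", key)
    v0, v1 = k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d
    v2, v3 = k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573
    def rnd(v0, v1, v2, v3):
        v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
        v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16) ^ v2
        v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21) ^ v0
        v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
        return v0, v1, v2, v3
    # Pad with zero bytes to 7 mod 8, then append the message length byte.
    padded = msg + b"\x00" * ((7 - len(msg)) % 8) + bytes([len(msg) & 0xff])
    for (m,) in struct.iter_unpack("<Q", padded):
        v3 ^= m
        v0, v1, v2, v3 = rnd(*rnd(v0, v1, v2, v3))      # 2 compression rounds
        v0 ^= m
    v2 ^= 0xff
    for _ in range(4):                                   # 4 finalization rounds
        v0, v1, v2, v3 = rnd(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3

def conn_tuple(laddr: str, lport: int, faddr: str, fport: int) -> bytes:
    """Serialize the 4-tuple RFC 6528 feeds to F(); this byte layout is ours."""
    return (socket.inet_aton(laddr) + struct.pack("!H", lport) +
            socket.inet_aton(faddr) + struct.pack("!H", fport))

# Three interchangeable keyed hash functions, each truncated to 32 bits.
def md5_suffix32(secret: bytes, msg: bytes) -> int:   # H(msg || secret), as discussed
    return int.from_bytes(hashlib.md5(msg + secret).digest()[:4], "little")

def hmac_md5_32(secret: bytes, msg: bytes) -> int:    # same digest, HMAC (RFC 2104) wrapper
    return int.from_bytes(hmac.new(secret, msg, hashlib.md5).digest()[:4], "little")

def siphash32(secret: bytes, msg: bytes) -> int:      # SipHash-2-4, first 16 key bytes
    return siphash24(secret[:16], msg) & 0xffffffff

def ts_offset(keyed_hash, secret: bytes, laddr, lport, faddr, fport) -> int:
    # Per-connection 32-bit offset; keyed_hash is the only part that changes.
    return keyed_hash(secret, conn_tuple(laddr, lport, faddr, fport))
```

Swapping the construction is a one-argument change at the call site, which is the property Michael's isolation of the keyed hash function is meant to buy.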