SlideShare ist ein Scribd-Unternehmen logo

Better IPSec Security Association Resolution - Netconf 2006 Tokyo

J
James Morris

Better IPSec Security Association Resolution - Netconf 2006 Tokyo Presentation slides.

Technologie
1 von 9
Downloaden Sie, um offline zu lesen
Better IPSec Security Association Resolution Netconf 2006 Tokyo James Morris jmorris@namei.org    
Problem a) Outbound packet b) Security policy db entry match c) No security association in kernel ● Most of the time, we return EAGAIN to app or drop packet if forwarding. ● We kick the key manager, and usually have an SA available for next packet.    
Problem... ● It actually kind of works for one case: blocking sendmsg() of datagrams. ● Process is scheduled in a loop until SA resolved. See xfrm_lookup(). ● Does not work for connect(2), so ping and many UDP apps just get EAGAIN.    
Solution ● General solution for all protocols and contexts: – connect(2) – sendmsg(2) – forwarding path (tunnel endpoint) – various kernel-generated packets – blocking and non-blocking modes    
Solution... ● Ideally, we'd like connect(2) to follow Posix semantics, for non-blocking this is: – Return EINPROGESS first – Return EALREADY until SA resolved ● For non-blocking sockets in general, it'd be nice to make sure poll(2) works as expected. – even for datagram protocols, as IPSec adds a kind of session underneath.    
Solution... ● sendmsg(2) should return EAGAIN for non- blocking case ● For tunnel end point, we probably need to queue packets in a resolution queue. ● This may also be useful for non-blocking socket case. ● Herbert has suggested larval dst to go with larval SA.    
Status ● Current patch contains a lot of instrumentation and some initial changes: – Make connect(2) work for the blocking case, hooking into ip_route_connect() – Propagate new flags down to xfrm_lookup() to control behavior: ● Kick the key manager? ● Sleep until resolved?    
Ongoing work ● Continue to develop code to handle all cases and protocols ● Probably involve some code consolidation ● Determine how much of the problem to solve    
Issues ● Not clear on all of the use-cases for this: – Opportunistic encryption – Complex/large scale policy where pro-active SA negotiation overhead would be too high – Others?    

Empfohlen

Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device DriversFast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device DriversPantazis Deligiannis
 
ITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferSneh Prabha
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linuxSusant Sahani
 
120827 JAWS-UG Sapporo7 openswanでvpc
120827 JAWS-UG Sapporo7 openswanでvpc120827 JAWS-UG Sapporo7 openswanでvpc
120827 JAWS-UG Sapporo7 openswanでvpcMachie Atarashi
 
VPNaaS neutron
VPNaaS neutronVPNaaS neutron
VPNaaS neutronNarasimha sreeram
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1Abdallah Abuouf
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008James Morris
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007James Morris
 

Empfohlen

Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device DriversFast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device DriversPantazis Deligiannis
 
ITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferSneh Prabha
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linuxSusant Sahani
 
120827 JAWS-UG Sapporo7 openswanでvpc
120827 JAWS-UG Sapporo7 openswanでvpc120827 JAWS-UG Sapporo7 openswanでvpc
120827 JAWS-UG Sapporo7 openswanでvpcMachie Atarashi
 
VPNaaS neutron
VPNaaS neutronVPNaaS neutron
VPNaaS neutronNarasimha sreeram
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1Abdallah Abuouf
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008James Morris
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007James Morris
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
VTI の中身
VTI の中身VTI の中身
VTI の中身Masakazu Asama
 
SmartCloud Enterprise: Using a SOCKS Proxy with VLANs
SmartCloud Enterprise: Using a SOCKS Proxy with VLANsSmartCloud Enterprise: Using a SOCKS Proxy with VLANs
SmartCloud Enterprise: Using a SOCKS Proxy with VLANsAlex Amies
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoJames Morris
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
SDN in the Management Plane: OpenConfig and Streaming Telemetry
SDN in the Management Plane: OpenConfig and Streaming TelemetrySDN in the Management Plane: OpenConfig and Streaming Telemetry
SDN in the Management Plane: OpenConfig and Streaming TelemetryAnees Shaikh
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsPaulWay
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 
One Year of Porting - Post-mortem of two Linux/SteamOS launches
One Year of Porting - Post-mortem of two Linux/SteamOS launchesOne Year of Porting - Post-mortem of two Linux/SteamOS launches
One Year of Porting - Post-mortem of two Linux/SteamOS launchesLeszek Godlewski
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersSadique Puthen
 
Single Packet Authorization - Slides English
Single Packet Authorization - Slides EnglishSingle Packet Authorization - Slides English
Single Packet Authorization - Slides EnglishLeandro Almeida
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikGLC Networks
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryanyyaevents
 
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...Yandex
 
cachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Cachingcachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance CachingScyllaDB
 
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheapUWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheapedlangley
 
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018Roger Zhou 周志强
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Userspace adaptive spinlocks with rseq
Userspace adaptive spinlocks with rseqUserspace adaptive spinlocks with rseq
Userspace adaptive spinlocks with rseqIgalia
 
Memory model
Memory modelMemory model
Memory modelMingdongLiao
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 

Weitere ähnliche Inhalte

Andere mochten auch

Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
SmartCloud Enterprise: Using a SOCKS Proxy with VLANs
SmartCloud Enterprise: Using a SOCKS Proxy with VLANsSmartCloud Enterprise: Using a SOCKS Proxy with VLANs
SmartCloud Enterprise: Using a SOCKS Proxy with VLANsAlex Amies
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoJames Morris
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
SDN in the Management Plane: OpenConfig and Streaming Telemetry
SDN in the Management Plane: OpenConfig and Streaming TelemetrySDN in the Management Plane: OpenConfig and Streaming Telemetry
SDN in the Management Plane: OpenConfig and Streaming TelemetryAnees Shaikh
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsPaulWay
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 

Andere mochten auch (8)

Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux Networking
 
VTI の中身
VTI の中身VTI の中身
VTI の中身
 
SmartCloud Enterprise: Using a SOCKS Proxy with VLANs
SmartCloud Enterprise: Using a SOCKS Proxy with VLANsSmartCloud Enterprise: Using a SOCKS Proxy with VLANs
SmartCloud Enterprise: Using a SOCKS Proxy with VLANs
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
 
SDN in the Management Plane: OpenConfig and Streaming Telemetry
SDN in the Management Plane: OpenConfig and Streaming TelemetrySDN in the Management Plane: OpenConfig and Streaming Telemetry
SDN in the Management Plane: OpenConfig and Streaming Telemetry
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For Sysadmins
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
 

Ähnlich wie Better IPSec Security Association Resolution - Netconf 2006 Tokyo

One Year of Porting - Post-mortem of two Linux/SteamOS launches
One Year of Porting - Post-mortem of two Linux/SteamOS launchesOne Year of Porting - Post-mortem of two Linux/SteamOS launches
One Year of Porting - Post-mortem of two Linux/SteamOS launchesLeszek Godlewski
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersSadique Puthen
 
Single Packet Authorization - Slides English
Single Packet Authorization - Slides EnglishSingle Packet Authorization - Slides English
Single Packet Authorization - Slides EnglishLeandro Almeida
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikGLC Networks
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryanyyaevents
 
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...Yandex
 
cachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Cachingcachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance CachingScyllaDB
 
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheapUWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheapedlangley
 
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018Roger Zhou 周志强
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Userspace adaptive spinlocks with rseq
Userspace adaptive spinlocks with rseqUserspace adaptive spinlocks with rseq
Userspace adaptive spinlocks with rseqIgalia
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Performance optimization techniques for Java code
Performance optimization techniques for Java codePerformance optimization techniques for Java code
Performance optimization techniques for Java codeAttila Balazs
 
pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014Netgate
 
Snap - the universal packaging format for linux distros
Snap - the universal packaging format for linux distrosSnap - the universal packaging format for linux distros
Snap - the universal packaging format for linux distrosAnthony Wong
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
Streaming huge databases using logical decoding
Streaming huge databases using logical decodingStreaming huge databases using logical decoding
Streaming huge databases using logical decodingAlexander Shulgin
 

Ähnlich wie Better IPSec Security Association Resolution - Netconf 2006 Tokyo (20)

One Year of Porting - Post-mortem of two Linux/SteamOS launches
One Year of Porting - Post-mortem of two Linux/SteamOS launchesOne Year of Porting - Post-mortem of two Linux/SteamOS launches
One Year of Porting - Post-mortem of two Linux/SteamOS launches
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
 
Single Packet Authorization - Slides English
Single Packet Authorization - Slides EnglishSingle Packet Authorization - Slides English
Single Packet Authorization - Slides English
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on Mikrotik
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryany
 
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
Константин Серебряный "Быстрый динамичекский анализ программ на примере поиск...
 
cachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Cachingcachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Caching
 
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheapUWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
 
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Userspace adaptive spinlocks with rseq
Userspace adaptive spinlocks with rseqUserspace adaptive spinlocks with rseq
Userspace adaptive spinlocks with rseq
 
Memory model
Memory modelMemory model
Memory model
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Performance optimization techniques for Java code
Performance optimization techniques for Java codePerformance optimization techniques for Java code
Performance optimization techniques for Java code
 
pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014
 
Snap - the universal packaging format for linux distros
Snap - the universal packaging format for linux distrosSnap - the universal packaging format for linux distros
Snap - the universal packaging format for linux distros
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)
 
Streaming huge databases using logical decoding
Streaming huge databases using logical decodingStreaming huge databases using logical decoding
Streaming huge databases using logical decoding
 

Mehr von James Morris

Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSJames Morris
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlJames Morris
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...James Morris
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking OverviewJames Morris
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004James Morris
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004James Morris
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007James Morris
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005James Morris
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)James Morris
 

Mehr von James Morris (12)

Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFS
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access Control
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking Overview
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
 

Kürzlich hochgeladen

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Kürzlich hochgeladen (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Better IPSec Security Association Resolution - Netconf 2006 Tokyo

  • 1. Better IPSec Security Association Resolution Netconf 2006 Tokyo James Morris jmorris@namei.org    
  • 2. Problem a) Outbound packet b) Security policy db entry match c) No security association in kernel ● Most of the time, we return EAGAIN to app or drop packet if forwarding. ● We kick the key manager, and usually have an SA available for next packet.    
  • 3. Problem... ● It actually kind of works for one case: blocking sendmsg() of datagrams. ● Process is scheduled in a loop until SA resolved. See xfrm_lookup(). ● Does not work for connect(2), so ping and many UDP apps just get EAGAIN.    
  • 4. Solution ● General solution for all protocols and contexts: – connect(2) – sendmsg(2) – forwarding path (tunnel endpoint) – various kernel-generated packets – blocking and non-blocking modes    
  • 5. Solution... ● Ideally, we'd like connect(2) to follow Posix semantics, for non-blocking this is: – Return EINPROGESS first – Return EALREADY until SA resolved ● For non-blocking sockets in general, it'd be nice to make sure poll(2) works as expected. – even for datagram protocols, as IPSec adds a kind of session underneath.    
  • 6. Solution... ● sendmsg(2) should return EAGAIN for non- blocking case ● For tunnel end point, we probably need to queue packets in a resolution queue. ● This may also be useful for non-blocking socket case. ● Herbert has suggested larval dst to go with larval SA.    
  • 7. Status ● Current patch contains a lot of instrumentation and some initial changes: – Make connect(2) work for the blocking case, hooking into ip_route_connect() – Propagate new flags down to xfrm_lookup() to control behavior: ● Kick the key manager? ● Sleep until resolved?    
  • 8. Ongoing work ● Continue to develop code to handle all cases and protocols ● Probably involve some code consolidation ● Determine how much of the problem to solve    
  • 9. Issues ● Not clear on all of the use-cases for this: – Opportunistic encryption – Complex/large scale policy where pro-active SA negotiation overhead would be too high – Others?