> -----Original Message-----
> From: Ying Xue <ying....@windriver.com>
> Sent: 16-Oct-19 08:13
> To: Tuong Tong Lien <tuong.t.l...@dektech.com.au>; tipc-
> discuss...@lists.sourceforge.net; Jon Maloy <jon.ma...@ericsson.com>;
> ma...@donjonn.com
> Subject: Re: [PATCH RFC 0/5] TIPC encryption
> 
> Looks like this is an amazing proposal!
> 
> I had the idea a long time ago, but at that moment, I didn't think encrypting
> TIPC messages was meaningful because TIPC was mostly used within an internal
> network. After the UDP bearer was supported and one TIPC node was capable of
> communicating with its peers across IP, it seemed the encryption feature
> became useful. But if needed, we could enable IPSEC in this situation.
> 
> At present, the only useful scenario that I can imagine is that TIPC will be
> used as low-level communication infrastructure in a Docker or k8s environment.
> Are there other cases?

The main driver for this has been that Ericsson customers want a fully 
encrypted "backplane" even for TIPC traffic that doesn't use UDP. 
We have considered MACsec, but that is not always desirable for our customers, 
just as they are not always happy with IPsec.
So the solution was to make TIPC "self sufficient" regarding encryption. Now we 
can also benefit from the fact that we can encrypt true multicast, something 
nobody else is doing.

> 
> Sorry, I am pretty busy this week, and significant changes are made in the
> series. I have to take a somewhat long time to review the series.
> Please wait for a while.

We are looking forward to your feedback.

BR
///jon

> 
> On 10/14/19 7:07 PM, Tuong Lien wrote:
> > This series provides TIPC encryption feature, kernel part. There will
> > be another one in the 'iproute2/tipc' for user space to set key.
> >
> > Tuong Lien (5):
> >   tipc: add reference counter to bearer
> >   tipc: enable creating a "preliminary" node
> >   tipc: add new AEAD key structure for user API
> >   tipc: introduce TIPC encryption & authentication
> >   tipc: add support for AEAD key setting via netlink
> >
> >  include/uapi/linux/tipc.h         |   21 +
> >  include/uapi/linux/tipc_netlink.h |    4 +
> >  net/tipc/Makefile                 |    2 +-
> >  net/tipc/bcast.c                  |    2 +-
> >  net/tipc/bearer.c                 |   52 +-
> >  net/tipc/bearer.h                 |    6 +-
> >  net/tipc/core.c                   |   10 +
> >  net/tipc/core.h                   |    4 +
> >  net/tipc/crypto.c                 | 1986 +++++++++++++++++++++++++++++++++++++
> >  net/tipc/crypto.h                 |  166 ++++
> >  net/tipc/link.c                   |   16 +-
> >  net/tipc/link.h                   |    1 +
> >  net/tipc/msg.c                    |   24 +-
> >  net/tipc/msg.h                    |   44 +-
> >  net/tipc/netlink.c                |   16 +-
> >  net/tipc/node.c                   |  314 +++++-
> >  net/tipc/node.h                   |   10 +
> >  net/tipc/sysctl.c                 |    9 +
> >  net/tipc/udp_media.c              |    1 +
> >  19 files changed, 2604 insertions(+), 84 deletions(-)
> >  create mode 100644 net/tipc/crypto.c
> >  create mode 100644 net/tipc/crypto.h
> >

_______________________________________________
tipc-discussion mailing list
tipc-discussion@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tipc-discussion
