Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 19 Aug 2018 18:12:32 -0700
From:      Conrad Meyer <cem@freebsd.org>
To:        Michael Tuexen <tuexen@freebsd.org>
Cc:        src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org,  svn-src-head@freebsd.org
Subject:   Re: svn commit: r338053 - head/sys/netinet
Message-ID:  <CAG6CVpUfrBcTr9TqDFAnZz0sZhD=c6Tc-Xa6-GfXJvJ%2B964jFg@mail.gmail.com>
In-Reply-To: <97661C9D-9C25-4DE0-89A8-FE1C40DAFB81@freebsd.org>
References:  <201808191456.w7JEuAZE069780@repo.freebsd.org> <CAG6CVpW6GyS-xV1xBnMsiFiKPvTX9Xe4EXkyhfXXGdBUvfko8w@mail.gmail.com> <97661C9D-9C25-4DE0-89A8-FE1C40DAFB81@freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Aug 19, 2018 at 10:08 AM, Michael Tuexen <tuexen@freebsd.org> wrote:
>> On 19. Aug 2018, at 18:35, Conrad Meyer <cem@FreeBSD.org> wrote:
>> Hi Michael,
>>
>> How was this particular keyed hash function construction chosen?
>> (Yes, I see it is the same initial TSN, but how was that selected?)
> You mean:
>
> Why is FreeBSD using the MD5 with secret suffix as the keyed hash function?

Yes :-).

> I don't know, I have not implemented that.
>
> However, https://tools.ietf.org/html/rfc6528#section-3 suggests this,
> OpenBSD uses a similar computation, but uses SHA512 instead of MD5, NetBSD
> seem to use the same computation as FreeBSD.
> I guess using MD5 was an acceptable choice at the time the choice was made.

I see.  I don't know that MD5 is a poor fit, but the actual HMAC
construction has somewhat nicer properties than this digest with a
plain secret suffix construction.  I don't know that those properties
matter for this use, especially when the hash is then truncated to a
32-bit value anyway.

> When preparing this patch I was about to choose a different keyed hash function,
> but decided to separate
> * Using a keyed has functions as the offset for the TCP time stamp.
> * Choose a good keyed hash function.
>
> That is why I isolated the keyed hash function. So it is simple to replace
> it with a different one.

That seems very reasonable to me, thanks.

> I think it would be good to change this keyed hash function to SIP-HASH (both
> for the initial sequence number and the time stamp). Opinions?

Well, sip-hash is no cryptographic hash, but it is unclear to me if
that is needed or meaningful for this use.  There may be good modern
keyed cryptographic hashes with comparable performance to MD5 (i.e.,
according to https://www.cryptopp.com/benchmarks.html Blake2 may have
comparable performance to MD5, although it is unclear how performance
compares for very small "messages" like this use).  But I admit I am
unfamiliar with the requirements here and therefore am hesitant to
make any recommendation.

All the best,
Conrad



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAG6CVpUfrBcTr9TqDFAnZz0sZhD=c6Tc-Xa6-GfXJvJ%2B964jFg>