Re: [kitten] GSS_GetMIC and iovs

Nico Williams <nico@cryptonector.com> Tue, 03 September 2013 20:31 UTC

In-Reply-To: <CF0E9F3D891D0AC164566052@96B2F16665FF96BAE59E9B90>
References: <1312896365.241.1377718317287.JavaMail.root@thunderbeast.private.linuxbox.com> <5374C814-C119-473F-83E4-254AA067C7A2@padl.com> <52240DB0.4010803@mit.edu> <CF0E9F3D891D0AC164566052@96B2F16665FF96BAE59E9B90>
Date: Tue, 03 Sep 2013 15:19:46 -0500
Message-ID: <CAK3OfOi_FnY4Cv+DVNGJyHLwc5X8XHL2tqOu=yJLjMb3+jocyw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Chris Newman <chris.newman@oracle.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] GSS_GetMIC and iovs
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>

On Tue, Sep 3, 2013 at 1:26 PM, Chris Newman <chris.newman@oracle.com> wrote:
> I would recommend not adding any iovec-related APIs to a security interface.
> My experience with such APIs in real-world SSL usage is that they are a
> common source of serious and hard-to-diagnose bugs. These APIs tend to be
> rarely used interfaces so they get inadequate testing, code review and
> real-world use. I inherited and maintain code that made heavy use of iovecs
> and I'm busy removing them whenever I can. My experience is that the
> maintenance, complexity and associated negative security cost of these
> interfaces far exceeds any potential performance benefit.

But there really are apps that care about performance...  NFS (the app
in question here, via RPCSEC_GSS) is one such app.

Mind you, RPCSEC_GSS is a bit of a performance disaster anyways
because it requires two per-message token function calls per RPC (when
protecting the data, not just the RPC header), and should be re-done
(maybe) so that it does at most one GSS per-message token call per RPC.
But that wouldn't make RPCSEC_GSS not need iovec GSS calls.

Nico
--
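The gather-style GetMIC the thread is arguing about, as an added example that is not part of the original discussion and not code from any GSS-API implementation: it uses HMAC-SHA256 as a stand-in for a mechanism's MIC primitive, constructed buffer-type names (`SIGN_ONLY`, `DATA`), and a constructed key, RPC header and payload. It shows why an iov entry point matters for a caller like RPCSEC_GSS: a MIC computed over a list of separate buffers equals the MIC over their concatenation, so the header and data can be protected in place without copying them into one contiguous buffer, and the two-token-calls-per-RPC pattern Nico describes collapses to a single gather-style call.

```python
"""Gather-style ("iov") GetMIC illustration.

Added example for this archive page; HMAC-SHA256 stands in for the GSS
mechanism's MIC, and the buffer-type names below are constructed for the
example rather than taken from the GSS-API IOV extensions.
"""
import hashlib
import hmac

# Constructed buffer roles: both are integrity-protected, the distinction
# only records what the caller intends (a header that stays in place vs. the
# payload).  Neither is a real GSS-API constant.
SIGN_ONLY = "sign_only"
DATA = "data"


def get_mic(key: bytes, message: bytes) -> bytes:
    """Classic GSS_GetMIC shape: one contiguous buffer in, MIC token out."""
    return hmac.new(key, message, hashlib.sha256).digest()


def get_mic_iov(key: bytes, iov) -> bytes:
    """Gather-style GetMIC: feed each (type, buffer) entry into the MAC
    incrementally, so the caller never builds header||data in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for kind, buf in iov:
        if kind not in (SIGN_ONLY, DATA):
            raise ValueError(f"unsupported iov buffer type {kind!r}")
        if not isinstance(buf, (bytes, bytearray, memoryview)):
            raise TypeError("iov buffers must be bytes-like")
        mac.update(buf)
    return mac.digest()


def verify_mic_iov(key: bytes, iov, mic: bytes) -> bool:
    """Constant-time check of a MIC against the same scattered buffers."""
    return hmac.compare_digest(get_mic_iov(key, iov), mic)


def protect_rpc_two_calls(key: bytes, header: bytes, data: bytes):
    """The pattern Nico describes for RPCSEC_GSS: one per-message token call
    for the RPC header and a second one for the data (two MAC passes)."""
    return [get_mic(key, header), get_mic(key, data)]


def protect_rpc_one_call(key: bytes, header: bytes, data: bytes):
    """Single gather-style call covering header and data in place."""
    return [get_mic_iov(key, [(SIGN_ONLY, header), (DATA, data)])]


if __name__ == "__main__":
    # Constructed sample inputs, not real RPC or GSS material.
    key = b"constructed-example-mic-key"
    header = b"RPC header: xid=0x1, call, prog=100003"
    data = b"NFS payload bytes ......"
    mic = get_mic_iov(key, [(SIGN_ONLY, header), (DATA, data)])
    print("iov MIC == contiguous MIC:", mic == get_mic(key, header + data))
    print("two-call tokens:", len(protect_rpc_two_calls(key, header, data)))
    print("one-call tokens:", len(protect_rpc_one_call(key, header, data)))
```

Because the MAC is over the byte stream, the iov form is byte-for-byte equivalent to the contiguous form; the receiver verifies with whatever buffer split its own stack gives it. What the iov does not do is bind buffer boundaries, so the header length still has to travel in the protocol (as RPCSEC_GSS does) rather than be inferred from the token.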