| author | Antonio Quartulli <[email protected]> | 2025-04-15 11:17:37 +0000 |
|---|---|---|
| committer | Paolo Abeni <[email protected]> | 2025-04-17 10:30:03 +0000 |
| commit | 89d3c0e4612afa1c6429ed68d298e35592fbe208 (patch) | |
| tree | 2ac3e9e54daac4358e1c2fa97724cf522149ef8e /lib/ucs2_string.c | |
| parent | ovpn: implement key add/get/del/swap via netlink (diff) | |
ovpn: kill key and notify userspace in case of IV exhaustion
IV wrap-around is cryptographically dangerous for a number of ciphers,
therefore kill the key and inform userspace (via netlink) should the
IV space become exhausted.
Userspace has two ways of deciding when the key has to be renewed before
exhausting the IV space:
1) time based approach:
after X seconds/minutes userspace generates a new key and sends it
to the kernel. This is based on a guesstimate and normally the default
timer value works well.
2) packet count based approach:
after X packets/bytes userspace generates a new key and sends it to
the kernel. Userspace keeps track of the amount of traffic by
periodically polling GET_PEER and fetching the VPN/LINK stats.
Signed-off-by: Antonio Quartulli <[email protected]>
Link: https://patch.msgid.link/[email protected]
Reviewed-by: Sabrina Dubroca <[email protected]>
Tested-by: Oleksandr Natalenko <[email protected]>
Signed-off-by: Paolo Abeni <[email protected]>
Diffstat (limited to 'lib/ucs2_string.c')
0 files changed, 0 insertions, 0 deletions
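The behaviour the commit message describes, as an added illustration that is not ovpn's code and uses none of its data structures: a hypothetical per-key IV counter that refuses to wrap (the key is killed and a stand-in for the netlink notification fires once), plus a userspace-side `should_rekey()` check covering both strategies named above. The struct and function names, the IV limits and the policy thresholds are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical key slot (not ovpn's real data structure): a per-key IV
 * counter with a hard limit. Once the limit is reached the key is killed
 * and the caller is expected to notify userspace.
 */
struct key_slot {
    uint64_t iv_limit;   /* number of IVs this key may ever consume */
    uint64_t iv_used;    /* IVs handed out so far */
    bool killed;         /* set once the IV space is exhausted */
};

/* Counts "key killed" notifications, standing in for a netlink message. */
struct notifier {
    unsigned int kills_reported;
};

/*
 * Hand out the next IV for a packet. Returns 0 and writes *iv on success.
 * Returns -1 without an IV when the key is (or has just become) exhausted;
 * the counter is never wrapped, so no IV is ever reused under the same key.
 */
int key_next_iv(struct key_slot *k, struct notifier *n, uint64_t *iv)
{
    if (k->killed)
        return -1;                   /* refuse to encrypt with a dead key */

    if (k->iv_used >= k->iv_limit) { /* the next increment would wrap */
        k->killed = true;
        n->kills_reported++;         /* tell userspace exactly once */
        return -1;
    }

    *iv = k->iv_used++;
    return 0;
}

/* Userspace-side policy thresholds (constructed example values). */
struct rekey_policy {
    uint64_t max_key_age_sec;   /* time based approach */
    uint64_t max_packets;       /* packet count based approach */
};

/*
 * Decide whether userspace should proactively install a new key, using
 * either strategy from the commit message: key age, or traffic counters
 * that userspace would obtain by polling the peer's stats.
 */
bool should_rekey(const struct rekey_policy *p, uint64_t key_age_sec,
                  uint64_t packets_sent)
{
    return key_age_sec >= p->max_key_age_sec ||
           packets_sent >= p->max_packets;
}

/*
 * Simulate sending `packets` packets under a fresh key whose IV space holds
 * `iv_limit` values. Returns how many packets were actually encrypted before
 * the key was killed.
 */
uint64_t simulate_session(uint64_t iv_limit, uint64_t packets,
                          struct notifier *n)
{
    struct key_slot key = { .iv_limit = iv_limit, .iv_used = 0, .killed = false };
    uint64_t sent = 0, iv;

    for (uint64_t i = 0; i < packets; i++) {
        if (key_next_iv(&key, n, &iv) < 0)
            break;   /* key killed: stop sending, userspace must rekey */
        sent++;
    }
    return sent;
}

int main(void)
{
    struct notifier n = { 0 };
    uint64_t sent = simulate_session(4, 10, &n);  /* tiny IV space for demo */
    printf("encrypted %llu of 10 packets, kill notifications: %u\n",
           (unsigned long long)sent, n.kills_reported);

    struct rekey_policy p = { .max_key_age_sec = 3600, .max_packets = 1000000 };
    printf("rekey needed at key age 3601s: %s\n",
           should_rekey(&p, 3601, 10) ? "yes" : "no");
    return 0;
}
```

The point to take from the simulation is the ordering: the kernel-side check is the last line of defence that stops encryption outright, while `should_rekey()` is what keeps a well-behaved userspace from ever reaching it.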
