[Cerowrt-devel] linus vs wireguard
Dave Taht
dave.taht at gmail.com
Thu Aug 2 14:56:59 EDT 2018
I note that I too really, really like wireguard. it's ~4000 lines of
auditable code. ipsec is crypto-by-committee. It doesn't need to run
in kernel space but in order to be speed competitive with ipsec, it
has to.
I share your deep concern about least privilege, and I'd dearly like a
do-over in OS and cpu design, starting with a processor like the mill
- or maybe a risc-v, if it can context switch fast enough. Without
fast context/priv switch uKernels are hopeless.
I just spent a few hugely frustrating days trying to code in and being
frightened by, ebpf. While I hates it thus far, a mini-language of
some sort suitable for hardware offloads seems useful.
On Thu, Aug 2, 2018 at 11:41 AM dpreed at deepplum.com <dpreed at deepplum.com> wrote:
>
> I don't like complexity invading the kernel, personally. But it's Linux's monstrous kernel these days. We also seem to have user code being executed in the kernel (eBPF), another very risky thing regarding security, especially.
>
> The kernel mode of a system has incredible and universal power over the entire system. That's why the Principle of Least Privilege, part of the security canon that has proven itself worthy over and over, is as important to OS kernels as the End to End argument is to the Internet.
>
> But Linus, never a security expert himself, has become a celebrity, and therefore his bad ideas are brilliant by definition.
>
> As to the ugliness of IPSec, well, the Linux implementation might be ugly, but its the goddamn standard. Fix the stupid implementation if that is the problem.
>
> Nope, not gonna happen.
>
> -----Original Message-----
> From: "Dave Taht" <dave.taht at gmail.com>
> Sent: Thursday, August 2, 2018 2:26pm
> To: cerowrt-devel at lists.bufferbloat.net
> Subject: [Cerowrt-devel] linus vs wireguard
>
> ---------- Forwarded message ---------
> From: Linus Torvalds <torvalds at linux-foundation.org>
> Date: Thu, Aug 2, 2018 at 11:19 AM
> Subject: Re: [GIT] Networking
> To: David Miller <davem at davemloft.net>
> Cc: Andrew Morton <akpm at linux-foundation.org>, Network Development
> <netdev at vger.kernel.org>, Linux Kernel Mailing List
> <linux-kernel at vger.kernel.org>
>
>
> On Wed, Aug 1, 2018 at 9:37 PM David Miller <davem at davemloft.net> wrote:
> >
> > Fixes keep trickling in:
>
> Pulled.
>
> Btw, on an unrelated issue: I see that Jason actually made the pull
> request to have wireguard included in the kernel.
>
> Can I just once again state my love for it and hope it gets merged
> soon? Maybe the code isn't perfect, but I've skimmed it, and compared
> to the horrors that are OpenVPN and IPSec, it's a work of art.
>
> Linus
>
>
> --
>
> Dave Täht
> CEO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-669-226-2619
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
>
--
Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
More information about the Cerowrt-devel
mailing list