> What is the basis of this random length padding? Let assume a peer does not support ESPv3 padding, but we have to pad a small packet with more than 255 bytes. We can't, the ESP padding length field is limited to 255. We could add 255 fixed bytes, but an eavesdropper could just subtract the 255 bytes from all packets smaller than the boundary, rendering our TFC efforts useless. By inserting a random length padding in the range possible, the eavesdropper knows that the packet has a length between "length" and "length - 255", but can't estimated its exact size. I'm aware that this is not optimal, but probably the best we can do(?). > Also, what happens when padto exceeds the MTU? Doesn't this > effectively disable PMTU-discovery? Yes. An administrator setting a padto value larger than PMTU can currently break PMTU discovery. > I know that your last patch allows the padto to be set by PMTU. > But why would we ever want to use a padto that isn't clamped by > PMTU? Probably never, valid point. I'll add PMTU clamping to the next revision. We probably can drop the PMTU flag then and just use USHRT_MAX instead. Thanks! Martin -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
