Hi Ivan, On Wed, Sep 26, 2018 at 6:00 PM Ivan Labáth <labokml@xxxxxxx> wrote: > > On 25.09.2018 16:56, Jason A. Donenfeld wrote: > > Extensive documentation and description of the protocol and > > considerations, along with formal proofs of the cryptography, are> available at: > > > > * https://www.wireguard.com/ > > * https://www.wireguard.com/papers/wireguard.pdf > [] > > +enum { HANDSHAKE_DSCP = 0x88 /* AF41, plus 00 ECN */ }; > [] > > + if (skb->protocol == htons(ETH_P_IP)) { > > + len = ntohs(ip_hdr(skb)->tot_len); > > + if (unlikely(len < sizeof(struct iphdr))) > > + goto dishonest_packet_size; > > + if (INET_ECN_is_ce(PACKET_CB(skb)->ds)) > > + IP_ECN_set_ce(ip_hdr(skb)); > > + } else if (skb->protocol == htons(ETH_P_IPV6)) { > > + len = ntohs(ipv6_hdr(skb)->payload_len) + > > + sizeof(struct ipv6hdr); > > + if (INET_ECN_is_ce(PACKET_CB(skb)->ds)) > > + IP6_ECN_set_ce(skb, ipv6_hdr(skb)); > > + } else > [] > > + skb_queue_walk (&packets, skb) { > > + /* 0 for no outer TOS: no leak. TODO: should we use flowi->tos > > + * as outer? */ > > + PACKET_CB(skb)->ds = ip_tunnel_ecn_encap(0, ip_hdr(skb), skb); > > + PACKET_CB(skb)->nonce = > > + atomic64_inc_return(&key->counter.counter) - 1; > > + if (unlikely(PACKET_CB(skb)->nonce >= REJECT_AFTER_MESSAGES)) > > + goto out_invalid; > > + } > Hi, > > is there documentation and/or rationale for ecn handling? > Quick search for ecn and dscp didn't reveal any. ECN support was developed with Dave Taht so that it does the right thing with CAKE and such. He's CC'd, so that he can fill in details, and sure, we can write these up. As well, I can add the rationale for the handshake-packet-specific DSCP value to the paper in the next few days; thanks for pointing out these documentation oversights. Jason