On Wed, 24 Aug 2022 14:46:32 +0200 Andrew Lunn wrote: > > I think it would make sense to push key validity times and the key selection > > policy entirely in the kernel so that it can handle key rotation/expiration > > by itself. This way userspace only has to configure the keys and doesn't > > have to touch established connections at all. > > I know nothing aobut TCP-AO, nor much about kTLS. But doesn't kTLS > have the same issue? Is there anything which can be learnt from kTLS? > Maybe the same mechanisms can be used? No point inventing something > new if you can copy/refactor working code? kTLS does not support key rotation FWIW. It's extremely rare. > > My series has a "flags" field on the key struct where it can filter by IP, > > prefix, ifindex and so on. It would be possible to add additional flags for > > making the key only valid between certain times (by wall time). > > What out for wall clock time, it jumps around in funny ways. Plus the > kernel has no idea what time zone the wall the wall clock is mounted > on is in. I'd do all of this over netlink, next-gen crypto on sockets is *the* reason I started the YAML work. Sadly my crypto config via netlink does not exist yet and is probably 2mo out ;(