On 2017-07-13, Florian Obser <flor...@openbsd.org> wrote:
> It switches the hash function to SipHash24 from sha512 as suggested by dlg
It's for from clear to me whether SipHash is suitable for crypto
operations, and which ones, other than the hash tables it was
designed for.
We went with SHA-512 for RFC 1948 TCP initial sequence number
generation, which is arguably performance-sensitive, while RFC 7217
addresses are certainly not. I think we should use a SHA-2-family
function such as SHA-512 here.
> +# Apply soiikey.conf settings.
> +soiikey_conf() {
> + stripcom /etc/soiikey.conf |
> + while read _line; do
> + sysctl -q "net.inet6.ip6.soiikey=$_line"
> + done
> +}
I think .conf is a strange choice of name for what is not a
configuration file but effectively a private key, cf.
/etc/{iked,isakmpd}/private/local.key
/etc/ssh/ssh_host_<algorithm>_key
> +SOOIs use the whole 64 bit of the host part while SLAAC addresses are
> +formed from MAC addresses and have 48 bits of entropy at most.
46 bits.
(The first bit of a MAC address is 0 for unicast addresses, the
second is 0 for "universally administered" addresses, i.e., those
that are uniquely assigned to a device by its manufacturer.)
--
Christian "naddy" Weisgerber na...@mips.inka.de
