[noise] New draft for "chain-of-DH" approach

[Jason A. Donenfeld]

On Wed, Jul 29, 2015 at 4:48 AM, Trevor Perrin <trevp at trevp.net> wrote:
> Zero padding is fine.

Ack'd.

> But there's a bigger question of whether things like padding should be
> specified in Noise core, left to the user, or something in between.
> I'll take this up in a separate mail.

To give you an idea of some use cases before you start thinking about
this, here's how I'm currently handling padding.

Userspace sends an IP packet. The kernel allocates some memory for it,
with a little bit of extra room at the end of the allocation that
isn't used. I look at the current length of data used in this
allocation, round up to the nearest 16 bytes (side question: is this a
decent amount of padding?), and fill in zeros at the end. This data is
then passed to the noise layer, to make it into a proper noise
message, and then that's sent out over a socket to a remote computer.
The remote computer receives the packet, and allocates some memory.
The packet is authenticated/decrypted into that allocated memory. That
memory is then passed to the kernel networking stack, which parses it
as an IPv4 or IPv6 packet.

Notice in all of this: I don't store the length of the padding! Why?
Because the IPv4 or IPv6 header already stores the length of the
entire packet. The extra zeros at the end are simply discarded in the
last step above, in which I pass the packet to the networking stack.

In other words, the flexibility of noise w.r.t. padding lets me
exploit a nice property of my specific situation, in order to simplify
the implementation.