It should probably be mentioned that this comes from ports.

.Xr netdump 4 here and elsewhere?

e.g.

I'd suggest avoiding "NIC" and just write "network interface".

"same link" would be more correct.

"Support for encrypted kernel core dumps and ..." sounds more natural to me.

What does "reference" mean here? Man page?

"cannot" is used elsewhere.

"full dump" means something else in this page.

Trivial to someone who understands the implications of adding padding bytes to a crypto scheme? It's trivial to implement, I agree, but I'm not sure if it's trivial to implement correctly. I'm not sure that this sentence is adding much. :)

Didn't realize there was a netdump(4) page. Will fix.

I should not write docs at night, will fix. Thanks.

For my edification, what's the distinction? I will go ahead and change it assuming you know what you're talking about — I'm not exactly a networking expert.

Agreed, will fix.

Yeah. The exact language was borrowed from mdoc.7. I'm not attached to it and obviously it isn't clear, so I'll fix it.

Hm. As far as 'full dump', I think that is intentional. The only case where we can know the dump size in advance is for full dumps (under the assumption that RAM does not grow online), right? Minidumps are variable sized and compressed dumps are variable sized.

It just happens that check_size() is skipped outside of the function for netdump or gzip, and inside the function for debug.minidump==1. Go figure. Maybe that should be cleaned up. I can send a patch ;-).

I've clarified the language around what kinds of dumps have predictable size (just uncompressed full dumps) and predictable storage (local disk).

I'm not totally convinced 'cannot' and 'can not' are identical. In my dialect they are subtly different — separate words are used for emphasis. But I am happy to change it.

Putting the most important bit first: I'm happy to drop the sentence and agree it's utterly unhelpful for documentation. :-)

I'm not sure the implications re: padding are really significant. One of the weaknesses of the EKCD design we have now is that we *don't* MAC either the kerneldumpheader or the encrypted contents, so both are subject to arbitrary tampering. It's purely a privacy scheme. So what I'm saying is, naively padding the plaintext with zeros rather than PKCS#7 likely doesn't increase our attack surface at all.

OTOH, I'd suggest just abandoning block ciphers altogether instead of worrying about correct PKCS padding. None AES-CTR, AES-GCM, nor Chacha20 care about plaintexts being multiple of block sized.

I will probably end up doing it eventually.

Ah, I guess the distinction is you could theoretically have multiple distinct IP (layer 3) subnets on the same layer 2 fabric. It seems like a weird way to configure a network, but I'm sure inevitably someone has done it. Thanks.

Heh, no worries. Re: not committing it, that was a very reasonable choice. With crypto it's always better to err on the side of caution.

Oh yes. IIRC, OneFS clusters in the various test labs all live in a big broadcast domain (at least on the management side, not sure about frontend data). Ideally you'd use VLANs to logically partition such a network.