making SCTP loadable and removing it from GENERIC

[Mark Johnston]

On Thu, Jul 09, 2020 at 11:13:00AM -0400, Mark Johnston wrote:
> Hi,
> 
> I spent some time working on making it possible to load the SCTP stack
> as a kernel module, the same as we do today with IPSec.  There is one
> patch remaining to be committed before that can be done in head.  One
> caveat is that the module can't be unloaded, as some work is needed to
> make this safe.  However, this obviously isn't a regression.
> 
> The work is based on the observations that:
> 1) the in-kernel SCTP stack is not widely used (I know that the same
>    code is used in some userland applications), and
> 2) the SCTP stack is quite large, most FreeBSD kernel developers are
>    unfamiliar with it, and bugs in it can easily lead to security holes.
> 
> Michael has done a lot of work to fix issues in the SCTP code,
> particularly those found by syzkaller, but given that in-kernel SCTP has
> few users (almost certainly fewer than IPSec), it seems reasonable to
> require users to opt in to having an SCTP stack with a simple "kldload
> sctp".  Thus, once the last patch is committed I would like to propose
> removing "options SCTP" from GENERIC kernel configs in head, replacing
> it with "options SCTP_SUPPORT" to enable sctp.ko to be loaded.
> 
> I am wondering if anyone has any objections to or concerns about this
> proposal.  Any feedback is appreciated.

As a follow-up, here is the proposed change now that requisite code has
been committed to head: https://reviews.freebsd.org/D25611
I will wait for a week or so for feedback.