[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New multi6 draft: WIMP

To: Erik Nordmark <Erik.Nordmark@sun.com>
Subject: Re: New multi6 draft: WIMP
From: Jari Arkko <jari.arkko@piuha.net>
Date: Tue, 24 Feb 2004 09:36:47 +0200
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, Jukka Ylitalo <jukka.ylitalo@nomadiclab.com>, Multi6 List <multi6@ops.ietf.org>
In-reply-to: <Roam.SIMC.2.0.6.1077576158.9678.nordmark@bebop.france>
Organization: None
References: <Roam.SIMC.2.0.6.1077576158.9678.nordmark@bebop.france>
Reply-to: jari.arkko@piuha.net
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

Erik Nordmark wrote:

On 2-feb-04, at 12:30, Jukka Ylitalo wrote:

A short hash chain generation is a quite fast operation compared to signature calculation. (If I remember correct, e.g., computing SHA1 five times over a 160bit string takes under 0.5 ms with 2Ghz pentium.) The operation is efficient and makes it more diffucult for an attacker to cause a DoS situation.
Actually this is pretty poor. I seem to remember that a significantly slower Pentium can do 2000 DSA signature checks per second. Being able to bring down a host with just 2000 packets per second would be a very bad thing, as this is easily accomplished over 10 Mbps ethernet (approx 500 byte packets).
I would be interesting in seeing some apple-to-apple comparisons
between different security algorithms that might apply to multi6 solutions:
One is an anonymous DH exchange - basically the purpose-built keys approach -
how much CPU to do the modular exponentiation?
Another one is a public key signature (and verification?)

A third is performing 5 SHA1 hashes of 160 bits.
If I had a better feel for the relative CPU cost of those 3 operations it
would be easier for me to understand the performance/DoS aspects of these
schemes.


Yes. Actually, I find Jukka's numbers a bit surprising. SHA1 is used
on a per-packet basis on IPsec, for instance, and many systems can do
this at wire speed. And I always thought that bignum operations (signatures,
diffie-hellman) were significantly slower than symmetric operations (SHA1)
on the same hardware.

Reference http://www.eskimo.com/~weidai/benchmarks.html gives the performance
on a 2.1 Ghz Pentium for SHA1 as 72 Mbytes/s; for RSA signature takes 4.65 ms
and verification 0.19 according to the same source. However, this does not tell
us how many individual SHA1 operations were run, just the data amount.
Digging into the source code of Crypto++ library on which the tests from
the above link were made... hmm.... it seems that it simply calls hash.update
repeatedly. Are we comparing apples to oranges if I assume an individual
SHA1 operation cost is according to 72 Mbytes/s? I seem to recall that
at least HMAC_SHA1 had some fixed cost component. If anyone has better
benchmarks, tell us...

Anyway, the way I read Wimp is that the amount of SHA1 data to be calculated
under the hash in the packet is ~ 90 bytes. For this, using the above numbers
I get 1.19 *microsecond*, not millisecond. The RSA for this would be 4.65
millisecond, or about 4000 times slower. DSA signature would be 2.14 millisecond,
or about 2000 times slower (without precomputation).

--Jari

Follow-Ups:
- Re: New multi6 draft: WIMP
  - From: Jukka Ylitalo <jukka.ylitalo@nomadiclab.com>

References:
- Re: New multi6 draft: WIMP
  - From: Erik Nordmark <Erik.Nordmark@sun.com>

Prev by Date: Re: modules of a mh solution (was RE: New multi6 draft: WIMP)
Next by Date: RE: I-D ACTION:draft-coene-multi6-sctp-00.txt
Previous by thread: Re: New multi6 draft: WIMP
Next by thread: Re: New multi6 draft: WIMP
Index(es):
- Date
- Thread