[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
On 17.1.2008, at 0.53, Noel Chiappa wrote:
Computational overhead of public-key authentication comes in addition
to the overhead of looking up the ID/public-key mapping.
Right, but I am informed that checking authentication is a lot less
computationally intensive than signing something - which is good for
us, and
(helpfully) just the right direction for such an asymmetry!
Ok. I used to be paranoid for a living (=work with security stuff)..
There are certain schemes where the verification of something is
considerably more expensive (for example, check http://en.wikipedia.org/wiki/Hashcash)
, but in public-key cryptography the cost of encryption, decryption,
signing and signature verification are typically roughly of same
minimum cost[1]. For example, with RSA, all four operations boil down
to exponentiation + modulo operations with big numbers, give or take
hashing along the way.
Looking at the 'success' of anything that involves something
certificate-like (hint: https is only really successful 'open' system,
and that works by ignoring half the security features such as key
lengths, certificate revocation lists and so forth), I would really,
really like to steer clear of any really secure public-key based
scheme in this system.
Considering the BGP+TCP-MD5 is considered 'secure enough' by the
people around these days, while it is in truth about as secure as
sending data in envelopes made of clear plastic, I don't think this
system needs to be more ambitious if it means orders of magnitude
worse performance.
But since we have to combat mapping spoofing, either we use
self-certifying mappings (as in Six/One, e.g.), or the receiver
must do
a look-up in some trusted directory, too.
Sorry, not sure that I followed that. Did you mean that if you
received a
'gratuitous' binding, piggybacked on a request for a binding that
you held,
you'd have to do a query on that gratuitously-provided binding, to
verify that
it was valid, and not a spoof?
If so, I think the built-in authentication of bindings (above)
solves that one.
Unfortunately it is not computationally feasible.
While the benefits of public-key authentication are IMO limited in
this
case
On the contrary, it's the only way I can see to authenticate the
client's
binding 'on the spot' (i.e. without additional network traffic) if you
gratuitously provide it to the server, piggybacked on the client's
request
for the server's binding.
I am not actually claiming all of this is completely impossible; the
actual public-key infrastructure itself I find deeply depressing
though, so I would prefer to avoid it if possible. For end nodes/edge
routers, piggybacking+signature verification would still work
reasonably well, given appropriate rate limiting, due to the extra
processing power and potential slight performance savings involved.
For anything in the core, 'not going to happen' sums what I think of
the piggybacking schemes that involve anything else than blind trust.
Blind trust sounds slightly dangerous though..
Cheers,
-Markus
[1] This assumes _small_ data length; the sign+verify is faster than
encrypt+decrypt over large blocks of data due to the fact that only
hashing is performed on the data itself, but given small input data
amounts, the costs are similar. Sign/verify stay same cost regardless
of data size, however.
--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg