[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures

To: Noel Chiappa <jnc@mercury.lcs.mit.edu>
Subject: Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
From: David Conrad <drc@virtualized.org>
Date: Fri, 18 Jan 2008 13:05:24 -0800
Cc: rrg@psg.com
In-reply-to: <20080117140822.49F3A872EA@mercury.lcs.mit.edu>
References: <20080117140822.49F3A872EA@mercury.lcs.mit.edu>

Noel,

On Jan 17, 2008, at 6:08 AM, Noel Chiappa wrote:

Well, I'm not so sure. I'm not a crypto math expert, but...


Neither am I, but...

AFAIK, this isn't an issue with public-private encryption, so Idon't see aneed to do periodic key rollover. (If I'm wrong about any of thecrypto
aspects of all this, someone please enlighten me! :-)

My understanding is that you need to periodically replace keys inorder to thwart brute force attacks (among other reasons). RFC 4641discusses this in the context of DNSSEC in section 3.3.

And how much 'touching' of the trust hierarchy you want to impose on
the lookup agents.

Sorry, didn't follow that - can you expand a bit?

Typically, the lookup agents will need to have the trust anchorsconfigured by some means (usually, manually). If you have multipletrust anchors, you'll need to reconfigure those trust anchors in thelookup agents every time there is a change. In RFC 4641, therecommended period for key rollover is 12 months. If you'repartitioning the namespace into 256 pieces, this implies making (atleast) 256 changes to the configuration of each lookup agent you areresponsible for per year where one implication of doing it wrong is tocompletely disable routing of systems dependent on that lookup agentfor some or all of the partitions of the namespace.

while only having 2 things to break when you configure your lookup
agent...
I don't expect people to be typing the master keys in! Yes, theywould bedistributed out-of-band ("printed in the newspaper", one wagsuggested), butI was assuming they would more be included in software distributionsas a
file.

This puts much trust in the software distribution mechanism (chicken-or-egg problems may lie here). In the case of DNSSEC, this turns outto be a non-trivial problem. This may be because of theidiosyncrasies of the DNS (e.g., distributed authority) and may not beapplicable to what we're discussing here, however one of the lessonsDNSSEC has taught me (over the 10+ years I've been involved in it,either directly or on the periphery): ignoring operational keymanagement requirements can render whatever you come up withcompletely useless. FWIW.


Regards,
-drc


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

References:
- Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
  - From: jnc@mercury.lcs.mit.edu (Noel Chiappa)

Prev by Date: Re: [RRG] Properties of mapping solutions
Next by Date: [RRG] Replacement for BGP-TCP-MD5
Previous by thread: Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
Next by thread: Re: [RRG] MTU/fragmentation AGAIN
Index(es):
- Date
- Thread