IETF Logo Mail Archive

Re: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Thu, 20 December 2018 07:34 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 142D213109F for <detnet@ietfa.amsl.com>; Wed, 19 Dec 2018 23:34:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ndNzu7V09eLP for <detnet@ietfa.amsl.com>; Wed, 19 Dec 2018 23:34:55 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40B091310A1 for <detnet@ietf.org>; Wed, 19 Dec 2018 23:34:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13006; q=dns/txt; s=iport; t=1545291295; x=1546500895; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=7UWcdszSYV5wRj1e075/XUSTODkwNEheD8Wl2+O9OTY=; b=hTthl9wHk7T0pPBQh+Qi1POfMl1qgkAlCNWzkwgzN/Dah3x5B+JCnkiQ 8CMVsKZ4JCYedtpsB1/ISkIGHWUahQWQwUSRbpOw/4sMoy50qKsnjvCS4 jcgxob9Rlf+AQAp9d5n8RVXysc6W5CB5XjwQ+TLoXFlg1oKY8KdTzHuKc Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAADpRBtc/4sNJK1jGQEBAQEBAQEBAQEBAQcBAQEBAQGBUQQBAQEBAQsBgQ12ZoECJwqMDIt8gg2SAoVbFIFnCwEBhGwCgmsiNAkNAQMBAQIBAQJtKIU8AQEBAQIBLUwFCwIBCBEBAwEBKAcyFAMGCAEBBAENBQiDG4EdXAiobYotiXeBBoEkHheBQD+BEYJkLoROAQsHAVWFKQKJS4V5X5BAWgkCkVsgkVyDDIZAkBgCERSBJx84ZXFwFTuCbIJQjgtBMYwaDxeBCIEfAQE
X-IronPort-AV: E=Sophos;i="5.56,376,1539648000"; d="scan'208,217";a="215317519"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Dec 2018 07:34:53 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by alln-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id wBK7YrCS027819 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 20 Dec 2018 07:34:53 GMT
Received: from xch-rcd-001.cisco.com (173.37.102.11) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 20 Dec 2018 01:34:53 -0600
Received: from xch-rcd-001.cisco.com ([173.37.102.11]) by XCH-RCD-001.cisco.com ([173.37.102.11]) with mapi id 15.00.1395.000; Thu, 20 Dec 2018 01:34:52 -0600
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: "Black, David" <David.Black@dell.com>, "Grossman, Ethan A." <eagros@dolby.com>, "detnet@ietf.org" <detnet@ietf.org>
CC: "ekr@rtfm.com" <ekr@rtfm.com>
Thread-Topic: DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic
Thread-Index: AdSX+/sLTp7DPyO1QkG1vyM68OeTlQAEW9GwAAoIQfA=
Date: Thu, 20 Dec 2018 07:34:28 +0000
Deferred-Delivery: Thu, 20 Dec 2018 07:34:25 +0000
Message-ID: <85ff3ddbde5f498ab1c680e1a7d97641@XCH-RCD-001.cisco.com>
References: <BY1PR0601MB1403A041DF88D362261DA127C4BF0@BY1PR0601MB1403.namprd06.prod.outlook.com> <CE03DB3D7B45C245BCA0D24327794936303A55D1@MX307CL04.corp.emc.com>
In-Reply-To: <CE03DB3D7B45C245BCA0D24327794936303A55D1@MX307CL04.corp.emc.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.252.67]
Content-Type: multipart/alternative; boundary="_000_85ff3ddbde5f498ab1c680e1a7d97641XCHRCD001ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: alln-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/a1Nu9UXPxciw8i_SfA9axSe3YSM>
Subject: Re: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2018 07:34:58 -0000

Hello David :

Asymmetric is a lot more expensive, I'm hearing, but could be very useful to ensure that the packets in a DetNet flow are from the proper source.
Say that the DetNet flow is associated with a keypair, and that the private key is available to the source of the flow whereas the public key is distributed with the flow information.
We should not preclude that should we? As long as the crypto time is bounded we should be OK.

All the best

pascal

From: detnet <detnet-bounces@ietf.org> On Behalf Of Black, David
Sent: jeudi 20 décembre 2018 03:47
To: Grossman, Ethan A. <eagros@dolby.com>; detnet@ietf.org
Cc: ekr@rtfm.com
Subject: Re: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic

> Good question, for example do such algorithms have deterministic execution times?

Generally, yes, to a first approximation, as the algorithms used to encrypt and verify traffic are usually symmetric crypto algorithms such as AES and SHA-2 which perform the same computation regardless of input.   Non-deterministic execution times are associated with asymmetric crypto algorithms (e.g., public key algorithms), which are not typically used on a packet-by-packet basis - they're used for session setup, including key exchange, from which keys are derived for the symmetric algorithms.

Thanks, --David

From: detnet [mailto:detnet-bounces@ietf.org] On Behalf Of Grossman, Ethan A.
Sent: Wednesday, December 19, 2018 7:42 PM
To: detnet@ietf.org<mailto:detnet@ietf.org>
Cc: ekr@rtfm.com<mailto:ekr@rtfm.com>
Subject: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic


[EXTERNAL EMAIL]

Hi All,

In going over the remaining IESG review comments, there is this question on Sec 11.5 (Security). I don't think it is worth holding up the Use Cases draft for, but it seems worth a conversation on the list.



Text from Section 11.5:

>      addition to arriving with the data content as intended, the data must

>      also arrive at the expected time.  This may present "new" security

>      challenges to implementers, and must be addressed accordingly.  There

>      are other security implications, including (but not limited to) the

>      change in attack surface presented by packet replication and

>      elimination.



Reviewer's Comment:

Do these requirements impose new requirements on the cryptographic algorithms used to verify traffic?



Ethan's thoughts:

Good question, for example do such algorithms have deterministic execution times? Is there a large spread between best- and worst-case execution times? Is this a topic for the Security draft? The Architecture draft? Or is this a more general matter of network (or network silicon) design/implementation/performance, and thus doesn't get covered in DetNet drafts?
--------------------------------------------------

v2.23.0 | Report a Bug | By Email