Re: [multipathtcp] Feedback on sha1/key exchange for MPTCP inter-op with FreeBSD
Nigel Williams <njwilliams@swin.edu.au> Tue, 16 October 2012 08:44 UTC
Return-Path: <njwilliams@swin.edu.au>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4F6A21F8759 for <multipathtcp@ietfa.amsl.com>; Tue, 16 Oct 2012 01:44:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D4GsdiomO5pm for <multipathtcp@ietfa.amsl.com>; Tue, 16 Oct 2012 01:44:21 -0700 (PDT)
Received: from gpo4.cc.swin.edu.au (gpo4.cc.swin.edu.au [136.186.1.33]) by ietfa.amsl.com (Postfix) with ESMTP id 08DC821F8751 for <multipathtcp@ietf.org>; Tue, 16 Oct 2012 01:44:13 -0700 (PDT)
Received: from [136.186.229.154] (nwilliams-laptop.caia.swin.edu.au [136.186.229.154]) by gpo4.cc.swin.edu.au (8.14.3/8.14.3) with ESMTP id q9G8iA8X015920; Tue, 16 Oct 2012 19:44:11 +1100
Message-ID: <507D1E56.3050701@swin.edu.au>
Date: Tue, 16 Oct 2012 19:44:06 +1100
From: Nigel Williams <njwilliams@swin.edu.au>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120912 Thunderbird/15.0.1
MIME-Version: 1.0
To: Christoph Paasch <christoph.paasch@uclouvain.be>
References: <507CDF0F.6090605@swin.edu.au> <1577583.oZiYgRU3s0@cpaasch-mac>
In-Reply-To: <1577583.oZiYgRU3s0@cpaasch-mac>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: multipathtcp <multipathtcp@ietf.org>
Subject: Re: [multipathtcp] Feedback on sha1/key exchange for MPTCP inter-op with FreeBSD
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/multipathtcp>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2012 08:44:21 -0000
Hi Christoph, Thanks for the response, it's clear where the misunderstanding is now. On 16/10/12 17:32, Christoph Paasch wrote: > Hello Nigel, > > On Tuesday 16 October 2012 15:14:07 Nigel Williams wrote: >> (1) Endianess and the sha1 hashing of local and remote keys: I initially >> had some trouble matching keys and idsns with the Linux implementation. >> Having a look through the linux code (function mptcp_key_sha1(local_key) >> in mptcp_ctrl.c) it looks like the output of sha_transform is converted >> into big-endian, and the token and idsn are then assigned (as big-endian). >> >> Once the mptcp_key_sha1() function returns, 'idsn = ntohll(idsn) + 1;' >> is called (returning the idsn to host order). The idsn is then typcast >> as a u32 and this value is used for tcb->seq (which is the starting dseq >> value of DSN mappings). All this was calculated from 'local_key', which >> is stored locally in host order. >> >> The problem arises then that the local_key is put onto the wire in host >> byte order, when we were expecting to receive it in network byte order. >> Is there a reason why the key is not transmitted in network byte order? > > the key is not stored in host-byte order. When generating the random bits we > simply store them in a u64 and send them on the wire. Thus, the keys are in > network byte-order. > > The endianness conversion in mptcp_key_sha1 is part of the SHA-1 algorithm. > SHA-1 does an endianness conversion on the input (done by sha_transform in > lib/sha1.c). > When returning the final output another conversion is done in sha1_final > (crypto/sha1_generic.c), part of the generic crypto-library of the linux > kernel. > > However, in MPTCP we don't use the crypto-library (thus, don't call > sha1_final) because we want to spare some CPU cycles. So, we have to do the > endianness conversion at the end of mptcp_key_sha1 by hand. > What caused the confusion is that the Linux key is considered to be in network order after it is generated. I don't recall the draft specifying what order the key is to be in when hashed, and it is apparent that it should. I would argue in favour of hashing in host order for semantic reasons: - It seems non-standard behaviour to not perform a network-to-host byte order conversion on arriving options. - Maintains consistency with other stack variables which are kept in host byte order for simplicity of arithmetic (or other things) >> Also, is it possible to do the conversion to host order of the idsn and >> token within mptcp_key_sha1(), rather than on return? A quick glance at >> the function does not make it immediately obvious that the values should >> be converted into host order on return. Some comments in this function >> would be useful (for instance the FreeBSD sha1 returns the hash in >> network order, while Linux does not). > > From what I see in > http://www.leidinger.net/FreeBSD/dox/crypto/html/d2/d24/sha1_8c_source.html > > the sha-1 algorithm in FreeBSD is also endianness-agnostic. Meaning, if you > call sha1_result at the end, he will also do an endianness conversion so that > your output matches the endianness of the input. > Okay. Misunderstood what the Linux code was doing (we thought the FreeBSD code was doing something different to Linux, and this is not the case). >> (2) Perhaps as a general comment/feedback, it might be worth detailing a >> little more explicitly in the implementers guide the conversions >> occurring in this process, as it is currently a little ambiguous and I >> needed to dig through the linux code in order to make my implementation >> compatible on the wire. > > I will try to add more comments in the implementation. > >> As far as I can tell, the process should be along the lines of: >> >> 1. generate 64-bit key (store in host order) > > In a certain sense, the endianness of the key doesn't matter. Because, no > arithmetic operations are done on the key. As the endianness of the key will change the hash output, it does matter. cheers, nigel
- [multipathtcp] Feedback on sha1/key exchange for … Nigel Williams
- Re: [multipathtcp] Feedback on sha1/key exchange … Christoph Paasch
- Re: [multipathtcp] Feedback on sha1/key exchange … Nigel Williams
- Re: [multipathtcp] Feedback on sha1/key exchange … Christoph Paasch
- [multipathtcp] Fwd: Re: Feedback on sha1/key exch… Nigel Williams