Re: [nbs] [Int-area] New draft related to name-based sockets

Pete McCann <mccap@petoni.org> Sat, 11 December 2010 22:56 UTC

Return-Path: <mccap@petoni.org>
X-Original-To: nbs@core3.amsl.com
Delivered-To: nbs@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 971CA3A6D54; Sat, 11 Dec 2010 14:56:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8h+kaZanOIx3; Sat, 11 Dec 2010 14:56:36 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id B9EF53A6D4F; Sat, 11 Dec 2010 14:56:32 -0800 (PST)
Received: by wyf23 with SMTP id 23so4784257wyf.31 for <multiple recipients>; Sat, 11 Dec 2010 14:58:06 -0800 (PST)
MIME-Version: 1.0
Received: by 10.227.198.67 with SMTP id en3mr663345wbb.179.1292108285078; Sat, 11 Dec 2010 14:58:05 -0800 (PST)
Received: by 10.227.13.136 with HTTP; Sat, 11 Dec 2010 14:58:05 -0800 (PST)
X-Originating-IP: [64.53.131.166]
In-Reply-To: <4D03D7EE.9010308@isi.edu>
References: <AANLkTin4-uiFXoS9DaDWtTQartUb6DKEee+B8717odm5@mail.gmail.com> <4CFFFD8D.2000601@isi.edu> <AANLkTi=KG_CL5hQ0k4JQAy6oB=3RV3UWGQxTbYzGmsR3@mail.gmail.com> <72504C2E-CE17-4AE0-ACBC-E6BB4F002267@isi.edu> <AANLkTimmQ-HKJBpoqQCc9t1P=GFPFa8VojPTFh-D8Nay@mail.gmail.com> <4D011EF3.8080407@isi.edu> <AANLkTi=+PQKxMj4C83A90-DK3V-89ydBR02rR5zvA68L@mail.gmail.com> <4D0129B3.4050906@isi.edu> <AANLkTi=j1NdofgpJUDjFPcGSTT_96GByLaNTRxx7yuCy@mail.gmail.com> <4D01CE2A.9090804@isi.edu> <AANLkTim4jRQUE=FOvtQRZa7mFH1LS1h=OwkdspEV2k_J@mail.gmail.com> <4D02E9D9.2030508@isi.edu> <AANLkTimFfCcd4AnVejtp0cBwj6y-KVF+jCdH69nw3=xr@mail.gmail.com> <4D03D7EE.9010308@isi.edu>
Date: Sat, 11 Dec 2010 16:58:05 -0600
Message-ID: <AANLkTinKWs0-5d0BjzLPGQxEMc6E5DBkMtVA1TDEg02A@mail.gmail.com>
From: Pete McCann <mccap@petoni.org>
To: Joe Touch <touch@isi.edu>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "int-area@ietf.org" <int-area@ietf.org>, "nbs@ietf.org" <nbs@ietf.org>
Subject: Re: [nbs] [Int-area] New draft related to name-based sockets
X-BeenThere: nbs@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Name based sockets discussion list <nbs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nbs>
List-Post: <mailto:nbs@ietf.org>
List-Help: <mailto:nbs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Dec 2010 22:56:41 -0000

Hi, Joe,

On Sat, Dec 11, 2010 at 1:58 PM, Joe Touch <touch@isi.edu> wrote:
>> An elliptic curve cofactor diffie-hellman computation on known keys
>> takes less than 10^6 cycles:
>>
>> http://cr.yp.to/ecdh/reports.html
>>
>> This would be under a millisecond on modern processors in software.
>
> Right, but that's 1,000 such attempts per second. That puts a cap on
> software support for middleboxes that is fairly low.

Remember, this only happens for new communication peers, at the
time the transport connection is established.  1000 connections established
per second is a pretty high number, let alone connections from DNS names
that you've never heard from before.

>> I haven't run the experiments, but from data on the web it looks like
>> an HMAC is about two orders of magnitude faster than a D-H key
>> derivation.
>
> My previous experiments suggest that HMAC calculations are fairly
> prohibitive for line-rate devices in the middle of the net as well.

Ok.  Need more data to answer this.

>> I think we could get up to a substantial fraction of 1gpbs
>> even with a software implementation.
>
> See RFC1810; MD5 is one of the fastest algorithms. You're now talking about
> a single CPU running flat-out 100% just to keep up with the line rate,
> maybe...

Many devices such as home gateways would likely be just fine with
a much lower line rate.  If this really does catch on in the core, I
would expect hardware acceleration to be available.  I don't expect
every router along the path to participate; most likely you would
only do this at administrative boundaries.

>> Hopefully the discussion above clarifies.  The public key operations are
>> only on the first time two parties interact in some way.  An ECC digital
>> signature with NIST P-256 is 64 octets long.  The HMAC tag in subsequent
>> packets (when using the pickle packet fragment signature header given
>> in the draft) is 20 bytes plus variable amount depending on what level
>> of protection is desired.  I expect SHA-1 (20 bytes) to be nominal for
>> most connections.  The draft has enough flexibility to allow multiple
>> HMACs on each packet to account for multiple middleboxes that all
>> want to validate a tag from the same endpoint; however, I expect in
>> most deployments that the tags will be computed on a pairwise basis
>> between adjacent middleboxes so only one signature per packet will
>> be needed.
>
> Not sure what that means; why would adjacent middleboxes be involved, vs.
> separate interactions between each such middlebox and the endpoint. This
> needs to be made more clear in your architecture.

Just as endpoints build up knowledge about the topology of the middleboxes,
the middleboxes would learn about each other and could develop their
own security associations pairwise between them.  If you consider the
pickle-aware middleboxes to be like beads on a string, adjacent beads
could develop shared secrets and perform HMACs on the packets passing
through.  A typical operation for a middlebox would then be to validate
HMAC on an arriving packet, perform its middlebox type operations, and
then re-sign the packet on the way out.  So, security associations could
be hop-by-hop along the path in addition to end-to-end.

> TCP-AO can easily be extended to include other algorithms that support
> public-key (you just need to specify the other algs and register them with
> IANA, as per RFC 5926, AFAICT.

So in the language of RFC 5926, I am talking about the method used
to configure the Master_Key.  I think it's an assumption of all the TCP-AO
work that such a Master_Key is configured out-of-band in two peers and
consists of a symmetric (not public key) shared secret.  5926 contains
algorithm IDs for the actual per-packet MAC algorithm (HMACs and CMACs)
as well as the KDFs that are used to derive per-connection keying material
from the preconfigured master key.  However, neither of these registries
has anything to do with methods for provisioning the Master_Key.

Pickle packets provides a DNS-based framework for distributing public
keys tied to DNS names, and for deriving Long-Term-Shared-Secrets
(the Master_Keys) from pairs of public/private key pairs.  I am not aware
of any similar specification for TCP-AO.  I agree that the per-transport
key derivation is similar in concept to what is described in the pickle packet
draft.

-Pete