Re: [Rift] RIFT fingerprint coverage

Bruno Rijsman <brunorijsman@gmail.com> Sun, 21 July 2019 15:52 UTC


> On Jul 21, 2019, at 4:22 PM, Antoni Przygienda <prz@juniper.net> wrote:

> 2. first, you can't extend the protection the way you like unless we have a complicated procedure where you protect with fingerprint 0, then you write fingerprint and on the other side you have to 0 out the fingerprint to check and so on. I wrote such code over protocols and it's very fragile.


I think we should focus on whether it is a security issue or not (which was #3 of your response) rather than whether the implementation is difficult or not.

That said, the implementation is actually quite trivial and not fragile. 

Every signing library that I ever worked with has an update method that allows you to incrementally compute a digest.

Python provides hmac.update() and hashlib.update(). Rust provides hmac.input().

Python example:

import hmac
packet = b'Just imagine for a second that this is a protocol packet.'
signer = hmac.new(key=b'top-secret', digestmod='sha256')
signer.update(packet[5:10])  # Digest over bytes 5-9 (slice end is exclusive)
signer.update(packet[15:20]) # and also bytes 15-19
signer.update(packet[25:30]) # and also bytes 25-29
print(signer.digest())

You can use this feature to make re-computing the outer fingerprint for TIEs that are stored in the TIE database much cheaper, knowing that you have already computed (and saved the signer for) the inner fingerprint.
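
An added example, not part of the original message and not taken from any RIFT implementation: it shows the two uses of update() discussed above, skipping the fingerprint field instead of zeroing it, and resuming from a saved signer with copy(). The packet layout, the function names, the length prefix and the use of one key for both digests are assumptions made for illustration.

```python
import hmac
import struct

# Constructed layout (NOT RIFT's wire format):
# 4-byte header | 32-byte fingerprint field | payload
FP_OFF, FP_LEN = 4, 32

def fingerprint(key, header, payload):
    """HMAC-SHA256 over header and payload; the fingerprint field is never fed in."""
    signer = hmac.new(key, digestmod='sha256')
    signer.update(header)    # bytes before the fingerprint field
    signer.update(payload)   # bytes after the fingerprint field
    return signer.digest()

def seal(key, header, payload):
    """Sender: place the fingerprint in its field, with no zero-filled first pass."""
    if len(header) != FP_OFF:
        raise ValueError('header must be exactly %d bytes' % FP_OFF)
    return header + fingerprint(key, header, payload) + payload

def verify(key, packet):
    """Receiver: skip the field rather than zeroing it; compare in constant time."""
    if len(packet) < FP_OFF + FP_LEN:
        return False         # too short to contain a fingerprint field
    received = packet[FP_OFF:FP_OFF + FP_LEN]
    expected = fingerprint(key, packet[:FP_OFF], packet[FP_OFF + FP_LEN:])
    return hmac.compare_digest(received, expected)

def stored_signer(key, stored):
    """Digest the stored bytes once and keep the signer state for later reuse."""
    signer = hmac.new(key, digestmod='sha256')
    # The length prefix pins the boundary between the stored and the varying
    # bytes, so shifting a byte across that boundary changes the digest.
    signer.update(struct.pack('!I', len(stored)))
    signer.update(stored)
    return signer

def outer_fingerprint(saved, varying):
    """Resume from a copy of the saved state; only the varying bytes are hashed."""
    signer = saved.copy()    # the saved state stays reusable for the next send
    signer.update(varying)
    return signer.digest()

if __name__ == '__main__':
    key = b'top-secret'
    packet = seal(key, b'\x01\x02\x03\x04', b'constructed payload')
    print(verify(key, packet))
    saved = stored_signer(key, b'constructed stored bytes')
    print(outer_fingerprint(saved, b'\x00\x07').hex())
```

Resuming from a saved signer only works when the stored bytes are the first thing fed into the outer digest and the same key is used; the order of update() calls does not have to match the order of bytes on the wire, as long as sender and receiver agree on it.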