Re: [secdir] secdir review of draft-ietf-alto-protocol

[Richard Alimi <ralimi@google.com>]

On Mon, Feb 17, 2014 at 6:38 AM, Dan Harkins <dharkins@lounge.org> wrote:

>
>   Hi RIchard,
>
> On Sun, February 9, 2014 11:03 pm, Richard Alimi wrote:
> > On Sun, Feb 2, 2014 at 7:08 PM, Dan Harkins <dharkins@lounge.org> wrote:
> >
> >>
> >> On Sun, February 2, 2014 11:33 am, Jeffrey Hutzelman wrote:
> >> > On Sat, 2014-02-01 at 10:54 -0800, Dan Harkins wrote:
> >> >
> >> >>  Also, given those
> >> >>      restrictions and the fact that a tag just has to be less than
> >> >>      or equal to 64 octets, the probability of identical tags being
> >> >>      used is not zero. I think the probability of the tag from
> >> >>      example 11.3.1.7 is 0.5 to collide with one of just 460
> >> >>      other Network Maps.
> >> >>
> >> >>      I suggest requiring a tag to be 64 octets. That will make
> >> >>      even money probability of collision among nearly 3000
> >> >>      other Network Maps, which is safer.
> >> >
> >> > OK, maybe I'm confused and reading out of context here.  But I once
> >> had
> >> > someone tell me I needed to change my 5-character username because
> >> they
> >> > were requiring all usernames to be at least 6 characters, _in order to
> >> > increase the number of possible usernames_.  That is, they claimed
> >> they
> >> > were increasing the size of a namespace by eliminating possible names.
> >>
> >>   Well that's a hair brained policy, but username selection is not a
> >> good
> >> analogy. I was at a company that had no strict requirements on a
> >> username
> >> so there should have been a near infinite size of the namespace. But we
> >> had
> >> a collision when the company had less than 10 employees because there
> >> was another "dan" at the company.
> >>
> >> > The point is, if a tag is required to be exactly 64 octets, you get
> >> > 0x5e^64 possible tags.  But if it is required to be up to 64 octets,
> >> you
> >> > get Sum(i=0..64) 0x5e^i possible tags, which is strictly greater than
> >> > 0x5e^64.  So, requiring a tag to be 64 octets _reduces_ the number of
> >> > possible tags, thereby increasing the chance of collision.
> >>
> >>   That would be the case if all tags in the Sum(i=1..64) 0x5e^i tagspace
> >> were equally probable of being chosen. Which implies implementations
> >> choosing a random tag length for each tag generated in addition to a
> >> random tag selection scheme for the randomly chosen length. I suspect,
> >> though, that in practice the tag length will be fixed for a particular
> >> implementation and the tag selection scheme will not necessarily be
> >> random. So the herd mentality, plus the proliferation of one or two
> >> companies' ALTO servers, will result in a severely reduced size of the
> >> effective tagspace and the increased possibility of collisions.
> >>
> >>   A tag generated as SHA256(NetworkMap) represented in 64 hex
> >> characters would basically guarantee you'd never have a collision.
> >> Saying, "it can be anything you want as long as it's less than 64
> >> octets" would not.
> >>
> >
> > Should I interpret your comment to say that we should to require
> > particular
> > mechanisms for generating version tags, or be more explicit about
> > suggesting mechanisms that have a low collision probability?
>
>   Yes, I think you should. Suggestions on how to ensure a low
> probability of collision would be helpful.
>

We've added the following text to section 10.3:

It is RECOMMENDED that the tag have a low collision probability with other
tags. One suggested mechanism is to compute it using a hash of the data
content of the resource.


>
> > To help steer readers towards better implementation practices, we'll
> > change
> > the examples to use hashes in the version tags.
>
>   That's a great idea. So people who implement ALTO and check
> the example will use hashes themselves and that will help ensure
> a low probability of collision.
>

This change has been made to our copy in SVN.


>
> > Thank you again for the review!
>
>   You're very welcome!
>
>   regards,
>
>   Dan.
>
>
>