Re: [secdir] secdir review of draft-ietf-alto-protocol

"Dan Harkins" <> Mon, 03 February 2014 03:09 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 798A91A0036; Sun, 2 Feb 2014 19:09:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.968
X-Spam-Status: No, score=-1.968 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2w4nez2vo28i; Sun, 2 Feb 2014 19:09:00 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 293F21A0032; Sun, 2 Feb 2014 19:09:00 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id E29611022400A; Sun, 2 Feb 2014 19:08:50 -0800 (PST)
Received: from (SquirrelMail authenticated user by with HTTP; Sun, 2 Feb 2014 19:08:51 -0800 (PST)
Message-ID: <>
In-Reply-To: <>
References: <> <>
Date: Sun, 02 Feb 2014 19:08:51 -0800
From: Dan Harkins <>
To: Jeffrey Hutzelman <>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: Re: [secdir] secdir review of draft-ietf-alto-protocol
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 03 Feb 2014 03:09:01 -0000

On Sun, February 2, 2014 11:33 am, Jeffrey Hutzelman wrote:
> On Sat, 2014-02-01 at 10:54 -0800, Dan Harkins wrote:
>>  Also, given those
>>      restrictions and the fact that a tag just has to be less than
>>      or equal to 64 octets, the probability of identical tags being
>>      used is not zero. I think the probability of the tag from
>>      example is 0.5 to collide with one of just 460
>>      other Network Maps.
>>      I suggest requiring a tag to be 64 octets. That will make
>>      even money probability of collision among nearly 3000
>>      other Network Maps, which is safer.
> OK, maybe I'm confused and reading out of context here.  But I once had
> someone tell me I needed to change my 5-character username because they
> were requiring all usernames to be at least 6 characters, _in order to
> increase the number of possible usernames_.  That is, they claimed they
> were increasing the size of a namespace by eliminating possible names.

  Well that's a hair brained policy, but username selection is not a good
analogy. I was at a company that had no strict requirements on a username
so there should have been a near infinite size of the namespace. But we had
a collision when the company had less than 10 employees because there
was another "dan" at the company.

> The point is, if a tag is required to be exactly 64 octets, you get
> 0x5e^64 possible tags.  But if it is required to be up to 64 octets, you
> get Sum(i=0..64) 0x5e^i possible tags, which is strictly greater than
> 0x5e^64.  So, requiring a tag to be 64 octets _reduces_ the number of
> possible tags, thereby increasing the chance of collision.

  That would be the case if all tags in the Sum(i=1..64) 0x5e^i tagspace
were equally probable of being chosen. Which implies implementations
choosing a random tag length for each tag generated in addition to a
random tag selection scheme for the randomly chosen length. I suspect,
though, that in practice the tag length will be fixed for a particular
implementation and the tag selection scheme will not necessarily be
random. So the herd mentality, plus the proliferation of one or two
companies' ALTO servers, will result in a severely reduced size of the
effective tagspace and the increased possibility of collisions.

  A tag generated as SHA256(NetworkMap) represented in 64 hex
characters would basically guarantee you'd never have a collision.
Saying, "it can be anything you want as long as it's less than 64
octets" would not.