IETF Logo Mail Archive

Re: [sidr] Keys and algorithms for Updates - feasibility analysis? (was Re: RPKI and private keys)

Christopher Morrow <morrowc.lists@gmail.com> Mon, 14 May 2012 14:37 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CA5121F87F2 for <sidr@ietfa.amsl.com>; Mon, 14 May 2012 07:37:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.576
X-Spam-Level:
X-Spam-Status: No, score=-103.576 tagged_above=-999 required=5 tests=[AWL=0.023, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YkwzlybbIHxJ for <sidr@ietfa.amsl.com>; Mon, 14 May 2012 07:37:09 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id C42B121F87F1 for <sidr@ietf.org>; Mon, 14 May 2012 07:37:09 -0700 (PDT)
Received: by yhq56 with SMTP id 56so5231565yhq.31 for <sidr@ietf.org>; Mon, 14 May 2012 07:37:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=PnqsKbxaM4rhp5TIvJoZPzStCXRwgXv2MBJ9oOPhxGQ=; b=A5O2wSKKDzxwjRZo3Wrfe0uWci8oF0aJn6zqaJx5a+xywSNh4/UBwsImqv00P8ScLi W4u2biJwpQUzMoUfU1hlLskOlBuS7nfX5bAvgIR19QBpxNE5aghmi4sDK99YMY4L4wFD A1faAGIPmH7XMaLGiHmXPDgJgS1NpzL6Owj3MW5tYMmq4olAX77esZt0Icz68dDzkDdu STPjvDwQp3U2tLx0GlKAqlMviwNBLNidsNpoyR6JeDIJxI6sMy8PTqaCo3ziI4BzS4ig X/8cIUj5/mOUJe4goU1UuwwqVAhC8Ucok15894tnaAPRA3K7t7p2JoLFzvNYmAJp77J4 1z3A==
MIME-Version: 1.0
Received: by 10.60.9.102 with SMTP id y6mr11836944oea.46.1337006229274; Mon, 14 May 2012 07:37:09 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.182.166.71 with HTTP; Mon, 14 May 2012 07:37:09 -0700 (PDT)
In-Reply-To: <CAH1iCioSxfswyorBr8R+VpHCDcMqyA9QqYgog7C3wcoh17mRMw@mail.gmail.com>
References: <CAH1iCiruThFzpef5u9NVt+3AokGnuFhq-GrbqEOkkKnVhav4zQ@mail.gmail.com> <CAL9jLab2XT-4NWr8KyHKOiQMTWqE5cTavmEr4Uw+S4zhrA=YLA@mail.gmail.com> <CAH1iCiq3so54pE9XBM5Bp13xaERbmShipmCg=ckEySiDsh5ZPQ@mail.gmail.com> <D7A0423E5E193F40BE6E94126930C4930B990A66A8@MBCLUSTER.xchange.nist.gov> <CAH1iCirMKm1TbtBzWSKy=vHGLdYHvbtnXcwO1G9aG00n3DXmyw@mail.gmail.com> <D7A0423E5E193F40BE6E94126930C4930B990A6710@MBCLUSTER.xchange.nist.gov> <D7A0423E5E193F40BE6E94126930C4930B990A6716@MBCLUSTER.xchange.nist.gov> <CABFLmSTVmEUMYZmXNkbhSac0_jb0o-2nPG2_58Si0SGmF0podA@mail.gmail.com> <D7A0423E5E193F40BE6E94126930C4930B985DEF48@MBCLUSTER.xchange.nist.gov> <24B20D14B2CD29478C8D5D6E9CBB29F60F70871E@Hermes.columbia.ads.sparta.com> <CAH1iCio4_PaLFACs_cDZRV9c3iYhn93XqCrQrR5PD48bpyM3BA@mail.gmail.com> <CAL9jLab0aSJBpQTtbNLq_qLbxwhXj7Y3-_aqZVeMPoTB5C8DTA@mail.gmail.com> <CAH1iCioDW_mBWNyMy8K-jOrjdNqtnpQjdneSvWdRg0NWLNYV3w@mail.gmail.com> <CAL9jLabs4RtS-EsHP6DwtMbsQz6GJSCZrv24N118HMHYCDe_Sg@mail.gmail.com> <CAH1iCioSxfswyorBr8R+VpHCDcMqyA9QqYgog7C3wcoh17mRMw@mail.gmail.com>
Date: Mon, 14 May 2012 10:37:09 -0400
X-Google-Sender-Auth: MJc-CJP0NqogUyNq-fKGe8sgCIQ
Message-ID: <CAL9jLaYEjOhLvKV88QX_GygYqUWxV03J1CnRtDAPqXF0uENa2g@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, "Murphy, Sandra" <Sandra.Murphy@sparta.com>, "sidr wg list (sidr@ietf.org)" <sidr@ietf.org>
Subject: Re: [sidr] Keys and algorithms for Updates - feasibility analysis? (was Re: RPKI and private keys)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 May 2012 14:37:10 -0000

On Mon, May 14, 2012 at 10:27 AM, Brian Dickson
<brian.peter.dickson@gmail.com> wrote:
> We can't do the crypto without HW on some of the routers involved in
> deployment of bgpsec.
>
> I've heard just about everyone say that, quite possibly including yourself.

I don't think I've said that recently, one of the items brought out
during discussions of this was that often the hardware accelerators
for this are optimised for 'use one key a lot', not for 'swap in a new
key for every operation' (the key swap is very costly).

Sriram has some numbers for different co-processors which are
interesting, but I don't think that means we need on-board crypto
accelerators.

> One of the reasons for questioning the choice of crypto, is exploring the
> feasibility of solutions which do not require on-router HW for doing
> signing.

sure, but you also invented a whole other (seemingly complex) system
to keep track of data (nonces and such) across multiple
trust/administrative domains. it seems unwieldy, to me at least.

One of the larger stumbling blocks though is ram for RIB storage. (or
that seems to be one of the larger problems to address)

-chris

>
> Brian
>
>
> On Fri, May 11, 2012 at 9:23 PM, Christopher Morrow
> <morrowc.lists@gmail.com> wrote:
>>
>> On Fri, May 11, 2012 at 5:27 PM, Brian Dickson
>> <brian.peter.dickson@gmail.com> wrote:
>> > The argument that "we can't do the crypto without HW"
>>
>> i didn't see anyone say that though.
>
>

v2.29.0 | Report a Bug | By Email | System Status