IETF Logo Mail Archive

[sidr] Keys and algorithms for Updates - feasibility analysis? (was Re: RPKI and private keys)

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 07 May 2012 18:58 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7545C21F85E5 for <sidr@ietfa.amsl.com>; Mon, 7 May 2012 11:58:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.205
X-Spam-Level:
X-Spam-Status: No, score=-2.205 tagged_above=-999 required=5 tests=[AWL=-1.021, BAYES_40=-0.185, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1dKpYQOF74cE for <sidr@ietfa.amsl.com>; Mon, 7 May 2012 11:58:35 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by ietfa.amsl.com (Postfix) with ESMTP id 19C8E21F8534 for <sidr@ietf.org>; Mon, 7 May 2012 11:58:31 -0700 (PDT)
Received: by wibhq2 with SMTP id hq2so719870wib.13 for <sidr@ietf.org>; Mon, 07 May 2012 11:58:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=IqRcpD360XO6+/4CWHFQ3VmkDO0oh4SE7uPEYGMN2GI=; b=1I4gZeAXpj0mOe/BkuQfzsBCwm3P6N1g2WYrCCxGtKxSKAwNv/O9dRm0sSSGNkm+GI ICKAElMiuZXu1TYzxinvGOeXSGTE6TEoNyA8uZtzXtLACZ2+SxbgVnsE4ERjyt5aYS4f /PwLeMRhtv1zQDOnV3sF2+d1g3p1ARGH3HIS0eIFZWFl1CBvJcQBoYIHWv3VQmFUuSUY VF5uRNpmJ4VuSnhpw8ZrCt1u2j13e22o4rB7hqqfi04l7NSoSjJ15+vs9VmVSxSFP7se AIQHgTcjElHno9louODD+tuk+m1axNj4OG3c6Gn21K0ZQuzYHuhcVm6iA9HH+lGzVa7Y yB7g==
MIME-Version: 1.0
Received: by 10.180.105.69 with SMTP id gk5mr43236014wib.3.1336417111287; Mon, 07 May 2012 11:58:31 -0700 (PDT)
Received: by 10.223.93.138 with HTTP; Mon, 7 May 2012 11:58:31 -0700 (PDT)
Date: Mon, 07 May 2012 14:58:31 -0400
Message-ID: <CAH1iCiruThFzpef5u9NVt+3AokGnuFhq-GrbqEOkkKnVhav4zQ@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: sidr wg list <sidr@ietf.org>
Content-Type: multipart/alternative; boundary="f46d04426f1430a89804bf76db1f"
Subject: [sidr] Keys and algorithms for Updates - feasibility analysis? (was Re: RPKI and private keys)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2012 18:58:36 -0000

At the interim meeting (30th of April 2012), I briefly discussed the
performance differential of doing something other than the proposed crypto,
for "signing" updates.

While the relative benefit I suggested, "100x - 1000x" raised some
eyebrows, it was something I thought worth exploring a bit further. It
turns out to be 7000x (to as much as 50,000x, depending on amount of
entropy desired.)

I did some simple benchmarks, to try to compare a very limited work-load,
apples-to-apples.

The test cases all presume everything/nothing regarding validation; I was
interested only in the absolute and relative workloads imposed by "signing"
when done by a bgpsec-speaker in sending to another bgpsec-speaker.

Any of the per-session (initialization overhead) was ignored, since that is
presumed only needed for setting up the initial state for the speakers'
session.

These test cases are designed to compare what is currently specified in the
-algorithms (and referenced via the -protocol) specs, to something based on
random data, where the latter would require some out-of-band method for
doing validation.

The results were a real eye-opener, and as such, I am hoping I'm not the
only one to have done this, and that there exists some of this kind of
testing, done previously.

So, what I'm asking is, have such results been published or shared to the
SIDR group, and if so, would someone please send me a link to them?

And if not, then maybe this is something that either needs to be discussed,
or is a big enough deal that I will feel obliged to work on my own stuff,
outside of SIDR.

Brian

Simple test results follow:
===================

Scenario 1:
perform basic update signature once, repeat for routing table of 400,000 in
size.
  signature operation:
     set message size to N bytes, representing size of previous sig, plus
added elements (receiver ASN, etc.)
     perform sha256 on message, producing digest
     perform ecdsa on digest, using secp256r1, producing signature

Scenario 1 platform: Macbook Pro late 2011, 15" (intel i7 single cpu,
dual-core, 8GB ram)
Scenario 1 results, estimated: 700 seconds

Scenario 2:
perform basic pseudo-signature once, repeat for routing table of 400,000 in
size.
  pseudo-signature operation:
     use N distinct pseudo-random number generators (PNRG), seeded
separately with state preservation (N=8 corresponds to 256 bits of entropy)
     call random() from each preserved state to generate a 32-bit random
number, concatenate the N x 32 bit values

Scenario 2 platform - same as Scenario 1
Scenario 2 results, estimated: 0.09 seconds

==================

While the 7000+ relative performance is pretty substantial, the absolute
time required is the deal-breaker.

Getting signatures attached to one copy of the routing table, being sent
over a single BGPSEC session, taking 700 seconds on modern commodity
hardware is beyond the pale.
And given that current generation hardware has CPUs at least an order of
magnitude slower, or possibly two orders of magnitude, suggests that
software-based bgpsec can never work.
The fact that bgpsec is strictly an overhead function, generating no
revenue, means that requiring hardware support for crypto is mandatory, for
every router in the signing path.

When this is contrasted with 0.09 seconds (for adding a high-entropy,
unique nonce, to every prefix on a copy of the full routing table sent over
a single session), the contrast is stark.

If alternatives to the heavy crypto have never been explored, maybe they
should be.

Yes, the OOB validation presents a challenge, for validation. But, given
that validation itself in the current protocol requires yet-to-be-designed
methods for getting certs onto routers (with the embedded public keys), I'm
not sure this is a de-facto valid criticism, or is at best hypocritical.

I suspect that while I may be participating as an observer in SIDR, without
looking at alternatives like this, the only real value I see in the work by
SIDR is the RPKI (and maybe rpki-rtr).

I do want to work on things that will provide protection against threats to
BGP.
However, the solution IMHO needs to be incrementally deployable, meaning on
existing classes of hardware.
And the threats need to include path shortening, route leaks, and
replay/withdrawl-blocking.

I'm not sure I expect responses from anyone in particular, but want to be
clear on where I see the important issues as lying.
If the work I'm interested in isn't something the WG wants to pursue,
that's okay - I'll pursue it on my own.

Regards,
Brian

v2.29.0 | Report a Bug | By Email | System Status