All for it, if we agree on the challenges with it (which i think are "easily"
solved).
My use-case is signing of objectives in flood-messages doing service
announcements,
e.g.: with my DNS-SD compatible approach (or any other approach).
1) We want the flooded message to be protected against replay attacks.
The usual way to do this is to include some form of sequence-number /
timestamp
into the signed object.
The existing grasp message element that could serve this purpose is the
session-id.
This is not in the objective. I think it's the most important choice anyhow
to decide
how to do replay protection / freshness. If we decide we can use the
session-id,
then we need to do some "virtual extended objective" against which the
signature is done,
which includes the session-id. I would be fine with it. Same think i think
UDP does
(or at least did in IPv4) for checksum.
2) Likewise, the signature MUST for the use-cases i am interested in protect the
locator-option for the objective, because that locator-option is how the
DDoS attack
would work, and if we want to permit third-party service announcements via
flood-message,
we at least want to make sure we know cryptographically who originated it.
Aka, maybe solution is:
Given an objective:
data-to-be-signed = [session-id, initiator, ?locator-option, objective ]
locator-option is included whenever it is also included in the flood-message
together with
the objective
objective-with-signature = [ ~objective, signature(data-to-be-signed) ]
Objectives just need to ensure that their format is such that tailing
signatures
can be recognized.
Cheers
Toerless
On Wed, Aug 24, 2022 at 06:35:33PM +0800, Sheng Jiang wrote:
> >If that's the case, we are on the wrong track. Should we be discussing
> >signing GRASP objectives, rather than messages?
>
> Agreed. We can work on a mechanism that can sign objectives first. Later,
> if there were use cases that signed objectives were not sufficient, we can
> define a flood message.
>
> Sheng
>
> On Wed, 24 Aug 2022 at 07:02, Brian E Carpenter <[email protected]>
> wrote:
>
> > On 23-Aug-22 21:56, Toerless Eckert wrote:
> >
> > > Agreed. My opininion is that the mandatory-to-verify is not at the
> > > level of the flood-message, but at the objective definition level.
> >
> > If that's the case, we are on the wrong track. Should we be discussing
> > signing GRASP objectives, rather than messages?
> >
> > In many ways, that would be much easier to design and retro-fit.
> >
> > Brian
> >
> > _______________________________________________
> > Anima mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/anima
> >
>
>
> --
> Sheng Jiang
--
---
[email protected]
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
