diff options
Diffstat (limited to 'draft-summermatter-set-union.xml')
-rw-r--r-- | draft-summermatter-set-union.xml | 71 |
1 files changed, 42 insertions, 29 deletions
diff --git a/draft-summermatter-set-union.xml b/draft-summermatter-set-union.xml index e0ea02f..4531e19 100644 --- a/draft-summermatter-set-union.xml +++ b/draft-summermatter-set-union.xml | |||
@@ -2390,7 +2390,7 @@ FUNCTION unpack_counter(ibf, offset, count, cbl, pd) | |||
2390 | # Returns: Salted value | 2390 | # Returns: Salted value |
2391 | 2391 | ||
2392 | FUNCTION se_key_salting(value, salt) | 2392 | FUNCTION se_key_salting(value, salt) |
2393 | s=(salt * 7) % 64 | 2393 | s = (salt * 7) % 64 |
2394 | return (value >> s) | (value << (64 - s)) | 2394 | return (value >> s) | (value << (64 - s)) |
2395 | 2395 | ||
2396 | ]]></artwork> | 2396 | ]]></artwork> |
@@ -2406,44 +2406,38 @@ FUNCTION se_key_salting(value, salt) | |||
2406 | 2406 | ||
2407 | <section anchor="security" numbered="true" toc="default"> | 2407 | <section anchor="security" numbered="true" toc="default"> |
2408 | <name>Security Considerations</name> | 2408 | <name>Security Considerations</name> |
2409 | |||
2410 | <t> | 2409 | <t> |
2411 | The security considerations in this document focus mainly on the security | 2410 | The security considerations in this document focus mainly on the security |
2412 | goal of availability. The primary goal of the protocol is to prevent an attacker from | 2411 | goal of availability. The primary goal of the protocol is to prevent an attacker from |
2413 | wasting cpu and network resources of the attacked peer. | 2412 | wasting computing and network resources of the attacked peer. |
2414 | </t> | 2413 | </t> |
2415 | <t> | 2414 | <t> |
2416 | To prevent denial of service attacks, it is vital to check that peers can only | 2415 | To prevent denial of service attacks, it is vital to check that peers can only |
2417 | reconcile a set once in a predefined time span. This is a predefined value and needs | 2416 | reconcile a set once in a predefined time span. This is a predefined value and needs |
2418 | to be adapted per use basis. To enhance reliability and to allow | 2417 | to be adapted per use basis. To enhance reliability and to allow |
2419 | failed decoding attempts in the protocol, it is possible to introduce a threshold for max failed reconciliation | 2418 | for legitimate failures, say due to network connectivity issues, |
2420 | ties. | 2419 | applications SHOULD define a threshold for |
2421 | </t> | 2420 | the maximum number of failed reconciliation attempts in a given time period. |
2422 | <t> | ||
2423 | The formal format of all messages needs to be properly validated. This is important to prevent many | ||
2424 | attacks on the code. The application data MUST be validated by the application using | ||
2425 | the protocol not by the implementation of the protocol. | ||
2426 | In case the format validation fails the set operation MUST be terminated. | ||
2427 | </t> | 2421 | </t> |
2428 | |||
2429 | <t> | ||
2430 | To prevent an attacker from sending a peer into an endless loop between active and passive decoding, a | ||
2431 | limitation for active/passive roll switches is required. This can be implemented by | ||
2432 | a simple counter which terminates the operation after a predefined number of switches. | ||
2433 | The number of switches needs to be defined in such a way that it is very unprobable that more | ||
2434 | switches are required an the malicious intend of the other peer can be assumed. | ||
2435 | </t> | ||
2436 | |||
2437 | <t> | 2422 | <t> |
2438 | It is important to close and purge connections after a given timeout | 2423 | It is important to close and purge connections after a given timeout |
2439 | to prevent draining attacks. | 2424 | to prevent draining attacks. |
2440 | </t> | 2425 | </t> |
2441 | <section anchor="security_generic_functions" numbered="true" toc="default"> | 2426 | <section anchor="security_generic_functions" numbered="true" toc="default"> |
2442 | <name>General Security Check</name> | 2427 | <name>General Security Checks</name> |
2443 | <t> | 2428 | <t> |
2444 | In this section general checks are described which should be applied to multiple states. | 2429 | In this section general checks are described which should be applied to multiple states. |
2445 | </t> | 2430 | </t> |
2446 | 2431 | ||
2432 | <section anchor="security_generic_input_validation" numbered="true" toc="default"> | ||
2433 | <name>Input validation</name> | ||
2434 | <t> | ||
2435 | The format of all received messages needs to be properly validated. This is important to prevent many | ||
2436 | attacks on the code. The application data MUST be validated by the application using | ||
2437 | the protocol not by the implementation of the protocol. | ||
2438 | In case the format validation fails the set operation MUST be terminated. | ||
2439 | </t> | ||
2440 | </section> | ||
2447 | <section anchor="security_generic_functions_check_byzantine_boundaries" numbered="true" toc="default"> | 2441 | <section anchor="security_generic_functions_check_byzantine_boundaries" numbered="true" toc="default"> |
2448 | <name>Byzantine Boundaries</name> | 2442 | <name>Byzantine Boundaries</name> |
2449 | <t> | 2443 | <t> |
@@ -2481,9 +2475,21 @@ FUNCTION END | |||
2481 | ]]></artwork> | 2475 | ]]></artwork> |
2482 | </figure> | 2476 | </figure> |
2483 | <t> | 2477 | <t> |
2484 | For the byzantine upper bound checks to function flawlessly, it needs to be ensured that the estimates of the set size | 2478 | For the byzantine upper bound checks to function |
2485 | difference added together never exceed the set byzantine upper bound. This could for example happen | 2479 | correctly, implementations must ensure that the |
2486 | if the strata estimator overestimates the set difference. | 2480 | estimates of the set size difference added together |
2481 | never exceed the set byzantine upper bound. This | ||
2482 | could for example happen if the strata estimator | ||
2483 | overestimates the set difference. | ||
2484 | <!-- FIXME: if an implementation does this, then | ||
2485 | the first two parts of the check are trivially | ||
2486 | satisfied; so likely we should formulate this | ||
2487 | not as a 'check' function to be _actually_ | ||
2488 | executed, but as a plausibility check which | ||
2489 | is to be applied after the SE calculation to | ||
2490 | the computed set size differences, resulting | ||
2491 | in a hard cap on the set size difference estimate | ||
2492 | that is then actually used. --> | ||
2487 | </t> | 2493 | </t> |
2488 | </section> | 2494 | </section> |
2489 | 2495 | ||
@@ -2510,13 +2516,13 @@ FUNCTION END | |||
2510 | # Returns TRUE if message is valid in state and FALSE if not | 2516 | # Returns TRUE if message is valid in state and FALSE if not |
2511 | 2517 | ||
2512 | FUNCTION check_valid_state (as, s) | 2518 | FUNCTION check_valid_state (as, s) |
2513 | FOR (as in as) | 2519 | FOR (as in as) ## FIXME: WTF? as in as??? Also: overall terrible way to do this -- where would 'as' come from? Also, I do not think this function SHOULD even be in the RFC (technically, all you want to say is 's in as'). |
2514 | IF (as == s) | 2520 | IF (as == s) |
2515 | RETURN TRUE | 2521 | RETURN TRUE |
2516 | END IF | 2522 | END IF |
2517 | FOR END | 2523 | FOR END |
2518 | RETURN FALSE | 2524 | RETURN FALSE |
2519 | FUNCTION END | 2525 | FUNCTION END # FIXME: you did not use FUNCTION END above... Be consistent! |
2520 | ]]></artwork> | 2526 | ]]></artwork> |
2521 | </figure> | 2527 | </figure> |
2522 | </section> | 2528 | </section> |
@@ -2708,9 +2714,16 @@ FUNCTION END | |||
2708 | <section anchor="security_generic_functions_active_passive_switches" numbered="true" toc="default"> | 2714 | <section anchor="security_generic_functions_active_passive_switches" numbered="true" toc="default"> |
2709 | <name>Limit Active/Passive Decoding changes</name> | 2715 | <name>Limit Active/Passive Decoding changes</name> |
2710 | <t> | 2716 | <t> |
2711 | The limitation of the maximum allowed active/passive changes during differential synchronisation is key | 2717 | To prevent an attacker from sending a peer into an endless loop between active and passive decoding, a |
2712 | to security. By limiting the maximum rounds in differential synchronisation an attacker can not waste | 2718 | limitation for active/passive roll switches is required. This can be implemented by |
2713 | unlimited amount of resources by just pretending an IBF does not decode. | 2719 | a simple counter which terminates the operation after a predefined number of switches. |
2720 | The number of switches needs to be defined in such a way that it is very unprobable that more | ||
2721 | switches are required an the malicious intend of the other peer can be assumed. | ||
2722 | </t> | ||
2723 | <t> | ||
2724 | Thus, the limitation of the maximum allowed active/passive changes during differential synchronisation is key | ||
2725 | to security. By limiting the maximum rounds in differential synchronisation an attacker can not waste | ||
2726 | unlimited amount of resources by just pretending an IBF does not decode. | ||
2714 | </t> | 2727 | </t> |
2715 | <t> | 2728 | <t> |
2716 | The question after how many active/passive switches it can be assumed that the other peer is not honest, | 2729 | The question after how many active/passive switches it can be assumed that the other peer is not honest, |