KEYDIST mailing list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: keydist@cafax.se
Cc: bmanning@isi.edu (Bill Manning)
From: Bill Manning <bmanning@isi.edu>
Date: Fri, 4 Oct 2002 13:05:57 -0700 (PDT)
Sender: owner-keydist@cafax.se
Subject: spinning thread


This is a summary of the thread that I promulgated last month on this list.
Its not ID-worthy, but its useful (to me) to have the thoughts in one place.
	----------------------
        experimenting with DS keys of various lengths shows that
        when keys are over a certain size, UDP fragmentation sets
        in.  In some cases, it is possible to actually get rollover
        to TCP (although this seems to be a corner case)

        now I've been told that UDP fragmentation can be a bad thing,
        leading to all sorts (well some kinds anyway) of odd
        operational failures that are hard to debug.  UDP failure
        and rolling over to TCP is also considered a bad thing.

        so this question, "should key lengths be selected to
        avoid fragmentation/TCP use?"

        if so, why?
        if not, why not?

        testing was done using single keys.  RSA/SHA1 keys of 512 & 1024
        bits, which generated "reasonable" packets.  RSA/SHA1 keys of 4096
        bits, generated UDP fragmentation. Multiple keys will aggrevate the
        issue.

        Somewhat sidenote:  there has been some discussion that RSA keys
        over 2048 in length incurred a significant performance impact over
        smaller keys.  This performance impact hits the resolver though,
        "on the wire" usage wasn't mentioned.  Further testing is needed.


Thoughtful responses follow:

-  "no" I don't think operational issues should dictate key
   lengths, but huge keys don't necessarily mean more secure either :)

-  some IDS/firewalls toss UDP packets larger than 512 bytes. Maybe the
   right answer is to tune the EDNS packet size to avoid UDP
   fragmentation?  4096 is bigger than most MTUs, but 1280 probably isn't,
   and should be enough for most common responses.

- this is not just a server/resolver issue. if transit infrastructure is
  making assumptions on "viable" datagram sizes, we will have to make a
  tradeoff in recommended key lengths.
  In an ideal world, security reasons (whatever that means) may be the only
  vector for selecting length.  This being the "real" world, it may be that
  to be useful, one has to trade of between "enough" crypto-strength and the
  ability to deliver the key(s) to the intended target.)

- one experience is that keeping DNSSEC messages (plus overhead) below a
  MTU of 1500 can be sort of difficult and too restrictive besides.


- a general opinion is that the firewall or router that drops UDP fragments
  or large UDP packets is broken and will need to be upgraded/replaced.
  if clients behind such broken devices set their EDNS0 max buffer size to
  something that will fit in the MTU, everything should work.  There will
  probably be a lot of TCP DNS traffic, but it should work.


Acknowledgements:

        David Blacka  Scott Rose  Brian Wellington
        Mark Andrews  Ed Lewis  Joahn Ihren  Olaf M. Kolkman

--bill manning
-- 
--bill

Prev by Date: Re: I intend to have a document ready for Atlanta on this subject.
Next by Date: Re: I intend to have a document ready for Atlanta on this subject.
Prev by thread: Re: I intend to have a document ready for Atlanta on this subject.
Next by thread: [vet-DS] November testing
Index(es):
- Date
- Thread

Home | Date list | Subject list