> On Sep 8, 2025, at 3:26 AM, Vasilenko Eduard via NANOG 
> <[email protected]> wrote:
> 
> Sorry. It looks like I was not clear enough. My question was not related to 
> the discussed MD5 strength that occurred during the last week.
> Public key is not needed very often, no need to pay attention to the speed of 
> fingerprint generation.
> I was talking about Hash usage in many networking protocols, where it delays 
> a network control plane message.

You'd have to be clearer about what protocol and what hash you're asking after.

Two of the common cases where such things show up are for authentication and for 
integrity checks.

For authentication in control protocols, the balance you're looking for is 
being able to do the operation fast enough for expected traffic load among all 
of the other work being done by the system.  If you're lucky, you might have 
hardware support for the cryptographic operation.  For control planes, 
sometimes it's just the router's general purpose CPU.  Easy examples of this 
sort of thing are the authentication fields for the IGPs, or for TCP-MD5/TCP-AO 
used by BGP, LDP, etc.

For integrity checks, you have a set of data you're trying to provide a 
short-hand as to whether it's been passed around intact.  You'll often see this 
for detached file signatures, although protocols may do similar things for 
internal checksum purposes as well.

Cryptography of any sort can be an attack on the device implementing it.  Use 
expensive ciphers and do volumetric attacks that cause that code to run, you'll 
burn CPU in some cases.  Most protocols try to do the cryptographic checks far 
down their validation procedures.

A regular conversation for BFD, as an example, is how often you want to do some 
bit of cryptography.  Line card CPUs are usually puny and MIGHT have access to 
some hardware support for common ciphers like MD5/SHA-1/SHA-2.  BFD sends tiny 
packets often some tens of ms apart.  Now scale that up to a potentially large 
number of sessions on a line card.  Using better ciphers, if you want 
authentication (many don't) gets expensive, so there's a need to potentially 
think differently about when you do it.  For example:

https://datatracker.ietf.org/doc/html/draft-ietf-bfd-optimizing-authentication

-- Jeff

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/[email protected]/message/5TO3EN2JS7YO4CVNTPLY56ZO7VAUQ55Y/
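The two points in Jeff's reply that lend themselves to a worked example are the ordering of checks (cheap syntactic validation before the keyed hash, so a volumetric flood doesn't buy hash computations) and the per-line-card budget when many short-interval sessions each carry an authentication field. The block below is an added illustration, not code from the message, from any vendor, or from the BFD specification: the packet layout is a constructed stand-in (version, flags, length, session id, payload, keyed hash) rather than the real BFD wire format, and HMAC is assumed as the keyed hash. The session table, key, and the 1000-sessions-at-50-ms figure are all constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Constructed, simplified authenticated control-plane packet (hypothetical
# layout, NOT the RFC 5880 BFD wire format): version, flags, total length,
# session id, payload, then a keyed hash over everything before it.
HEADER_FMT = "!BBHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 8 bytes
PROTO_VERSION = 1
ALGO = "sha256"                             # assumption: HMAC-SHA256 as the keyed hash
DIGEST_LEN = hashlib.new(ALGO).digest_size  # 32 bytes


def build_packet(session_id, payload, key):
    """Sender side: header + payload + HMAC(key, header || payload)."""
    length = HEADER_LEN + len(payload) + DIGEST_LEN
    header = struct.pack(HEADER_FMT, PROTO_VERSION, 0, length, session_id)
    mac = hmac.new(key, header + payload, ALGO).digest()
    return header + payload + mac


def validate_packet(pkt, sessions):
    """Receiver side. Returns (accepted, reason).

    The cheap syntactic checks (size, version, length field, known session)
    run first; the keyed hash is computed only for packets that pass them, so
    a flood of malformed or unknown-session packets costs no hash work."""
    if len(pkt) < HEADER_LEN + DIGEST_LEN:
        return False, "short"
    version, _flags, length, session_id = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if version != PROTO_VERSION:
        return False, "version"
    if length != len(pkt):
        return False, "length"
    key = sessions.get(session_id)
    if key is None:
        return False, "unknown session"
    body, mac = pkt[:-DIGEST_LEN], pkt[-DIGEST_LEN:]
    expected = hmac.new(key, body, ALGO).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "bad mac"
    return True, "ok"


def packets_per_second(num_sessions, interval_ms):
    """Keyed-hash verifications per second if every peer transmits each interval_ms."""
    return num_sessions * 1000.0 / interval_ms


def measure_hash_cost_us(algo, packet_len, key, iterations=20000):
    """Rough microseconds per HMAC of a packet_len-byte message on this host."""
    msg = b"\x00" * packet_len
    t0 = time.perf_counter()
    for _ in range(iterations):
        hmac.new(key, msg, algo).digest()
    return (time.perf_counter() - t0) / iterations * 1e6


def core_fraction(num_sessions, interval_ms, cost_us):
    """Fraction of one CPU core spent only on MAC verification."""
    return packets_per_second(num_sessions, interval_ms) * cost_us / 1e6


if __name__ == "__main__":
    key = b"constructed-demo-key"       # constructed sample value, not a real key
    sessions = {7: key}                 # constructed session table
    pkt = build_packet(7, b"hello", key)
    print(validate_packet(pkt, sessions))                          # (True, 'ok')
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print(validate_packet(tampered, sessions))                     # (False, 'bad mac')
    print(validate_packet(build_packet(9, b"x", key), sessions))   # (False, 'unknown session')
    # Budget: 1000 sessions at 50 ms is 20000 verifications/s; compare hashes.
    for algo in ("md5", "sha1", "sha256"):
        cost = measure_hash_cost_us(algo, len(pkt), key)
        print(f"{algo:6s} {cost:6.2f} us/pkt  "
              f"{core_fraction(1000, 50, cost):.3f} of a core at 1000 sessions / 50 ms")
```

The numbers the benchmark prints are for whatever general-purpose CPU runs it, which is the optimistic case; a line-card CPU without hash offload will be slower, and the fraction-of-a-core figure is what drives the "when do you actually do the check" question the draft Jeff links addresses. The validation order is the other half: an unknown session id or a bad length is rejected before any key is looked up or any hash is run.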
