On Wed, Nov 26, 2008 at 01:20:42PM -0500, Peter Memishian wrote:
>
> > Rather than using the nwam-ESSID-BSSID as it currently does, nwam will
> > create an MD5/SHA1 (which one?) hash of the name(s) that it will use for
> > the names of secure objects. The name will be "nwam_hash". If the
> > tunable nwamd/strict_bssid from CR 6773627 is set, then the hash will be
> > of the string "ESSID-BSSID" ('-' between the two values), otherwise the
> > hash will be just "ESSID". Since libdladm has a length restriction of
> > DLD_SECOBJ_NAME_MAX (32) on the names, only the first 27 characters
> > from the hash will be used in the secobj name.
>
> How long a secobj name would you need to not have to worry about
> truncation?
If the allowed characters for secobj names allow for base64 encoding,
then you would need 43 bytes at least for 256-bit hashes, plus a prefix
to indicate that this is NWAM ("nwam-" is enough -- no need to add the
word "hash", but perhaps a hash function name would help).
I don't recommend using MD5 for this, nor SHA-1. It's not just the
recent breaks, but also the benefit of avoiding having to justify the
use of obsolete hash functions to whoever.
So I recommend a length limit of 64 characters, a limitation to US-ASCII
characters and encoding, and enough printable characters to support
base64 encoding ([a-zA-Z0-9] + two more characters, such as /, -, _,
...).
Nico
--
_______________________________________________
networking-discuss mailing list
[email protected]
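The sizing argument in the thread (a 256-bit hash needs 43 base64 characters, so a 32-character secobj name limit forces truncation while a 64-character limit does not) can be checked directly. The following is an added example, not code from nwam, libdladm or either poster; it assumes SHA-256 as the hash, base64url (the `-` and `_` characters Nico lists as acceptable) without `=` padding, and the "nwam-" prefix he suggests. The constant names and the `strict_bssid` behaviour mirror the quoted proposal; everything else is the example's own.

```python
import base64
import hashlib

# Limits discussed in the thread: libdladm's current secobj name limit and
# the 64-character limit Nico recommends. Prefix is the one he suggests.
DLD_SECOBJ_NAME_MAX = 32
PROPOSED_NAME_MAX = 64
PREFIX = "nwam-"

# Characters allowed in a name under this scheme: US-ASCII [a-zA-Z0-9] plus
# the two extra base64url characters '-' and '_' (assumption: this is the
# charset a constrained secobj name would accept).
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def network_key(essid, bssid=None, strict_bssid=False):
    """String that gets hashed: "ESSID-BSSID" when strict_bssid is set, else "ESSID"."""
    if strict_bssid:
        if bssid is None:
            raise ValueError("strict_bssid requires a BSSID")
        return f"{essid}-{bssid}"
    return essid


def hash_b64(key):
    """SHA-256 of the key, base64url-encoded without padding.

    32 digest bytes -> 44 base64 chars with one '=' of padding -> 43 without.
    """
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def secobj_name(key, name_max=DLD_SECOBJ_NAME_MAX):
    """Build "nwam-<hash>", keeping only as many hash characters as fit.

    Returns (name, truncated) so the caller can see whether the limit
    forced the hash to be cut short.
    """
    encoded = hash_b64(key)
    room = name_max - len(PREFIX)
    name = PREFIX + encoded[:room]
    return name, len(encoded) > room


def hash_bits_kept(name):
    """How many bits of the 256-bit digest survive in the name (6 per base64 char)."""
    return min(256, 6 * (len(name) - len(PREFIX)))


def valid_name(name, name_max):
    """True if the name fits the limit and uses only the allowed characters."""
    return len(name) <= name_max and all(c in ALLOWED for c in name)


if __name__ == "__main__":
    # Constructed sample network; the BSSID is a made-up value.
    key = network_key("home-wifi", "00:11:22:33:44:55", strict_bssid=True)
    for limit in (DLD_SECOBJ_NAME_MAX, PROPOSED_NAME_MAX):
        name, truncated = secobj_name(key, limit)
        print(f"limit={limit:2d} name={name} len={len(name)} "
              f"truncated={truncated} bits_kept={hash_bits_kept(name)} "
              f"valid={valid_name(name, limit)}")
```

With the 32-character limit only 27 hash characters fit after the prefix (162 of the 256 bits); with the 64-character limit the full 43-character encoding fits with room to spare, which is the point of Nico's recommendation.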