Re: [P2PSIP] 10.3.1 Self-Generated Credentials

Wed, 30 Sep 2009 11:09:49 -0700

This is greater than the MTU of an xbox 360 but less than your averge router at 1492. Doesn't DTLS in OpenSSL already have the real path MTU after the handshake? If not I know it can do this for you. You can use that MTU and fragment your packets. 

Julian

Sent from my iPhone
On Sep 30, 2009, at 10:50 AM, Michael Chen <[email protected]> wrote: 


Julian,
I have no scientific data, just a personal concern. Consider a Reload STORE request with your 691 byte cert, the total fat (non- payload) on the wire for a UDP/DTLS transport is: 

DTLS header (13 bytes)
Reload header
  Forward header (38 bytes)
  Destination list (18 bytes, single hop)
Reload Message
  STORE (SIP_REGISTRATION)
    AOR
    RSA Signature (256 bytes)
Reload Security Block
  Certificates (691 bytes)
  Signer ID (20+ bytes)
  RSA Signature (256 bytes)
DTSL MAC and padding (20+ bytes)
These are rough numbers, and it total 1292 bytes excluding the AOR. It is very close to the 1500 byte network packet size (MTU). 

--Michael

jc wrote:


On Sep 24, 2009, at 9:35 PM, Michael Chen wrote:
I also want to point out that even with the most simple encoding (JDK keytool), a 1024 bit RSA public key certificate takes up 619 bytes. A production strength 2048 bit RSA cert is 880 bytes. If a peer can only be reached via UDP, the overhead of DTLS + Reload Signature on message leaves very little room for the relevant data fragment (e.g. 1500 packet size), which means UDP transport may be very inefficient. Transport overhead should be a separate discussion thread.
In my RELOAD implementation a 2048 bit RSA public key is 691 bytes long, see output below. Do you have statistics that show the current fragmentation algorithm to be sub-optimal? 
Julian

*
*
*Running 1 test case...*
*......................+++*
*........................+++*
*debug: RSA* junglecat::rsa::generate_key_pair(): Succeeded generating RSA key.* 
*..............................+++*
*..............+++*
*debug: RSA* junglecat::rsa::generate_key_pair(): Succeeded generating RSA key.* *debug: X509_NAME* junglecat::x509::allocate_common_name(const char*): Allocated* *debug: X509_NAME* junglecat::x509::allocate_common_name(const char*): Allocated* *debug: X509* junglecat::x509::generate_certificate(RSA*, RSA*, const char*, const char*, unsigned int, const EVP_MD*): Success* 
*Certificate:*
*    Data:*
*        Version: 3 (0x2)*
*        Serial Number: 1253857645 (0x4abc596d)*
*        Signature Algorithm: sha1WithRSAEncryption*
*        Issuer: CN=common_name_issuer*
*        Validity*
*            Not Before: Sep 25 05:47:25 2009 GMT*
*            Not After : Sep 25 06:47:25 2009 GMT*
*        Subject: CN=common_name*
*        Subject Public Key Info:*
*            Public Key Algorithm: rsaEncryption*
*            RSA Public Key: (2048 bit)*
*                Modulus (2048 bit):*
*                    00:ab:54:2c:7b:9a:d8:3c:4b:b8:08:46:04:ee:02:*
*                    51:8a:94:4c:62:58:d0:ed:50:f8:2f:5a:43:b2:b0:*
*                    aa:1a:7c:46:32:ad:93:b3:80:1b:dd:62:d7:72:14:*
*                    aa:0e:43:7c:6b:00:a6:56:f3:62:ed:b5:d4:ff:c4:*
*                    da:72:6c:ff:8c:75:a2:8a:0c:e9:fb:9d:f0:f3:6f:*
*                    d8:65:1e:85:7b:7c:91:cc:b3:8a:eb:f7:ff:1d:c7:*
*                    e0:9f:e5:d3:e0:d4:23:3a:e9:0a:9c:be:f7:fc:44:*
*                    59:3f:03:19:65:8c:fd:07:bd:40:c0:40:3c:04:8e:*
*                    46:5c:13:1a:85:68:d8:48:01:f9:03:75:98:e9:1f:*
*                    a7:bb:d7:75:c7:dc:6b:3c:eb:6e:6c:ee:21:73:94:*
*                    66:dd:d6:4a:13:79:7b:19:91:75:f8:14:0e:ba:dd:*
*                    01:79:83:0e:3f:e1:9a:10:ea:98:cc:ae:d5:41:d7:*
*                    2d:33:0e:ab:6c:be:49:d3:cd:dd:fe:f4:5e:0c:ef:*
*                    b8:cb:ae:bf:80:e4:cf:9e:66:86:42:2a:1c:3a:ca:*
*                    d0:d5:ab:ad:34:ba:eb:6e:2d:33:86:4e:29:e8:1b:*
*                    cb:ee:f4:d5:8f:2c:d1:f6:10:a6:84:4b:4f:05:2d:*
*                    17:31:09:03:bd:9e:63:32:0f:14:ae:a6:0c:74:aa:*
*                    0a:d3*
*                Exponent: 65537 (0x10001)*
*    Signature Algorithm: sha1WithRSAEncryption*
*        52:2a:cd:4d:f3:cc:c1:94:5e:5e:09:63:34:f6:fb:9b:c0:52:*
*        dc:98:90:30:88:44:bd:f6:73:0a:e2:ed:6c:f1:bc:26:f0:d9:*
*        72:c0:a7:d1:79:85:8d:f1:eb:4c:cc:d1:b0:73:fa:8f:de:e1:*
*        81:9d:32:fa:c6:c3:eb:37:5e:7f:30:c6:7e:a2:34:e0:d1:9d:*
*        af:a2:e7:00:59:68:eb:7c:f6:c1:6d:18:0e:f5:14:5e:cc:c9:*
*        f2:07:f1:60:a3:b4:a3:28:89:23:93:ac:14:d4:1e:69:f5:c7:*
*        b8:90:68:b7:f2:bc:70:6c:2b:7e:01:48:34:77:ae:67:b2:ff:*
*        0f:b7:15:c6:42:4c:9f:c6:dd:02:ed:06:9b:04:60:4a:74:52:*
*        ee:03:29:0e:e3:75:62:07:92:a3:48:f6:a4:f5:bb:8c:09:b0:*
*        cf:71:12:24:63:33:0f:9f:97:d4:ab:01:da:d7:d8:7f:c8:17:*
*        94:0e:70:03:7a:f0:5e:14:8b:ec:c8:11:d9:b4:b4:74:2c:4e:*
*        0c:56:35:c7:0f:b0:9e:6a:df:b2:63:68:3e:05:53:05:86:7c:*
*        45:82:a4:94:93:12:8e:b4:a2:0d:5f:29:d8:7d:52:d3:ab:8f:*
*        d4:cf:6f:26:b7:36:f6:5f:a4:c7:64:da:a2:ec:da:74:3b:e5:*
*        8d:2a:7b:21*

*X509 structure size: 92*
*RSA structure size: 88*
len:691

**** No errors detected*
*
*

_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip

Reply via email to