Re: [P2PSIP] 10.3.1 Self-Generated Credentials

Wed, 30 Sep 2009 19:19:43 -0700 

Julian,
My point is that what's left for Reload payload is 1492-1292 = 200 bytes. Many Reload messages will have to be fragmented. 

--Michael

jc wrote:

This is greater than the MTU of an xbox 360 but less than your averge 
router at 1492. Doesn't DTLS in OpenSSL already have the real path MTU 
after the handshake? If not I know it can do this for you. You can use 
that MTU and fragment your packets.


Julian

Sent from my iPhone


On Sep 30, 2009, at 10:50 AM, Michael Chen <[email protected]> 
wrote:



Julian,


I have no scientific data, just a personal concern. Consider a Reload 
STORE request with your 691 byte cert, the total fat (non-payload) on 
the wire for a UDP/DTLS transport is:


DTLS header (13 bytes)
Reload header
  Forward header (38 bytes)
  Destination list (18 bytes, single hop)
Reload Message
  STORE (SIP_REGISTRATION)
    AOR
    RSA Signature (256 bytes)
Reload Security Block
  Certificates (691 bytes)
  Signer ID (20+ bytes)
  RSA Signature (256 bytes)
DTSL MAC and padding (20+ bytes)


These are rough numbers, and it total 1292 bytes excluding the AOR.  
It is very close to the 1500 byte network packet size (MTU).


--Michael

jc wrote:


On Sep 24, 2009, at 9:35 PM, Michael Chen wrote:


I also want to point out that even with the most simple encoding 
(JDK keytool), a 1024 bit RSA public key certificate takes up 619 
bytes. A production strength 2048 bit RSA cert is 880 bytes. If a 
peer can only be reached via UDP, the overhead of DTLS + Reload 
Signature on message leaves very little room for the relevant data 
fragment (e.g. 1500 packet size), which means UDP transport may be 
very inefficient.  Transport overhead should be a separate 
discussion thread.



In my RELOAD implementation a 2048 bit RSA public key is  691 bytes 
long, see output below. Do you have statistics that show the current 
fragmentation algorithm to be sub-optimal?

Julian

*
*
*Running 1 test case...*
*......................+++*
*........................+++*

*debug: RSA* junglecat::rsa::generate_key_pair(): Succeeded 
generating RSA key.*

*..............................+++*
*..............+++*

*debug: RSA* junglecat::rsa::generate_key_pair(): Succeeded 
generating RSA key.*
*debug: X509_NAME* junglecat::x509::allocate_common_name(const 
char*): Allocated*
*debug: X509_NAME* junglecat::x509::allocate_common_name(const 
char*): Allocated*
*debug: X509* junglecat::x509::generate_certificate(RSA*, RSA*, 
const char*, const char*, unsigned int, const EVP_MD*): Success*

*Certificate:*
*    Data:*
*        Version: 3 (0x2)*
*        Serial Number: 1253857645 (0x4abc596d)*
*        Signature Algorithm: sha1WithRSAEncryption*
*        Issuer: CN=common_name_issuer*
*        Validity*
*            Not Before: Sep 25 05:47:25 2009 GMT*
*            Not After : Sep 25 06:47:25 2009 GMT*
*        Subject: CN=common_name*
*        Subject Public Key Info:*
*            Public Key Algorithm: rsaEncryption*
*            RSA Public Key: (2048 bit)*
*                Modulus (2048 bit):*
*                    00:ab:54:2c:7b:9a:d8:3c:4b:b8:08:46:04:ee:02:*
*                    51:8a:94:4c:62:58:d0:ed:50:f8:2f:5a:43:b2:b0:*
*                    aa:1a:7c:46:32:ad:93:b3:80:1b:dd:62:d7:72:14:*
*                    aa:0e:43:7c:6b:00:a6:56:f3:62:ed:b5:d4:ff:c4:*
*                    da:72:6c:ff:8c:75:a2:8a:0c:e9:fb:9d:f0:f3:6f:*
*                    d8:65:1e:85:7b:7c:91:cc:b3:8a:eb:f7:ff:1d:c7:*
*                    e0:9f:e5:d3:e0:d4:23:3a:e9:0a:9c:be:f7:fc:44:*
*                    59:3f:03:19:65:8c:fd:07:bd:40:c0:40:3c:04:8e:*
*                    46:5c:13:1a:85:68:d8:48:01:f9:03:75:98:e9:1f:*
*                    a7:bb:d7:75:c7:dc:6b:3c:eb:6e:6c:ee:21:73:94:*
*                    66:dd:d6:4a:13:79:7b:19:91:75:f8:14:0e:ba:dd:*
*                    01:79:83:0e:3f:e1:9a:10:ea:98:cc:ae:d5:41:d7:*
*                    2d:33:0e:ab:6c:be:49:d3:cd:dd:fe:f4:5e:0c:ef:*
*                    b8:cb:ae:bf:80:e4:cf:9e:66:86:42:2a:1c:3a:ca:*
*                    d0:d5:ab:ad:34:ba:eb:6e:2d:33:86:4e:29:e8:1b:*
*                    cb:ee:f4:d5:8f:2c:d1:f6:10:a6:84:4b:4f:05:2d:*
*                    17:31:09:03:bd:9e:63:32:0f:14:ae:a6:0c:74:aa:*
*                    0a:d3*
*                Exponent: 65537 (0x10001)*
*    Signature Algorithm: sha1WithRSAEncryption*
*        52:2a:cd:4d:f3:cc:c1:94:5e:5e:09:63:34:f6:fb:9b:c0:52:*
*        dc:98:90:30:88:44:bd:f6:73:0a:e2:ed:6c:f1:bc:26:f0:d9:*
*        72:c0:a7:d1:79:85:8d:f1:eb:4c:cc:d1:b0:73:fa:8f:de:e1:*
*        81:9d:32:fa:c6:c3:eb:37:5e:7f:30:c6:7e:a2:34:e0:d1:9d:*
*        af:a2:e7:00:59:68:eb:7c:f6:c1:6d:18:0e:f5:14:5e:cc:c9:*
*        f2:07:f1:60:a3:b4:a3:28:89:23:93:ac:14:d4:1e:69:f5:c7:*
*        b8:90:68:b7:f2:bc:70:6c:2b:7e:01:48:34:77:ae:67:b2:ff:*
*        0f:b7:15:c6:42:4c:9f:c6:dd:02:ed:06:9b:04:60:4a:74:52:*
*        ee:03:29:0e:e3:75:62:07:92:a3:48:f6:a4:f5:bb:8c:09:b0:*
*        cf:71:12:24:63:33:0f:9f:97:d4:ab:01:da:d7:d8:7f:c8:17:*
*        94:0e:70:03:7a:f0:5e:14:8b:ec:c8:11:d9:b4:b4:74:2c:4e:*
*        0c:56:35:c7:0f:b0:9e:6a:df:b2:63:68:3e:05:53:05:86:7c:*
*        45:82:a4:94:93:12:8e:b4:a2:0d:5f:29:d8:7d:52:d3:ab:8f:*
*        d4:cf:6f:26:b7:36:f6:5f:a4:c7:64:da:a2:ec:da:74:3b:e5:*
*        8d:2a:7b:21*

*X509 structure size: 92*
*RSA structure size: 88*
len:691

**** No errors detected*
*
*




_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip























					Reply via email to