Presentation is loading. Please wait.

Presentation is loading. Please wait.

SEND Linux Implementation Report Jonathan Wood DoCoMo USA Labs IETF 58 November 2003.

Published byGiles Green Modified over 8 years ago

Similar presentations

Presentation on theme: "SEND Linux Implementation Report Jonathan Wood DoCoMo USA Labs IETF 58 November 2003."— Presentation transcript:

1 SEND Linux Implementation Report Jonathan Wood DoCoMo USA Labs IETF 58 November 2003

2 Overview Platform –Linux 2.5 / 2.6 –OpenSSL 0.9.7 (for crypto and ASN.1) –Radvd 0.7.2 (modified for secure RD) –Iproute2 2.4.7 (modified for CGAs) Complete implementation of SEND, no major issues found –Implementing a robust timestamp cache is tricky, however.

3 Design SEND not performance critical, so keep as much as possible out of the kernel Userspace: –Public key crypto –General ASN.1 –DCS/DCA –Utilities and management Userspace daemon handles crypto and RD operations for kernel

4 Design Kernel –CGA verification and generation –Specialized ASN.1 parser for CGA parameters –Primary focus is to hand all other secure ND and RD tasks off to userspace daemon –Keeps secure ND and RD processing out of the interrupt context

5 Complexity RD Certificate profile is single most complex piece (~3800 lines of code) CGA: ~2200 lines (kernel + user, including management tool) User crypto: ~1200 lines (mostly OpenSSL glue) Additional kernel code: ~2800 lines

6 Rough Performance Numbers Two hosts, 1.2GHz Pentium IV 100MBit Ethernet CGA Sec: 1 1024 bit RSA keys ND –Flush neighbor cache –Send a ping (Invoking secure ND) –Ping reports RTT –Instrumented code reports crypto timings

7 ND Numbers Average first ping RTT (requiring secure ND): 24ms Crypto took 21ms on average –Signing is slow, verification is fast For reference: –Average ping RTT (with insecure ND): 0.46ms –Average ping RTT (without ND): 0.13ms

8 ND Numbers Detail

9 RD Numbers Certificate chain four deep, each certificate with PKIX IP Extensions Two scenarios: –RA receiver does not have certificates cached, so it must use DCS/DCA exchange (slower) –RA receiver has all needed certificates cached Measured time from sending RA until receipt of DAD NS.

10 RD Without Cached Certificates Average total time: 31ms Crypto took 27ms on average Procedure: –Delete autoconfigured address on host, if necessary –Flush host’s certificate cache –Send RA –Sniffer and instrumented code reports timings

11 RD Detail (Uncached)

12 RD with Cached Certificates No DCS/DCA exchange needed Average total time: 13ms Average crypto time: 10ms Proceedure: –Delete autoconfigured address on host, if necessary –Send RA –Sniffer and instrumented code reports timings

13 RD Detail (cached)

14 Conclusion Implementing SEND is straightforward. –No major problems. Performance is about 2 orders of magnitude slower than without SEND. –Public key crypto is performance intensive. But ND and RD are not typically critical path items. –Mobility may need attention.

Download ppt "SEND Linux Implementation Report Jonathan Wood DoCoMo USA Labs IETF 58 November 2003."

Similar presentations

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Doc.: IEEE 802.11-02/243r0 Submission March 2002 James Kempf, DoCoMo LabsSlide 1 802.11 and IP James Kempf Seamoby WG Co-chair DoCoMo Labs USA

Doc.: IEEE /243r0 Submission March 2002 James Kempf, DoCoMo LabsSlide and IP James Kempf Seamoby WG Co-chair DoCoMo Labs USA
Network Security: Lab#2 J. H. Wang Apr. 28, 2011.

Network Security: Lab#2 J. H. Wang Apr. 28, 2011.
IPv6 Introduction What is IPv6 Purpose of IPv6 (Why we need it)Purpose of IPv6 IPv6 Addressing Architecture IPv6 Header ICMP v6 Neighbor Discovery (ND)

IPv6 Introduction What is IPv6 Purpose of IPv6 (Why we need it)Purpose of IPv6 IPv6 Addressing Architecture IPv6 Header ICMP v6 Neighbor Discovery (ND)
Recommendations for IPv6 in 3GPP Standards draft-wasserman-3gpp-advice-00.txt IPv6-3GPP Design Team Salt Lake City IETF December 2001.

Recommendations for IPv6 in 3GPP Standards draft-wasserman-3gpp-advice-00.txt IPv6-3GPP Design Team Salt Lake City IETF December 2001.
© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 Chapter 5 Threads 2 Contents  Overview  Benefits  User and Kernel Threads  Multithreading Models  Solaris 2 Threads  Java Threads.

1 Chapter 5 Threads 2 Contents  Overview  Benefits  User and Kernel Threads  Multithreading Models  Solaris 2 Threads  Java Threads.
Enabling Efficient On-the-fly Microarchitecture Simulation Thierry Lafage September 2000.

Enabling Efficient On-the-fly Microarchitecture Simulation Thierry Lafage September 2000.
March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,

March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,
Emulatore di Protocolli di Routing per reti Ad-hoc Alessandra Giovanardi DI – Università di Ferrara Pattern Project Area 3: Problematiche di instradamento.

Emulatore di Protocolli di Routing per reti Ad-hoc Alessandra Giovanardi DI – Università di Ferrara Pattern Project Area 3: Problematiche di instradamento.
13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00.

13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00.
System Configuration: DHCP and Autoconfiguration Chapter 6.

System Configuration: DHCP and Autoconfiguration Chapter 6.
Gaia Context and Location-Aware Encryption for Pervasive Computing Environments Jalal Al-MuhtadiRaquel Hill Roy Campbell Dennis Mickunas University of.

Gaia Context and Location-Aware Encryption for Pervasive Computing Environments Jalal Al-MuhtadiRaquel Hill Roy Campbell Dennis Mickunas University of.
Chapter 11 Monitoring and Analyzing the Web Environment.

Chapter 11 Monitoring and Analyzing the Web Environment.
1 Network Packet Generator Characterization presentation Supervisor: Mony Orbach Presenting: Eugeney Ryzhyk, Igor Brevdo.

1 Network Packet Generator Characterization presentation Supervisor: Mony Orbach Presenting: Eugeney Ryzhyk, Igor Brevdo.
IPhone Security: Understanding the KeyChain Nicholis Bufmack and Ryan Thomas CS 691 Summer 2009.

IPhone Security: Understanding the KeyChain Nicholis Bufmack and Ryan Thomas CS 691 Summer 2009.

Similar presentations

Ads by Google