[nanomsg] Re: accessing control IDs
- From: Martin Sustrik <sustrik@xxxxxxxxxx>
- To: nanomsg@xxxxxxxxxxxxx
- Date: Wed, 07 May 2014 07:47:38 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Drew,
> For one thing it requires allocating storage for this is in the
> messages. It is an interesting question how much storage is
> required but the naive implementation would be a 128-bit GUID. For
> a 4-byte messages this bloats the network traffic significantly.
> Particularly when there is a simple solution with zero
> overhead—pull the pipe key from nanomsg.
The pipe ID is not guaranteed to be permanently associated with a
single endpoint. Because of connects and disonnects you can get one
message with pipe ID 123 from peer A and next one with the same pipe
ID from peer B.
Thus, you could use the ID only as a hint to the oracle: "Do full
authentication, but start checking the peer known so far under ID 123."
That being the case, you can as well embed 2-byte or 4-byte random
integer to each message and use that as a hint. In former case the
probability of collision drops 65536x, in the latter 4294967296x,
which looks sufficient IMO.
As for the TCP level: If you are a MITM and you are able to intercept
the TCP connection to get the ID to used for a DoS attack, you can as
well send some fake RST packets to kill the old connection. Sending a
RST packet is definitely simpler than doing DPI.
Martin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTacj6AAoJENTpVjxCNN9YoGMH/iIo1Fcl4QgJCVtt10iPidcV
pwHdH1e4/e2sFyiRGG/urx1PNwWj/FOeDHcjuhTUG+GpGNOG9+4wbeIO9NGO5XIl
JXrq5FZexxnyBWfJdvzy83vC5iJyfEKe8GUkMQ45L0V/maD+/cfYLNf2a52ys2m7
uY2foYTG93ifur5xTQpzWZVNuCNYoPECwviQv+KG1xnVOUfdxOWRMaIx6C/eEmwd
WQAcHMmhz+XNfbNstwHSbGlhMtjAzBumOWos5mtR6NzRVcvelBvFhWKhATJB5kjc
IHMPqaonoGXl9oa0UC6ZNT/L9SFFYo4uat9XqnDUNci7HDpzjxZ8+A2PJ5tBG18=
=Cf0B
-----END PGP SIGNATURE-----
Other related posts:
