[AFS3-std] draft-tkeiser-rxrpc-sec-clear and the node identifier problem

Simon Wilkinson simon@sxw.org.uk
Fri, 25 Feb 2011 00:17:04 +0000


On 24 Feb 2011, at 23:54, Tom Keiser wrote:

> What do people think of such a proposal?

My preference would be to require that new security layers include a place in which application specific data may be inserted to encode endpoint information. We'd then define both a "clear" security class that purely carries application specific data, and what that data should look like for the AFS-3 protocol. rxgk already contains space to carry this kind of data as part of the connection negotiation.

I had thought that our discussion in Edinburgh had concluded that the correct place for encoding endpoint information was during security layer establishment. However, rxrpc-sec-clear seems to be proposing that the information is carried as part of the security header on every packet. This is a significant overhead, especially given the limited size of rx/udp packets, and the existing security overhead on these. It's unclear to me what benefits attaching this header to every packet provides, in contrast to the significant performance impact it will cause on bulk transfers.

Cheers,

Simon.