Journal of Omnifarious - Protocol design question

I'm using the count type. So the per-message overhead for the length field is very small. The MAC OTOH is much larger, but your other idea of using much smaller MAC for the intermediate values is a really interesting one. That would solve the "The MAC can be used to make it seem that the message ends early." problem since the final MAC would be required to be a full 256 bits.

It isn't exactly to allow intermediaries to save overhead. It's more to allow intermediaries more flexibility in dealing with messages in whatever way is efficient for them.

And to answer your other question, my main concern is a DoS attack on the recipient. But really nothing I can do will makes this even a tiny bit harder. It's just better for a recipient to advertise a maximum message size that it can deal with without using too many resources.

Yeah, you're right. *thumps head* Sometimes you just get caught in stupid thought traps.

Oh, I just remembered the real reason... :-) I don't want people who use the protocol to be able to make assumptions about chunk lengths being preserved. If the chunk lengths are forced to be preserved by the nature of the protocol, then it would be very tempting to use that fact.

I think I will be using your solution with short MACs. I'll just use a 16 bit MAC as a health check along the way, and a full MAC at the end. The MACs will not include message lengths, but truncation will be prevented because an intermediary will not be able to extend a short MAC into a full MAC to use at the end.

I don't know whether or not the intermediate health checks are useful. But I feel better putting them in, and they shouldn't be that big an efficiency burden given that the message header will typically be more than a hundred bytes anyway.

$ ./lengthtest.py 
Expected lengths (calculated with sample size 50000):
Distribution                    Scarab  BER     Cake
paretovariate(alpha=1)          1.01    2.00    1.00
paretovariate(alpha=1/2)        1.10    2.07    1.08
paretovariate(alpha=1/5)        1.61    2.49    1.66
paretovariate(alpha=1/10)       2.59    3.34    2.75
expovariate(lambd=1)            1.00    2.00    1.00
expovariate(lambd=1/10)         1.00    2.00    1.00
expovariate(lambd=1/100)        1.28    2.08    1.11
expovariate(lambd=1/1000)       1.88    2.77    1.80
expovariate(lambd=1/10000)      2.18    2.98    2.41
lognormvariate(mu=0,sigma=1)    1.00    2.00    1.00
lognormvariate(mu=0,sigma=10)   1.59    2.49    1.67
lognormvariate(mu=0,sigma=100)  9.01    8.98    8.44
lognormvariate(mu=1,sigma=1)    1.00    2.00    1.00
lognormvariate(mu=1,sigma=10)   1.68    2.56    1.78
lognormvariate(mu=1,sigma=100)  9.11    9.06    8.53
lognormvariate(mu=2,sigma=1)    1.00    2.00    1.00
lognormvariate(mu=2,sigma=10)   1.76    2.64    1.88
lognormvariate(mu=2,sigma=100)  9.19    9.13    8.61

I'm not overly concerned with efficiency beyond a certain point. And it looks like a CAKE count has a slight advantage there in most situations anyway.

ASN.1 has a reputation for being horribly obscure and painful to use. I don't know enough about Scarab to make a judgement. I would like to use something that was relatively nice and commonly accepted. Especially if lots of parsers existed for it already. Thinking about it, this makes D-BUS vaguely attractive, though that seems to have more other baggage than I want.

OTOH, I don't need the data format to be self-describing. Having type information encoded in the data isn't a negative if it doesn't impact efficiency, but I think it's largely superfluous for CAKE.

Also, your two responses were really helpful. :-) How did you find this post? How did you find my journal at all? :-)

Allowing messages to be transported in a bittorrenty sort of way is an interesting idea. I think the operative construct here would be a Merkle Hash Tree (http://open-content.net/specs/draft-jchapweske-thex-02.html#anchor2). This allows to you pick a fixed small block size and to allow arbitrary coalescing and splitting of message data on block-size boundaries. I believe that what a .torrent file largely consists of is all the hash data for just such a construct for a 64kibibyte blocksize.

It will be possible for recipients to advertise a maximum message size to the world. So forcing messages to be small and then be split up isn't really necessary. A recipient can make this happen by advertising a maximum message size that's fairly small.

But your ideas give me some other interesting ideas, which I'll try to detail in another reply. I want to catch a bus that is coming soon though.

Oh, it doesn't? I'm mildly disappointed. Those seemed so nice. :-)

There is a way to handle a hash tree where only the top level hash needs to be handed out centrally. Then any other node can send you data for a block plus at most log_b n hashes where b is the block size and n is the total file size in order for you to verify the block it sent. And usually it's a lot less.

I hate what LJ does to links posted by OpenID users.

Merkle Hash Trees

Hash tree from Wikipedia.

My other idea that's related is to implement certain services in CAKE using a peculiar underlying model.

Anytime static data is sent back, it's never sent back within the CAKE protocol that's requested. All that's sent back is the hash of the data that was requested. Then a separate step is done to fetch the data the hash represents. This allows all kinds of arbitrary caching mechanisms to be created to handle things. It solves a couple of what I consider a major problem with the web. First that a server always has to be reachable. Secondly, that server has to have the bandwidth to send everybody the data they're asking for.

Always using the root hash of a Merkle tree hash allows a LOT more flexibility in how caching schemes might be implemented.

Hmm, at first glance it's missing one of the more important ideas which is to identify recipients first and foremost by a hash of their public key, and use various other names for them as either locations or pet names.

The messages are datagrams, but it's unlikely that they will ever be sent directly over Ethernet. So the size of the frame of the medium they are sent with isn't very important. Each message would likely be a 'transactional unit' for whatever protocol is being implemented. For example, in the case of email each message would likely be a complete email message.

Now, message chunks are something completely different. For example in HTTP a web server will run a script that does not have an output length that's known in advance. So what the webserver does is capture the output of the script and periodically send the output its collected so far to the client. It prefixes this chunk with a length. There is a special tag (in HTTPs case, a 0 length chunk) indicating that no more chunks are to follow.

Someone else pointed out, there is no reason for intermediate nodes to be able to combine or split message chunks. It buys you very little in the way of storage or bandwidth efficiency, especially if you use a very compact encoding for the chunk lengths and intermediate hashes.

So, having all the lengths as trailers defeats the purpose in several ways. First, it requires that there be an EOM delimeter that's outside the protocol. Secondly, it is still vulnerable to message truncation, since a router can just drop trailing message chunks without invalidating things. Lastly it would be nice if the thing generating the message didn't have to keep track of all the chunks its sent so it can send a trailer with all that data.

Also, I will be using MACs, not signatures. This is because MACs can be spoofed by the recipient, and I explicitly want this. If you sign every single message you send then there is a log by which the person who gets your messages can later prove to the whole world that you sent them. One of the things about having a conversation that supposedly includes you outed on the Internet is that you can claim that you didn't necessarily say all that and that someone edited the conversation. With signatures instead of MACs, that can be proven to be a lie.