[Cryptography] crypto software design advice; separate admin interface, or not?

ianG iang at iang.org
Tue May 6 17:15:35 EDT 2014


On 6/05/2014 05:46 am, Bear wrote:
> 
> I'm coding ...

> Now, my basic question here is, is there a good reason for this to have
> a separate administrative interface?
> 
> Someone could use the administrative interface to do things we don't 
> want strangers across the net to do, such as accessing link keys by
> port, dumping our (limited) routing information, shutting down the peer
> or something. The usual method of securing this would guard against that
> by having the admin interface on a separate port.  
> 
> But the fact of the matter is that nobody who isn't the real admin ought
> to be able to get an admin command accepted, because absolutely every
> packet is encrypted and nobody else ought to have the admin's key. So
> the admin can (and maybe should?) just connect using the listener, like
> any peer. 
> 
> I like this because it would make the program simpler; no separate admin
> interface means not as many special cases and not as much complexity to
> set it up or administrate it.

If you trust your crypto then this is a way to deliver more value from
it.  More reliability over all as you just have one crypto-channel to
worry about and improve.

Also, if you do trust your crypto, but wonder how to detect attacks,
then it is likely that the admin interface is a higher value target than
any particular pass-thru traffic, so you'll see more attention to that
key.  Watch it more closely, ignore the rest?  Speculation...


> But is it reasonable to accept
> (encrypted) admin commands on a regular port accessible to random remote
> peers? 


If one is doing some form of high security setup then one would likely
have the admin access come in through another net / interface.  This
might be as simple as adding an option to open two sockets and combine
them into one incoming stream internally.  Or as differentiated as only
allowing UNIX style commands in some fashion, so the admin has to SSH in
and run some local command.

Also, if you are subject to DoS considerations then flooding on the
traffic channel will also impact admin access.

But I agree that having one single channel makes a lot of sense, from a
software engineering perspective.

> Opinions?


Opinions!

iang
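As an added illustration of the "two sockets, one internal stream" option discussed above (my own example, not Bear's or iang's code): a peer listener and an admin listener are merged by a selector into a single dispatcher; a keyed MAC stands in for the encrypted channel's authentication, and the listener a frame arrived on is checked as a second condition for admin commands, so holding the admin key is not by itself enough over the peer port. Key names, command names and the framing are constructed for the demo.

```python
import hashlib
import hmac
import json
import selectors
import socket

# Constructed demo keys; in the real design they are the link keys the encrypted channel negotiated.
KEYS = {"admin": b"constructed-admin-key", "peer7": b"constructed-peer-key"}
ADMIN_COMMANDS = {"dump_routes", "shutdown", "link_keys"}
PEER_COMMANDS = {"route", "relay"}

def frame(ident, key, msg):
    """Sender side: ident line, then a MAC over the JSON body (stands in for the channel's AEAD)."""
    body = json.dumps(msg).encode()
    return ident.encode() + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode() + body

def unframe(data):
    """Receiver side: (ident, msg) only if the tag verifies under ident's key, else None."""
    ident, _, rest = data.partition(b"\n")
    key, tag, body = KEYS.get(ident.decode()), rest[:64], rest[64:]
    if key is None or not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest().encode()):
        return None
    return ident.decode(), json.loads(body)

def decide(origin, ident, msg):
    """One dispatcher for both listeners: the key proves identity, the listener is a second check."""
    cmd = msg.get("cmd")
    if cmd in ADMIN_COMMANDS:
        if ident != "admin":
            return "reject: admin command from non-admin key"
        if origin != "admin":
            return "reject: admin command on peer listener"
        return "admin ok: " + cmd
    return "peer ok: " + cmd if cmd in PEER_COMMANDS else "reject: unknown command"

def serve_once(listeners):
    """Merge the sockets into one stream: read each ready socket, tag it with its origin, dispatch."""
    with selectors.DefaultSelector() as sel:
        for origin, sock in listeners.items():
            sel.register(sock, selectors.EVENT_READ, data=origin)
        results = []
        for key, _ in sel.select(timeout=1.0):
            parsed = unframe(key.fileobj.recv(4096))
            results.append("reject: bad tag" if parsed is None else decide(key.data, *parsed))
    return results

def demo_sockets():
    """Demo stand-in for two bound listeners: ({origin: server_end}, {origin: client_end}) socketpairs."""
    pairs = {origin: socket.socketpair() for origin in ("peer", "admin")}
    return {o: p[0] for o, p in pairs.items()}, {o: p[1] for o, p in pairs.items()}
```

The DoS point in the reply shows up naturally here: because the admin socket is registered separately, a flood on the peer socket fills only that socket's buffer, and the selector still reports the admin socket as ready.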