[cryptography] cjdns review

Jonas Wielicki development at sotecware.net
Fri Oct 5 09:20:50 EDT 2012


On 05.10.2012 10:58, Guus Sliepen wrote:
> I found a benchmark here: https://github.com/cjdelisle/cjdns/blob/master/rfcs/benchmark.txt
> 
> So it seems that it is not as slow as I suspected: it can forward packets at a
> rate of 7 Gbit/s on an Opteron 6128. 
I think you have misread. The benchmark actually shows 700Mb/s, not
7Gb/s. Just pointing it out to avoid confusion when checking local
performance.

Also, cjd (aka Caleb James DeLisle, developer of cjdns) asked me to
share some words from him to this list (edited for readability):

<cjd>
There are 3 (or possibly 2) layers of encryption on cjdns traffic. The
innermost layer is the end-to-end crypto which most people agree makes
sense. The outermost layer (hop-to-hop) is entirely optional since you
can speak with your neighbor in any protocol you and he can agree on.
This leaves the middle layer, which is between "routers". Since traffic
only needs to be sent to another router if a path to its final
destination is not known, router-to-router traffic is not as common as
one would expect.
From a security perspective, the most troubling fact is that poly1305
authentication is switched off for the inner 2 layers of crypto to save
overhead, relying instead on the TCP/UDP checksum to indicate forgery.
This can however easily be fixed by sending an "authenticate packets"
bit when beginning a session.
The implementation just currently chooses not to.
</cjd>

-- Jonas
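
To illustrate the point in cjd's note about relying on the TCP/UDP checksum instead of Poly1305, here is an added example that is not part of the original message and is not cjdns code. It is a toy model with hypothetical names: a SHA-256 counter-mode keystream stands in for the stream cipher, and a trailing RFC 1071 checksum stands in for the inner TCP/UDP checksum. It shows a checksum-only receiver accepting a ciphertext that was edited in transit, while a receiver that checks a Poly1305 tag rejects it.

```python
import hashlib, hmac, struct

def poly1305(otk, msg):
    """One-time authenticator of RFC 8439 section 2.5; otk is a 32-byte one-time key."""
    r = int.from_bytes(otk[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, p, acc = int.from_bytes(otk[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def inet_checksum(data):
    """RFC 1071 ones' complement checksum, the kind TCP and UDP carry (unkeyed)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return struct.pack(">H", ~total & 0xFFFF)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, n):
    """Toy stream cipher (SHA-256 in counter mode): a stand-in, not cjdns's cipher."""
    blocks = (hashlib.sha256(key + struct.pack(">Q", i)).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    """Encrypt data plus its checksum; return (ciphertext, Poly1305 tag over it)."""
    body = data + inet_checksum(data)
    ct = xor(body, keystream(key, len(body)))
    otk = hashlib.sha256(b"otk" + key).digest()  # must be fresh per message in real use
    return ct, poly1305(otk, ct)

def open_checksum_only(key, ct):
    """Receiver with authentication off: the inner checksum is the only check."""
    body = xor(ct, keystream(key, len(ct)))
    return body[:-2] if inet_checksum(body[:-2]) == body[-2:] else None

def open_authenticated(key, ct, tag):
    """Receiver with authentication on: verify the tag before decrypting."""
    otk = hashlib.sha256(b"otk" + key).digest()
    ok = hmac.compare_digest(poly1305(otk, ct), tag)
    return open_checksum_only(key, ct) if ok else None

def rewrite_in_transit(ct, old, new):
    """Keyless edit by a party that knows the plaintext: XOR old^new into the ciphertext."""
    return xor(ct, xor(old + inet_checksum(old), new + inet_checksum(new)))

KEY, OLD, NEW = b"k" * 32, b"route via node A", b"route via node B"  # constructed sample
```

The checksum does catch a random bit flip, which is why it works as an error detector; it fails as a forgery detector because it is unkeyed and anyone can recompute it.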


