[langsec-discuss] Parallel Systems/Automata

Felix 'FX' Lindner fx at recurity-labs.com
Tue Jun 18 19:31:55 UTC 2013


Hi,

On Tue, 18 Jun 2013 10:31:25 +0200 Fabian Fäßler <fabi at fabif.de> wrote:
> But then he told me that in the networking environment you have to
> think in parallel and the LANGSEC idea is probably very different in
> such an environment. He was talking about the Switches and Routers,
> which have dozens of cables to process packets in parallel
> (forwarding, rerouting or setting up internal databases). So
> basically you have independent automata interacting with each other
> through messages.

having looked at one or two routers in my life, I strongly disagree
with your supervisor's view. 

People writing code in the OSI Layer 2 and 3 worlds, specifically
router vendors, focus solely on "line speed", meaning how much packet
data can they forward per unit of time (while I think the term is more
telling about certain practices in marketing departments of said
vendors).

They use the performance argument to justify their shotgun parsers.
While a perfect 802.2 Ethernet switch is a single pellet shotgun parser
(reads 6 bytes at fixed offset), it doesn't mean that all other code is
fine doing the same, just because it's in network equipment. Look at
the nightmare that is IPv6 RA guard and extension headers. This is the
result of people ignoring the message of full recognition before
processing. Sure it's slower, but there is no big router I know where
you even have the choice. They all try to put more pellets in their
shotgun parser shells and hope to hit something. Since this is bound to
fail, there is a debate about disallowing extension headers from IPv6
ICMP, meaning the spec is modified because the shotgun is not working.

What your supervisor probably thinks of is the current reality: You
watch as many shotguns as you have interfaces going off at more or less
the same time. Now go and try to make sense of the packet splatter in your
IO memory. If you do it wrong, doing it in parallel rarely makes it
better.

I'm sure that parallel automata are a very interesting topic, but I
don't think they apply in this case (please correct me if I'm wrong).
Once a full recognition is completed, you will have a nice and
ordered list of packets/frames received that you can perform your
processing on - and only valid packets they are.

cheers
FX

-- 
Recurity Labs GmbH           | Felix 'FX' Lindner 
http://www.recurity-labs.com | fx at recurity-labs.com 
Wrangelstrasse 4             | Fon: +49 30 69539993-0
10997 Berlin                 | PGP: A740 DE51 9891 19DF 0D05  
Germany                      |      13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
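An added illustration of the "full recognition before processing" point above as it applies to RA guard (example code written for this archive page, not FX's or any vendor's implementation): the fixed-offset check loses sight of a Router Advertisement as soon as one extension header precedes it, while a recognizer that walks the whole chain and fails closed on anything it cannot parse classifies both the same way. The packets are constructed inline; only Hop-by-Hop, Routing, Destination Options and Fragment headers are handled, and the ICMPv6 checksum is not verified.

```python
import struct

# Next-header values from RFC 8200 / RFC 4443.
HOPOPT, ROUTING, FRAGMENT, DSTOPT, ICMPV6 = 0, 43, 44, 60, 58
VARIABLE_LEN_EXT = {HOPOPT, ROUTING, DSTOPT}  # 8 * (hdr_ext_len + 1) bytes long
RA_TYPE = 134                                 # ICMPv6 Router Advertisement

def shotgun_is_ra(pkt: bytes) -> bool:
    """Fixed-offset 'pellet' check: next header at byte 6, ICMPv6 type at
    byte 40. Any extension header in between moves the RA out of its sights."""
    return len(pkt) >= 41 and pkt[6] == ICMPV6 and pkt[40] == RA_TYPE

def recognize_ipv6(pkt: bytes):
    """Walk the entire header chain before deciding anything. Returns
    (upper_layer_protocol, upper_layer_bytes); raises ValueError for any
    chain that cannot be fully recognized (fail closed, never guess)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if 40 + payload_len > len(pkt):
        raise ValueError("truncated packet")
    pkt = pkt[:40 + payload_len]              # drop link-layer padding, if any
    nh, off = pkt[6], 40
    while nh in VARIABLE_LEN_EXT or nh == FRAGMENT:
        if nh == FRAGMENT:
            # The upper-layer header may live in another fragment, so no
            # per-packet decision is possible (cf. RFC 6980 for ND messages).
            raise ValueError("fragmented packet cannot be recognized")
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header length overruns packet")
        nh, off = pkt[off], off + hlen
    return nh, pkt[off:]

def recognized_is_ra(pkt: bytes) -> bool:
    nh, upper = recognize_ipv6(pkt)
    return nh == ICMPV6 and len(upper) >= 16 and upper[0] == RA_TYPE

# --- constructed sample packets (not captured traffic) ---------------------
def _ipv6(nh: int, payload: bytes) -> bytes:
    src = bytes([0xfe, 0x80]) + bytes(13) + bytes([1])   # fe80::1
    dst = bytes([0xff, 0x02]) + bytes(13) + bytes([1])   # ff02::1
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + src + dst + payload

RA = bytes([RA_TYPE, 0]) + bytes(14)                   # type 134, code 0, rest zeroed
DSTOPT_HDR = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])      # next=58, len=0, one PadN option
PKT_PLAIN = _ipv6(ICMPV6, RA)                          # RA right after the base header
PKT_HIDDEN = _ipv6(DSTOPT, DSTOPT_HDR + RA)            # same RA behind Destination Options
PKT_BROKEN = _ipv6(DSTOPT, bytes([ICMPV6, 7]) + bytes(6))  # claims 64-byte header in 8 bytes
```

`shotgun_is_ra` returns True only for `PKT_PLAIN`; `recognized_is_ra` returns True for both `PKT_PLAIN` and `PKT_HIDDEN`, and `recognize_ipv6` rejects `PKT_BROKEN` instead of reading past the packet.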

