Thread Links | Date Links | ||||
---|---|---|---|---|---|
Thread Prev | Thread Next | Thread Index | Date Prev | Date Next | Date Index |
Marek,
Designing chips for full functionality at extreme corner-case configurations would make them enormously expensive. At the same time, these chips may never get deployed in such extreme corner case configurations.
For that reason, a lot of resources in chips are designed as common sharable pools. Think about queue memory, MAC learning table, pool of shapers, table of rules, etc. Different users (operators) can decide whether to spread these resources wider and more thinly or narrower and deeper. That is why the spec has statements like this in many places: “The ONU shall respond with the “Insufficient Resources” code <…> to a request to add a new service port entity if the queues <…> cannot be allocated.” Same is with key memory. Why should the spec require a huge on-chip memory for 512 ONUs if in 99% of cases, operator will only use 64 or 128 ONUs?
On the other hand, to be fair, compared to other constrained resources, the key memory may not be the most critical. After all, 25G-EPON requires much fewer keys than the 10G-EPON, because instead of key per every LLID, now we only need a key per ONU and a key per multicast LLID. So, let’s scratch that argument that the key memory will be a limiting factor.
Even without the key memory argument, I feel very uneasy to burn the AES-128 bridge and only support AES-256. What if an operator doesn’t have the rest of infrastructure that is needed to support 256-bit keys?
I really don’t understand the argument for specifically precluding the 128 bit keys. I am usually enthusiastically in favor of simplified specifications and not carrying forward any obsolete baggage. But this is different -- AES-128 is not yet obsolete. If the OLT is going to support a mix of 10G-EPON ONUs and 25G-EPON ONUs, the AES-128 will be supported by the chip anyway. The only difference between the 1904.4 supporting and not supporting AES-128 comes to whether we define an attribute for key size selection or not. In other words, the restriction of AES-128 in 25G mode is entirely artificial, and as such, it will only incentivize a vendor to offer the AES-128 at 25G as a proprietary option, contrary to the goals of the standard.
Also, since encryption at the network layer is done on per-hop basis, the fact that older network segments use no encryption or weaker encryption schemes should not preclude us from using stronger encryption. I think we should level up, not down, in terms of security, especially if we can help it. I agree with this line of thinking by an operator when it plans a deployment and develops the default configuration for the OLT and ONUs. But having an AES-128 as one of the options does not preclude an operator from using a stronger encryption. If the operator has no any technical or regulatory reasons to use AES-128, then they will configure and use AES-256. But if there are any such reasons, the operator will use AES-128, whether it is part of the standard or proprietary option. Or maybe this would be seen as an incentive to switch to a different PON standard that does formally support AES-128.
Glen
From: Marek Hajduczenia <mxhaj79@xxxxxxxxx>
Glen, I do not know how much the 128b vs 256b selection would impact the OLT implementation cost. You would be better positioned to speak what relative cost increase that would result in on the OLT and ONU side. I would point out, that the need to support both 256b and 128b keys does not lower the memory requirement because you'd still need to support the same number of LLIDs per OLT, irrespective. I do not think the solution like "with 128b keys, we support X LLIDs, with 256b keys, we support X/2 LLIDs" would be really viable as a marketable solution. Operators will expect the same number of LLIDs, irrespective of the key size, at which time, memory demand is the same, ergo the argument on memory saving will not hold then. As far as the other argument goes - OTT encryption schemes change key size easily, since they are software based, so the fact that most encryption schemes use 128b keys today will not hold true likely in 2-3 years. PON implementation has to last much longer, IMHO, so it is likely that we will see 256b and likely longer encryption keys for OTT services. Also, since encryption at the network layer is done on per-hop basis, the fact that older network segments use no encryption or weaker encryption schemes should not preclude us from using stronger encryption. I think we should level up, not down, in terms of security, especially if we can help it. regards Marek On 3/22/23 17:34, Glen Kramer wrote:
To unsubscribe from the STDS-1904-4-TF list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-1904-4-TF&A=1 To unsubscribe from the STDS-1904-4-TF list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-1904-4-TF&A=1 |
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature