Some ASN.1 compilers have had some bugs; however, this does not indicate that
ASN.1 is bug prone. Just the opposite: Once you have a secure compiler, you can
be assured that certain kinds of bugs don't exist.
Further, in the few cases of the bugs that were found, once the bug is fixed in
the ASN.1 compiler, the application just needs to be relinked (or given a new
shared library) with the new generated runtime. And any other application which
used a vulnerable runtime, but for which the vulnerability was unknown, is also
fixed. So, users of compiled runtimes benefit from usage experience by the
entire group.
Building tools that make trustable runtimes is a good approach to certain
classes of security problems. You can't get this by hand-written protocol
encode/decode layers.
--Dean
On Mon, 5 Jun 2006, Iljitsch van Beijnum wrote:
I was wondering:
What is considered best practice for encoding data in protocols
within the IETF's purview?
Traditionally, many protocols use text but obviously this doesn't
really work for protocols that carry a lot of data, because text
lacks structure so it's hard to parse. XML and the like are text-
based and structured, but take huge amounts of code and processing
time to parse (especially on embedded CPUs that lack the more
advanced branch prediction available in the fastest desktop and
server CPUs). Then there is the ASN.1 route, but as we can see with
SNMP, this also requires lots of code and is very (security) bug
prone. Many protocols use "hand crafted" binary formats, which has
the advantage that the format can be tailored to the application but
it requires custom code for every protocol and it's hard to get
right, especially the simplicity/extendability tradeoff.
The ideal way to encode data would be a standard that requires
relatively little code to implement, makes for small files/packets
that are fast to process but remains reasonably extensible.
So, any thoughts? Binary XML, maybe?
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000