[RFC] IMA Log Snapshotting Design Proposal - network bandwidth

Paul Moore paul at paul-moore.com
Thu Sep 7 20:40:16 UTC 2023


On Wed, Sep 6, 2023 at 4:21 PM Ken Goldman <kgold at linux.ibm.com> wrote:
> On 9/1/2023 5:20 PM, Tushar Sugandhi wrote:
> > On 8/30/23 11:06, Ken Goldman wrote:
> >> On 8/1/2023 3:12 PM, Sush Shringarputale wrote:
> >>> In addition, a large IMA log can add pressure on the network bandwidth
> >>> when the attestation client sends it to remote-attestation-service.
> >>
> >> I would not worry too much about network bandwidth.
> > Our bandwidth concerns are about scaled-out systems.
> >
> > When IMA log size increases in the range of megabytes, and when the
> > number of client devices increases, it makes an impact on the overall
> > network bandwidth.
>
> It should not, because the client only sends new measurements.  It only
> sends the entire list once per boot.
>
> Does a megabyte matter in a modern network? As for overall performance,
> a megabyte may take 10 msec, while the TPM quote could take 1000 msec,
> and verifier hash and asymmetric signature checks are also slower.

I think there are two issues here: the first is the attestation
methodology, the second is simply the size of the deployment.

There is rarely just one answer to a question, and in the case of
remote attestation I believe that holds true.  Sending some delta of
measurements to a remote node performing attestation does reduce the
amount of network traffic, but it does add an additional burden of
state tracking to the attestation node.  Sending the full measurement
log decreases this tracking burden, but it does result in more network
traffic.  Arguably the "best" choice is likely going to be dependent
on a number of complex factors including the size and complexity of
the deployment.

However, the snapshotting work is not about managing network traffic,
it is about mitigating an unbounded memory buffer that has been
causing problems in at least one real-world deployment.  The IMA
measurement log snapshot is designed to allow an admin, or some other
privileged entity, to checkpoint the log and trim the old entries in
such a way as to preserve the ability to perform a meaningful
attestation without having to maintain the entire measurement log in a
memory buffer.

-- 
paul-moore.com
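
Added example, not part of the original message or of the IMA snapshot proposal: a simplified model of the delta-versus-full-log trade-off discussed above, showing the per-client state a verifier must keep to accept deltas and why a saved PCR value can stand in for trimmed entries. Assumptions: a SHA-256 extend chain, the quoted PCR value passed in directly rather than taken from a signed TPM quote, and hypothetical names (Verifier, verify_full, verify_delta, replay).

```python
import hashlib

def extend(pcr: bytes, template_hash: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + template_hash).digest()

def replay(entries, start=bytes(32)):
    """Fold a list of measurement digests into a PCR value, starting from `start`."""
    pcr = start
    for digest in entries:
        pcr = extend(pcr, digest)
    return pcr

class Verifier:
    """Hypothetical attestation node; `state` is the tracking burden of deltas."""
    def __init__(self):
        self.state = {}  # client id -> (entries already verified, PCR after them)

    def verify_full(self, client, log, quoted_pcr):
        # Stateless check: replay everything from the boot-time zero PCR.
        ok = replay(log) == quoted_pcr
        if ok:
            self.state[client] = (len(log), quoted_pcr)
        return ok

    def verify_delta(self, client, first_index, delta, quoted_pcr):
        # Stateful check: the delta must start exactly where we left off.
        seen, pcr = self.state.get(client, (0, bytes(32)))
        if first_index != seen:
            return False  # gap or overlap: the full log is needed instead
        ok = replay(delta, pcr) == quoted_pcr
        if ok:
            self.state[client] = (seen + len(delta), quoted_pcr)
        return ok

def demo():
    # Constructed sample measurements, not real IMA template hashes.
    log = [hashlib.sha256(f"file-{i}".encode()).digest() for i in range(6)]
    v = Verifier()
    results = {"full": v.verify_full("node-a", log[:4], replay(log[:4]))}
    results["delta"] = v.verify_delta("node-a", 4, log[4:], replay(log))
    # A verifier that lost its state cannot validate the same delta on its own.
    results["no_state"] = Verifier().verify_delta("node-a", 4, log[4:], replay(log))
    # Assumed snapshot model: the PCR value at entry 4 replaces the trimmed entries.
    results["snapshot"] = replay(log[4:], start=replay(log[:4])) == replay(log)
    return results

if __name__ == "__main__":
    print(demo())
```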


