sks-devel

Re: hockeypuck recommended key size limit setting?


From: Iñaki Arenaza
Subject: Re: hockeypuck recommended key size limit setting?
Date: Wed, 15 Jun 2022 18:30:55 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi Steffen,

the limit you are seeing there is for individual packets[1] inside a
key. There is a separate configurable limit for the whole key size
(which is 1 MB in the configuration used by default with the
docker-compose setup).

I use the default limits in my HockeyPuck server and I also see a lot of
such warnings (and also for oversized keys). In many cases such big
packets are from images embedded in the keys. As those are not used by
HockeyPuck or SKS at all, many operators decide to discard them. And of
course it also helps with some types of key spam attacks[2].

[1] See https://datatracker.ietf.org/doc/html/rfc4880#section-4.1 for
the meaning of packet in this context.
[2] 
https://github.com/hockeypuck/hockeypuck/wiki/HIP-1:-Regaining-control-over-public-key-identity-with-authenticated-key-management#summary-of-the-key-spam-problem

Best regards,
Iñaki.

On Wed, Jun 15 2022, Steffen Kaiser wrote:

> On 15.06.22 13:33, Steffen Kaiser wrote:
>> On 30.05.22 22:09, Steffen Kaiser wrote:
>> 
> Dear list,
>> 
>> after some other issues and some testing of
>> https://deb.cyberbits.eu/hockeypuck/, I'll give Hockeypuck a try.
>
> I see lots of
>
> level=warning msg="dropped packet" length=16471 max=8192
>
> which is a key exceeding the limit of 8KB, if I'm not mistaken.
>
> What limit does the list recommend for a "pool" server? In the last 3h more
> than 2500 keys seem to be ignored.
>
> Kind regards,
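
Added example, not part of the original message and not Hockeypuck's own code: a sketch that walks the RFC 4880 packet headers of a binary (non-armored) key and lists the packets whose body exceeds a per-packet limit such as the max=8192 in the warning above. It assumes the limit is compared against the packet body length; the function names are hypothetical and the sample key is constructed filler.

```python
# Added example: walks RFC 4880 packet headers; not Hockeypuck code.
import struct

TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id",
             14: "public-subkey", 17: "user-attribute"}

def iter_packets(data):
    """Yield (tag, body_length) for each OpenPGP packet in binary key data."""
    pos = 0
    while pos < len(data):
        first, pos = data[pos], pos + 1
        if not first & 0x80:
            raise ValueError("bit 7 of a packet tag octet must be set")
        if first & 0x40:                      # new-format header
            tag = first & 0x3F
            o1 = data[pos]
            if o1 < 192:                      # one-octet length
                length, pos = o1, pos + 1
            elif o1 < 224:                    # two-octet length
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:                   # five-octet length
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:                             # 224..254: partial body length
                raise ValueError("partial body lengths are not handled here")
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                    # indeterminate: runs to end of data
                length = len(data) - pos
            else:
                size = 1 << ltype             # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, length
        pos += length

def oversized(data, max_len=8192):
    """Return (tag name, body length) for packets whose body exceeds max_len."""
    return [(TAG_NAMES.get(t, f"tag-{t}"), n)
            for t, n in iter_packets(data) if n > max_len]

def new_packet(tag, body):
    """Build a new-format packet with a five-octet length (sample data only)."""
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", len(body)) + body

# Constructed sample: filler bodies, not real key material.
SAMPLE = (new_packet(6, b"\x00" * 269) + new_packet(13, b"Test <test@example.org>")
          + bytes([0x89, 0x01, 0x33]) + b"\x00" * 0x133   # old-format signature
          + new_packet(17, b"\x00" * 16471))              # image-sized attribute
```

Calling `oversized(SAMPLE)` reports only the user-attribute packet, the packet type that carries embedded images.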
