IETF Logo Mail Archive

Re: [babel] [Babel-users] Babel MAC auth fails due to packet reordering

Toke Høiland-Jørgensen <toke@toke.dk> Sat, 07 May 2022 11:23 UTC

Return-Path: <toke@toke.dk>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA9AC1594B8 for <babel@ietfa.amsl.com>; Sat, 7 May 2022 04:23:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=toke.dk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HLq9-eewzXlN for <babel@ietfa.amsl.com>; Sat, 7 May 2022 04:23:14 -0700 (PDT)
Received: from mail.toke.dk (mail.toke.dk [IPv6:2a0c:4d80:42:2001::664]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CC2FC157B33 for <babel@ietf.org>; Sat, 7 May 2022 04:23:12 -0700 (PDT)
From: Toke Høiland-Jørgensen <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1651922587; bh=/25MBJzMEZ+EopjUe40pO3s5be0ubUmLxdd2eilyHGM=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=FvKJVGKoCAEFlNik7tHnm+7Dthgn0ywr4st+m6Kcl/LRdiDcYIsjC7pkC+6hKI00q dF7jItZl9daSBcrL2H7e3SEzPEjBxuSFCQi81ZY+y+nxw8aV/t5l/gsxYJbNwQJuFw 5ppYT9Q773VZ6CQID7EuRXcky513k0jI0Z1+m95EVJfOa8zHcNGFxUp+sxak8jMzFB plSFvidf8XVT5tjScVZJprbMUT7Dk4c42Yc7XlZHVjmkyZH/4RbHaSMtOhpQyoPZE+ YZRPjKn2B8QsyK3Qx5DvjMq7nN5X3v88TXS5CzlyVKSZLj5d5cRctwCoI2+oQL1fAy 5tG9Wkte8m8LQ==
To: Juliusz Chroboczek <jch@irif.fr>
Cc: babel-users@alioth-lists.debian.net, babel@ietf.org, Daniel Gröber <dxld@darkboxed.org>
In-Reply-To: <87czgqfb6m.wl-jch@irif.fr>
References: <20220505085059.mxbt3ssvryxw4doh@House> <87ilqj52bz.fsf@toke.dk> <20220506034354.kpj3rwkyw7rj2oe3@House> <874k233pwi.fsf@toke.dk> <87mtfufmet.wl-jch@irif.fr> <87wney1aw7.fsf@toke.dk> <87czgqfb6m.wl-jch@irif.fr>
Date: Sat, 07 May 2022 13:23:07 +0200
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <87sfpl1t9g.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/0BbzdM6QeQELDdwY2-iDyKnUlN8>
Subject: Re: [babel] [Babel-users] Babel MAC auth fails due to packet reordering
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 May 2022 11:23:18 -0000

Juliusz Chroboczek <jch@irif.fr> writes:

>> Hmm, I certainly see where you're coming from; having separate sequence
>> numbers for unicast/multicast would neatly sidestep this particular
>> problem. However, one problem with this is that it's not straight-forwardly
>> backward compatible.
>
> No, no sender changes.  Just receiver changes.
>
> The sender still sends packets in a single sequence.  The receiver,
> however, makes a more relaxed check on the received packet: it merely
> checks that the received PC has a larger value than that received in the
> last packet *of the same type*.
>
> In other words, the receiver is checking that unicast packets come in
> ascending order, and that multicast packets come in ascending order.  It
> does not verify the relative ordering of unicast vs. multicast.

Ah, I see! Okay, that makes sense. Also, it occurred to me that the
window-based approach likely isn't enough when there are multiple
neighbours and you do unicast updates, as then another neighbour can eat
up a whole chunk of PC number space that you never see.

However, what about other sources of reordering? Should we still do
window-based verification to deal with this?

Also, I guess this could all be described in a "relaxed PC verification
to deal with reordering" document that could be optional to implement
(i.e., you could still be compliant with RFC 8967 if you don't implement
it)?

>> As for the size of the window (setting aside the case where an
>> implementation increases the PC by more than one for every packet), I
>> guess we'd need it to be large enough to contain a full routing table
>> dump. A window of 64 packets can fit several thousand routes even in the
>> worst case with no compression;
>
> Expect on the order of 60 routes per packet. 64 packets gives you on
> the order of 3800 routes.

Right. Which is a lot for a local mesh network, but not a lot for the
internet. Do you have any insights into typical sizes of real-world
babel deployments in terms of the number of routes?

-Toke

v2.23.0 | Report a Bug | By Email