[babel] HMAC Key rotation key format (was ripemd)
Dave Taht <dave.taht@gmail.com> Mon, 26 November 2018 14:21 UTC
MIME-Version: 1.0
References: <CAA93jw5fHRm21yEJsabiiOF1ZP7Zh3M_gEgRo0imBOpRGhf0qA@mail.gmail.com> <87in0koun6.wl-jch@irif.fr> <87in0kx98o.fsf@toke.dk> <CAA93jw5gaYgyUX-ABX156_TnFX25Sy5SLyuRgd28fMLfRW4UHA@mail.gmail.com> <871s78x7z0.fsf@toke.dk>
In-Reply-To: <871s78x7z0.fsf@toke.dk>
From: Dave Taht <dave.taht@gmail.com>
Date: Mon, 26 Nov 2018 06:21:26 -0800
Message-ID: <CAA93jw6268QC1kmHEasJ-FbyXL_mgfQc_C-6cdksHd02ceb2Kw@mail.gmail.com>
To: Toke Høiland-Jørgensen <toke@toke.dk>
Cc: Juliusz Chroboczek <jch@irif.fr>, babel-users <babel-users@lists.alioth.debian.org>, Babel at IETF <babel@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/0Xjh3qwdPBEk4SSubLf8ckLm9_I>
Subject: [babel] HMAC Key rotation key format (was ripemd)
To me, this leaves key rotation as the biggest remaining problem. Me being me, and remembering just how hard it was to get dnssec working on systems lacking reliable time, I worry about that part.

What we settled on for dnsmasq-dnssec was to write the current time to flash every day (or few hours), boot up without dnssec enabled long enough to get an ntp server... and rely on key rollover taking hours or days to *usually* get a correct result. RTCs with batteries are usually not included. That's still fragile (imagine a power failure lasting days, or a box being down for several days for repair. It happens).

In the case of routing... if you don't have the correct time... and you can't get a route so you can get the correct time from ntp... then what? Do we make GPSes MTI also?

Setting that aside for the moment, having a standardized file format for babel keys would be a boon and would boost interoperability between bird/babel and other possible implementations. You would merely declare a key name in the main conf for bird or babel, and reference it in a separate file with a format like this:

KEY START_DATE END_DATE TYPE VALUE

name\wrfc3339\wrfc3339\wsha256|blake2s\wvalue

https://tools.ietf.org/html/rfc3339

Administrators would push out this one standard format file to routers, strongly suggesting that UTC times be used universally and that key rollover should be staged over hours or days lest connectivity be lost. Other sanity checks, like ensuring there is some form of persistent and correct time on routers using authentication, are also needed.

Alternatives might include certs and other stuff that bears drinking about.

-- 
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
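The proposed `KEY START_DATE END_DATE TYPE VALUE` layout, with a staged rollover driven by overlapping validity windows, is concrete enough to exercise. The following is an added example written for this page, not code from babeld, bird or anyone in the thread. It assumes a hypothetical file layout of five whitespace-separated fields, that `sha256` means HMAC-SHA256 and `blake2s` means keyed BLAKE2s, that a sender uses the most recently started key that is currently valid while a receiver accepts any currently valid key, and the key names `k2018`/`k2019` and their hex secrets are constructed sample data.

```python
"""Parser and rollover logic for the key file layout sketched in the message:

    KEY START_DATE END_DATE TYPE VALUE

Added example with a hypothetical format; not babeld's or bird's actual
config syntax. The TYPE-to-MAC mapping (HMAC for sha256, native keyed
mode for blake2s) is likewise an assumption of this example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

ALGOS = ("sha256", "blake2s")

# Constructed sample key file. The two validity windows overlap for two
# days so a staged rollover has a window in which both keys verify.
SAMPLE_KEYFILE = """\
# name   start                 end                   type     value
k2018    2018-01-01T00:00:00Z  2018-12-03T00:00:00Z  sha256   0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
k2019    2018-12-01T00:00:00Z  2019-12-01T00:00:00Z  blake2s  fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""


@dataclass(frozen=True)
class Key:
    name: str
    start: datetime   # inclusive, UTC
    end: datetime     # exclusive, UTC
    algo: str
    secret: bytes


def parse_rfc3339(text):
    """Parse an RFC 3339 timestamp and normalise it to UTC; reject offset-less times."""
    if text.endswith("Z"):          # fromisoformat() before 3.11 rejects a trailing 'Z'
        text = text[:-1] + "+00:00"
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:           # a naive time would depend on the router's local zone
        raise ValueError("timestamp lacks a UTC offset: %s" % text)
    return ts.astimezone(timezone.utc)


def parse_keyfile(text):
    """Return keys in file order; reject duplicate names, unknown types, bad windows."""
    keys, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment (assumption)
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError("line %d: expected 5 fields, got %d" % (lineno, len(fields)))
        name, start, end, algo, value = fields
        if name in seen:
            raise ValueError("line %d: duplicate key name %s" % (lineno, name))
        if algo not in ALGOS:
            raise ValueError("line %d: unsupported type %s" % (lineno, algo))
        key = Key(name, parse_rfc3339(start), parse_rfc3339(end), algo, bytes.fromhex(value))
        if key.end <= key.start:
            raise ValueError("line %d: END_DATE must be after START_DATE" % lineno)
        seen.add(name)
        keys.append(key)
    return keys


def active_keys(keys, now):
    return [k for k in keys if k.start <= now < k.end]


def mac(key, message):
    if key.algo == "sha256":
        return hmac.new(key.secret, message, hashlib.sha256).digest()
    return hashlib.blake2s(message, key=key.secret).digest()   # key must be <= 32 bytes


def sign(keys, message, now):
    """Sender: use the most recently started key that is valid now."""
    active = active_keys(keys, now)
    if not active:      # the "no correct time, no route" corner: nothing can be sent
        raise LookupError("no key valid at %s" % now.isoformat())
    key = max(active, key=lambda k: k.start)
    return key.name, mac(key, message)


def verify(keys, message, tag, now):
    """Receiver: accept any key valid now, so overlapping windows bridge a rollover."""
    for key in active_keys(keys, now):
        if hmac.compare_digest(mac(key, message), tag):
            return key.name
    return None


def rollover_demo():
    """Which key signs, and which keys are accepted, before/during/after the overlap."""
    keys = parse_keyfile(SAMPLE_KEYFILE)
    message = b"constructed babel packet body"
    result = {}
    for label, when in (("before", "2018-11-26T14:21:26Z"),
                        ("overlap", "2018-12-02T00:00:00Z"),
                        ("after", "2018-12-10T00:00:00Z")):
        now = parse_rfc3339(when)
        signer, _ = sign(keys, message, now)
        result[label] = (signer, [k.name for k in active_keys(keys, now)])
    return result


if __name__ == "__main__":
    for label, (signer, accepted) in rollover_demo().items():
        print("%-8s signs with %s, accepts %s" % (label, signer, accepted))
```

Every decision above hinges on `now` being right, which is exactly the weakness the message raises: a router whose clock is wrong lands outside every window, `active_keys` comes back empty, and `sign` has nothing to send with. A receiver whose clock is behind also rejects a tag made with a key it does not yet consider valid, which is why the overlap in the sample file is days rather than minutes.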
- [babel] rather than ripemd160... Dave Taht
- Re: [babel] rather than ripemd160... Juliusz Chroboczek
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- [babel] HMAC and MTI [was: rather than ripemd160.… Juliusz Chroboczek
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- Re: [babel] HMAC and MTI [was: rather than ripemd… Markus Stenberg
- Re: [babel] HMAC and MTI [was: rather than ripemd… Toke Høiland-Jørgensen
- [babel] HMAC Key rotation key format (was ripemd) Dave Taht
- Re: [babel] HMAC and MTI [was: rather than ripemd… Juliusz Chroboczek
- Re: [babel] HMAC Key rotation key format (was rip… Mahesh Jethanandani
- Re: [babel] [Babel-users] rather than ripemd160... STARK, BARBARA H
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- Re: [babel] HMAC Key rotation key format (was rip… Toke Høiland-Jørgensen
- Re: [babel] HMAC Key rotation key format (was rip… Dave Taht
- Re: [babel] HMAC Key rotation key format (was rip… Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] rather than ripemd160... David Schinazi
- Re: [babel] [Babel-users] HMAC Key rotation key f… David Schinazi
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] rather than ripemd160... Juliusz Chroboczek
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] rather than ripemd160... David Schinazi
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- [babel] DTLS and hmac co-existence Dave Taht
- Re: [babel] [Babel-users] DTLS and hmac co-existe… David Schinazi
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] HMAC Key rotation key f… Dave Taht
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] DTLS and hmac co-existe… Dave Taht
- Re: [babel] [Babel-users] HMAC Key rotation key f… Ted Lemon
- Re: [babel] [Babel-users] rather than ripemd160... Markus Stenberg
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- [babel] Blake2S, blake2B or neither? [was: rather… Juliusz Chroboczek
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Toke Høiland-Jørgensen
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Markus Stenberg
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Juliusz Chroboczek
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Toke Høiland-Jørgensen
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Juliusz Chroboczek
- Re: [babel] [Babel-users] Blake2S, blake2B or nei… Dave Taht
- Re: [babel] [Babel-users] HMAC Key rotation key f… Juliusz Chroboczek
- Re: [babel] HMAC Key rotation key format (was rip… Juliusz Chroboczek
- Re: [babel] HMAC Key rotation key format (was rip… Dave Taht
- Re: [babel] HMAC Key rotation key format (was rip… Markus Stenberg