IETF Logo Mail Archive

Re: [babel] [Babel-users] Babel MAC auth fails due to packet reordering

Juliusz Chroboczek <jch@irif.fr> Fri, 06 May 2022 20:15 UTC

Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48AA7C157B32 for <babel@ietfa.amsl.com>; Fri, 6 May 2022 13:15:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mmJCe19LEREL for <babel@ietfa.amsl.com>; Fri, 6 May 2022 13:15:15 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 943F5C14F72D for <babel@ietf.org>; Fri, 6 May 2022 13:15:14 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id 246KF8dG006250; Fri, 6 May 2022 22:15:08 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 0FDD8EA158; Fri, 6 May 2022 22:15:08 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id K_U1QrD4sPCs; Fri, 6 May 2022 22:15:06 +0200 (CEST)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 330DDEA155; Fri, 6 May 2022 22:15:06 +0200 (CEST)
Date: Fri, 06 May 2022 22:15:06 +0200
Message-ID: <87mtfufmet.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: babel-users@alioth-lists.debian.net
CC: babel@ietf.org, Toke Høiland-Jørgensen <toke@toke.dk>, Daniel Gröber <dxld@darkboxed.org>
In-Reply-To: <874k233pwi.fsf@toke.dk>
References: <20220505085059.mxbt3ssvryxw4doh@House> <87ilqj52bz.fsf@toke.dk> <20220506034354.kpj3rwkyw7rj2oe3@House> <874k233pwi.fsf@toke.dk>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.1 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Fri, 06 May 2022 22:15:08 +0200 (CEST)
X-Miltered: at korolev with ID 627581CC.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 627581CC.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 627581CC.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/13yN7OAFaoZpSBb7gH2lqB5a21E>
Subject: Re: [babel] [Babel-users] Babel MAC auth fails due to packet reordering
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 May 2022 20:15:17 -0000

CC-ing babel@ietf.  List, Daniel has reported that multicast packets are
delayed in his network by up to 200ms, which breaks Babel-MAC's PC check.
Toke has determined that the issue is with WiFi powersave, which is
unfortunately not something we can control.  Toke has proposed a patch
against his implementation of Babel that implements window-based PC
validation, in the style of RFC 4303 Section 3.4.3.

> I took a shot at implementing window-based PC verification in Bird,
> patch below (compile-tested only);

That should work, although I fear that a window size of 64 is not enough,
especially since RFC 8967 Section 4.2 allows increasing the PC by more
than one.  So we'd either need to remove that latitude from the spec, or
require the use of a more complicated data structure.

But I've been thinking the issue is that we require a single strictly
monotonic sequence of PCs that mixes up unicast and multicast packet.
What about relaxing the requirement so that the sequence of unicast
packets is monotonic, the sequence of multicast packets is monotonic, but
the two sequences can grow independently?  This will still prevent replay:
a unicast packet won't be possibly replayed as unicast, due to the
monotonicity condition, and it cannot be replayed as multicast, since the
MAC covers the pseudo-header

More precisely, I propose that we maintain two distinct "last PC" fields
in the neighbour table, called PCu and PCm.  These behave as follows:

  - when we receive a challenge reply, we set both PCu and PCm to the
    value received in the challenge reply;
  - when we receive a normal packet, we compare its PC against *either*
    PCu or PCm, depending on whether it's unicast or multicast;
  - if the packet is accepted, we update *either* PCu or PCm, leaving the
    other value unchanged.

(We could generalise that to having one PC value per destination address,
but I'm not sure it's useful.)

-- Juliusz

v2.23.0 | Report a Bug | By Email