Re: [babel] Roman Danyliw's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)
Juliusz Chroboczek <jch@irif.fr> Fri, 16 August 2019 22:53 UTC
Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8E7A120113; Fri, 16 Aug 2019 15:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tse5IuSDlE10; Fri, 16 Aug 2019 15:53:37 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 696211200F8; Fri, 16 Aug 2019 15:53:37 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id x7GMrPoL030379; Sat, 17 Aug 2019 00:53:25 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 93C9D57422; Sat, 17 Aug 2019 00:53:28 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id BcgLTXYFdts4; Sat, 17 Aug 2019 00:53:27 +0200 (CEST)
Received: from pirx.irif.fr (82-64-141-196.subs.proxad.net [82.64.141.196]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id E826F57420; Sat, 17 Aug 2019 00:53:22 +0200 (CEST)
Date: Sat, 17 Aug 2019 00:53:23 +0200
Message-ID: <87blwoiuxo.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Roman Danyliw <rdd@cert.org>
Cc: Donald Eastlake <d3e3e3@gmail.com>, "babel-chairs@ietf.org" <babel-chairs@ietf.org>, The IESG <iesg@ietf.org>, "babel@ietf.org" <babel@ietf.org>, "draft-ietf-babel-hmac@ietf.org" <draft-ietf-babel-hmac@ietf.org>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B3402CA5@marchand>
References: <156520650683.8432.7109781814790904901.idtracker@ietfa.amsl.com> <87v9v7wyzz.wl-jch@irif.fr> <359EC4B99E040048A7131E0F4E113AFC01B3402CA5@marchand>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Sat, 17 Aug 2019 00:53:26 +0200 (CEST)
X-Miltered: at korolev with ID 5D5733E5.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5D5733E5.001 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5D5733E5.001 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/3KoOXI-R_DXWxi8a9cxjw0bUuCw>
Subject: Re: [babel] Roman Danyliw's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2019 22:53:40 -0000
> Ah, I see it now in Section 4.3 Thanks for the pointer. This text > explains the issues of around keys processing. I couldn't explicitly > find text explaining when multiple HMAC TLVs should be sent. Where > should I be looking? Section 5 (key rotation), formerly Appendix A: In order to perform key rotation, the new key is added to all the nodes; once this is done, both the old and the new key are sent in all packets, and packets are accepted if they are properly signed by either of the keys. At that point, the old key is removed. >> I'm leaving this sentence as is -- after trying it out, I don't think that >> mentioning the small amount of state caused by reception of a UDP packet >> (an ND entry) is informative. > I'm not tracking. "Whatsoever" is an absolute statement. By all means > caveat the sentence by saying no local Babel state (or something to that > effect). Done. >>> (8) Section 1. Per the “spoof of a malformed packet”, how would an >>> HMAC address this? Even assuming that a node discards the message >>> without processing if the HMAC is bad, this would still be a problem >>> from a malicious peer. >> Please explain. > The initial situation I had in mind was if there was a compromised Babel > node. It will have the key to produce a valid HMAC on the crafted > packet to cause the peer Babel node to process the packet. Yes, this protocol assumes that only honest nodes know the secret key. We make no guarantees, not even of any kind, if you've lost your keys. > Another situation which would not involve a malicious Babel node with > the key is a node running a buggy Babel implementation. Imagine this > implementation has some kind of (buffer overflow) vulnerability in the > routines which parses the packet payload to find the HMAC TLV. In the > worst circumstance, this could hypothetically compromise the Babel node > even before the code to verified HMAC and choose to discard the packet > or not is made. Yes, it could. That is the reason why HMAC keys sit in the packet trailer rather than in the packet body: you may use a simplified parser that is only able to parse the packet trailer. This parser does not modify any global state, it does not modify the packet (there's no need to clear the MAC before recomputing it), and it just returns one bit of information. You are expected to vet this specialised parser very carefully, or even run it out-of-process. This was debated by the WG; however, once both Toke (BIRD) and Weronika and Clara (babeld) had implemented parsing the packet trailer, we agreed that this approach makes the implementation much simpler and less error-prone. -- Juliusz
- [babel] Roman Danyliw's Discuss on draft-ietf-bab… Roman Danyliw via Datatracker
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Juliusz Chroboczek
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Juliusz Chroboczek
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Donald Eastlake