Re: [babel] Mirja Kühlewind's Discuss on draft-ietf-babel-dtls-07: (with DISCUSS and COMMENT)
Mirja Kuehlewind <ietf@kuehlewind.net> Thu, 08 August 2019 11:45 UTC
Return-Path: <ietf@kuehlewind.net>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7310712006F; Thu, 8 Aug 2019 04:45:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FGfDteDz17dC; Thu, 8 Aug 2019 04:45:02 -0700 (PDT)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 691541200D6; Thu, 8 Aug 2019 04:45:02 -0700 (PDT)
Received: from 200116b82cfdec0099e7fb8bcda09050.dip.versatel-1u1.de ([2001:16b8:2cfd:ec00:99e7:fb8b:cda0:9050]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1hvgqp-000206-2u; Thu, 08 Aug 2019 13:44:59 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mirja Kuehlewind <ietf@kuehlewind.net>
In-Reply-To: <87a7cjq53f.wl-jch@irif.fr>
Date: Thu, 08 Aug 2019 13:44:58 +0200
Cc: babel-chairs <babel-chairs@ietf.org>, Babel at IETF <babel@ietf.org>, Donald Eastlake <d3e3e3@gmail.com>, The IESG <iesg@ietf.org>, David Schinazi <dschinazi.ietf@gmail.com>, draft-ietf-babel-dtls@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <110AD4FB-186C-4C87-8BAF-7D8F4A04BC6F@kuehlewind.net>
References: <156518163926.8337.14198016212015161206.idtracker@ietfa.amsl.com> <CAPDSy+5mjQOj7qvvW+L-tYiP=Oet-QKf=FqjxzgxFw7YgabgtA@mail.gmail.com> <A9C9E93D-BBE1-4307-A47D-0E90006B3EC9@kuehlewind.net> <87a7cjq53f.wl-jch@irif.fr>
To: Juliusz Chroboczek <jch@irif.fr>
X-Mailer: Apple Mail (2.3445.104.11)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1565264702;a0e91bb2;
X-HE-SMSGID: 1hvgqp-000206-2u
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/3vfgfzpBAKX0IPFUYK7L5lkzuRU>
Subject: Re: [babel] Mirja Kühlewind's Discuss on draft-ietf-babel-dtls-07: (with DISCUSS and COMMENT)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2019 11:45:08 -0000
> On 8. Aug 2019, at 13:17, Juliusz Chroboczek <jch@irif.fr> wrote: > >>> Using an ephemeral port that is discovered at runtime would add a failure mode >>> to the protocol and make it less robust. > >> Can you please explain why that would make it less robust? I would >> actually think that is would make it more robust. In any case you need >> to somehow discovery the neighbour. Usually the babel HELLO would be >> used for that. When you add an new TLV to that HELLO that indicates >> a port that should be used for DTLS, this also gives you and additional >> indication that the peer sending the hello actually supports DTLS which >> I believe would make it more robust. > > That's an intruiguing idea. > >> Further with respect to security and topics probably recently discussed, not having a default port would make it harder for an attacker to flood a route with DTLS handshakes on that port. > > Could you please explain what happens if an attacker sends out 65535 > spoofed multicast Hellos indicating 65535 distinct ports? You maybe rate limit DTLS connection attempts…? I didn’t fully design the protocol here but would like the wg to consider such an approach. However, I guess it might make sense to even rate limit in the proposed approach, or cache for a certain time that a connection attempt to a certain peer failed before trying again. Mirja > > -- Juliusz > >
- [babel] Mirja Kühlewind's Discuss on draft-ietf-b… Mirja Kühlewind via Datatracker
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… David Schinazi
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… Mirja Kuehlewind
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… Juliusz Chroboczek
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… Mirja Kuehlewind
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… Juliusz Chroboczek
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… David Schinazi
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… Mirja Kuehlewind
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… Juliusz Chroboczek
- Re: [babel] Mirja Kühlewind's Discuss on draft-ie… Benjamin Kaduk