[babel] MAC auth. for Babel in babeld
Antonin Décimo <antonin.decimo@gmail.com> Thu, 20 August 2020 10:31 UTC
Dear all,

I’ve rolled up my sleeves and finished my implementation of the MAC authentication protocol in babeld. It can be found on the branch "hmac" in https://github.com/MisterDA/babeld.git or on the opened pull request in the main repository at https://github.com/jech/babeld/pull/52

There is one bug that I’m aware of: sometimes the local configuration interface will respond "bad", letting the user think that there was an error during the parsing or the processing of the configuration, but everything happened correctly.

There is one feature that I have not implemented (yet): expiring per-neighbour state (section 4.4) using the Hello history or a timer based on the last accepted packet.

The code has not undergone review. No interoperability testing has been done.

I’m also looking for feedback on the user interface. Here follows the manual page describing the new configuration options (underscores indicate user-defined values). In particular, do you think that implementing keysets and allowing an unbounded number of keys is too much for babeld? Key rotation is done through the local configuration interface.

MAC authentication for the Babel routing protocol

This protocol provides basic security properties for the Babel routing protocol. The scope of this protocol is strictly limited: it only provides authentication (we assume that routing information is not confidential), it only supports symmetric keying, and it only allows for the use of a small number of symmetric keys on every link.

Keys and keysets are reference-counted. They are discarded as soon as they are no longer referenced.

Interface configuration

    mac {true|false}
        Enable MAC security on this interface.

    mac-verify {true|false}
        Check packet signatures, reject unsigned or incorrectly signed packets. The default is true.

    add-keyset _keyset-name_
        Add the keyset _keyset-name_ to the set of keysets of this interface.

    rm-keyset _keyset-name_
        Remove the keyset _keyset-name_ from the set of keysets of this interface.

Global options

    key name _name_ algorithm {hmac-sha256|blake2s} value _value_ use {sign|verify|both}
        Configure a key for use with the mac interface option. The algorithm is either hmac-sha256 or blake2s. The value is a hexadecimal string (up to 64 bytes for hmac-sha256 or up to 32 bytes for blake2s). The use specifies whether the key is used to sign packets, verify packets, or both (signing and verifying packets).

    keyset _name_
        Create an empty keyset.

    keyset-add-key _keyset-name_ _key-name_
        Add the key _key-name_ to the keyset _keyset-name_.

    keyset-rm-key _keyset-name_ _key-name_
        Remove the key _key-name_ from the keyset _keyset-name_.

Thanks!

-- 
Antonin
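As an added illustration, not code from babeld or from the pull request, the following Python models the key and keyset semantics described in the manual page above: the per-algorithm key length caps, the sign/verify/both use of a key, and a keyset-based rotation in which receivers add the new key as verify-only before senders start signing with it. It computes the MAC over the constructed packet bytes alone; the pseudo-header that the specification prepends to the MAC input is omitted here, and all key values and the packet are made-up sample input.

```python
import hashlib
import hmac

# Maximum key length in bytes per algorithm, as given in the manual page text.
KEY_LIMITS = {"hmac-sha256": 64, "blake2s": 32}

def parse_key(name, algorithm, hex_value, use):
    """Validate one 'key name ... algorithm ... value ... use ...' line."""
    if algorithm not in KEY_LIMITS:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    if use not in ("sign", "verify", "both"):
        raise ValueError(f"unknown use {use!r}")
    value = bytes.fromhex(hex_value)  # raises ValueError on non-hex input
    if not 0 < len(value) <= KEY_LIMITS[algorithm]:
        raise ValueError(f"{algorithm} key must be 1..{KEY_LIMITS[algorithm]} bytes")
    return {"name": name, "algorithm": algorithm, "value": value, "use": use}

def compute_mac(key, data):
    """MAC over data: HMAC wraps SHA-256, BLAKE2s takes the key natively."""
    if key["algorithm"] == "hmac-sha256":
        return hmac.new(key["value"], data, hashlib.sha256).digest()
    return hashlib.blake2s(data, key=key["value"]).digest()

def sign(keyset, packet):
    """One MAC per key whose use allows signing (a keyset may hold several)."""
    return [compute_mac(k, packet) for k in keyset if k["use"] in ("sign", "both")]

def verify(keyset, packet, macs):
    """Accept if any verify-capable key reproduces any attached MAC."""
    for key in keyset:
        if key["use"] not in ("verify", "both"):
            continue
        expected = compute_mac(key, packet)
        if any(hmac.compare_digest(expected, m) for m in macs):
            return True
    return False

def rotation_demo():
    """Rotation: receivers add the new key as 'verify' before senders sign with it."""
    packet = b"constructed Babel packet body, not a wire capture"  # sample input
    old = parse_key("k1", "hmac-sha256", "00" * 32, "both")
    new_rx = parse_key("k2", "blake2s", "11" * 32, "verify")  # receiver, step 1
    new_tx = parse_key("k2", "blake2s", "11" * 32, "both")  # sender, step 2
    receiver = [old, new_rx]
    return (verify(receiver, packet, sign([old], packet)),  # old sender accepted
            verify(receiver, packet, sign([new_tx], packet)),  # new sender accepted
            verify(receiver, packet, sign([new_tx], packet + b"x")))  # tampered
```

Once every sender signs with k2, the receiver can drop k1 from the keyset; until then both generations verify, which is what makes the rotation lossless.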