[babel] MAC auth. for Babel in babeld

Antonin Décimo <antonin.decimo@gmail.com> Thu, 20 August 2020 10:31 UTC

From: Antonin Décimo <antonin.decimo@gmail.com>
Date: Thu, 20 Aug 2020 12:35:31 +0200
Message-ID: <CAC=54BJasxBONeV0dV3Xv56M4R2d9=pTyb6GVEAcr8AfGq-NZw@mail.gmail.com>
To: Babel at IETF <babel@ietf.org>, babel-users <babel-users@lists.alioth.debian.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/59yqCX3Hq6FlgUFxXcO6TGdXeNA>
Subject: [babel] MAC auth. for Babel in babeld

Dear all,

I’ve rolled up my sleeves and finished my implementation of the MAC
authentication protocol in babeld.

It can be found on the branch "hmac" in

    https://github.com/MisterDA/babeld.git

or in the open pull request on the main repository at

    https://github.com/jech/babeld/pull/52


There is one bug that I’m aware of: sometimes the local configuration
interface will respond "bad", letting the user think that there was an
error during the parsing or the processing of the configuration, but
everything happened correctly.

There is one feature that I have not implemented (yet): expiring
per-neighbour state (section 4.4) using the Hello history or a timer
based on the last accepted packet.

The code has not undergone review. No interoperability testing has
been done.

I’m also looking for feedback on the user interface. Here follows the
manual page describing the new configuration options (underscores
indicate user defined values).

In particular, do you think that implementing keysets and allowing an
unbounded number of keys is too much for babeld?

Key rotation is done through the local configuration interface.


   MAC authentication for the Babel routing protocol
       This protocol provides basic security properties for the Babel
       routing protocol. The scope of this protocol is strictly
       limited: it only provides authentication (we assume that
       routing information is not confidential), it only supports
       symmetric keying, and it only allows for the use of a small
       number of symmetric keys on every link.

       Keys and keysets are reference-counted. They are discarded as
       soon as they are no longer referenced.

       Interface configuration

           mac {true|false}
                  Enable MAC security on this interface.

           mac-verify {true|false}
                  Check packet signatures, reject unsigned or
                  incorrectly signed packets. The default is true.

           add-keyset _keyset-name_
                  Add the keyset _keyset-name_ to the set of keysets
                  of this interface.

           rm-keyset _keyset-name_
                  Remove the keyset _keyset-name_ from the set of
                  keysets of this interface.

       Global options

           key name _name_ algorithm {hmac-sha256|blake2s} value
           _value_ use {sign|verify|both}
                  Configure a key for use with the mac interface
                  option. The algorithm is either hmac-sha256 or
                  blake2s. The value is a hexadecimal string (up to 64
                  bytes for hmac-sha256 or up to 32 bytes for
                  blake2s). The use specifies whether the key is used
                  to sign packets, verify packets, or both (signing
                  and verifying packets).

           keyset _name_
                  Create an empty keyset.

           keyset-add-key _keyset-name_ _key-name_
                  Add the key _key-name_ to the keyset _keyset-name_.

           keyset-rm-key _keyset-name_ _key-name_
                  Remove the key _key-name_ from the keyset
                  _keyset-name_.


Thanks!

-- Antonin
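The manual page above describes keys, keysets and per-interface options together with their reference-counting and sign/verify semantics, and says key rotation is driven through the local configuration interface. The following is an added, constructed model of those semantics written for this page; it is not babeld's code and not taken from the author's branch or pull request. The class names, the `interface _ifname_ option value` line form for the per-interface options, the in-place update when a key is redefined, and the sample key values and packet bytes are all assumptions. It validates the hexadecimal key lengths the manual page gives (up to 64 bytes for hmac-sha256, up to 32 for blake2s), computes full-length keyed MACs, and walks one rotation from a key `k1` to a key `k2` with a new key installed as verify-only first, so authentication never lapses on the link.

```python
"""Constructed model of the babeld MAC configuration options quoted above.
Illustrative code, not babeld's implementation; class names, the `interface`
line form and in-place key redefinition are assumptions made for this example."""
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_KEY_BYTES = {"hmac-sha256": 64, "blake2s": 32}  # limits from the manual page
USES = {"sign", "verify", "both"}


@dataclass
class Key:
    name: str
    algorithm: str
    value: bytes
    use: str
    refcount: int = 0  # keysets that contain this key

    def mac(self, data: bytes) -> bytes:
        # Full digests; which bytes of a Babel packet are covered is out of
        # scope here, so `data` is simply the input to authenticate.
        if self.algorithm == "hmac-sha256":
            return hmac.new(self.value, data, hashlib.sha256).digest()
        return hashlib.blake2s(data, key=self.value).digest()  # keyed BLAKE2s


@dataclass
class Keyset:
    name: str
    keys: dict = field(default_factory=dict)
    refcount: int = 0  # interfaces that reference this keyset


@dataclass
class Interface:
    name: str
    mac: bool = False
    mac_verify: bool = True  # default stated in the manual page
    keysets: dict = field(default_factory=dict)


class Config:
    def __init__(self):
        self.keys, self.keysets, self.ifaces = {}, {}, {}

    def apply(self, line: str) -> str:
        """Apply one line as typed on the local configuration interface."""
        w = line.split()
        if w[0] == "key":
            o = dict(zip(w[1::2], w[2::2]))  # name/algorithm/value/use pairs
            alg, use = o["algorithm"], o["use"]
            if alg not in MAX_KEY_BYTES or use not in USES:
                raise ValueError("bad algorithm or use")
            value = bytes.fromhex(o["value"])  # raises on non-hex input
            if not 1 <= len(value) <= MAX_KEY_BYTES[alg]:
                raise ValueError(f"{alg} key must be 1..{MAX_KEY_BYTES[alg]} bytes")
            if o["name"] in self.keys:  # redefinition updates the live object
                k = self.keys[o["name"]]
                k.algorithm, k.value, k.use = alg, value, use
            else:
                self.keys[o["name"]] = Key(o["name"], alg, value, use)
        elif w[0] == "keyset":
            self.keysets.setdefault(w[1], Keyset(w[1]))
        elif w[0] == "keyset-add-key":
            ks, k = self.keysets[w[1]], self.keys[w[2]]
            if k.name not in ks.keys:
                ks.keys[k.name] = k
                k.refcount += 1
        elif w[0] == "keyset-rm-key":
            self._release_key(self.keysets[w[1]].keys.pop(w[2]))
        elif w[0] == "interface":
            iface = self.ifaces.setdefault(w[1], Interface(w[1]))
            if w[2] in ("mac", "mac-verify"):
                setattr(iface, w[2].replace("-", "_"), w[3] == "true")
            elif w[2] == "add-keyset":
                ks = self.keysets[w[3]]
                if ks.name not in iface.keysets:
                    iface.keysets[ks.name] = ks
                    ks.refcount += 1
            elif w[2] == "rm-keyset":
                self._release_keyset(iface.keysets.pop(w[3]))
            else:
                raise ValueError(f"unknown interface option {w[2]}")
        else:
            raise ValueError(f"unknown option {w[0]}")
        return "ok"

    # Reference counting: an object is discarded when its last reference goes.
    def _release_key(self, k: Key):
        k.refcount -= 1
        if k.refcount == 0:
            del self.keys[k.name]

    def _release_keyset(self, ks: Keyset):
        ks.refcount -= 1
        if ks.refcount == 0:
            del self.keysets[ks.name]
            for k in ks.keys.values():
                self._release_key(k)

    def sign(self, ifname: str, data: bytes) -> dict:
        """MACs a packet sent on `ifname` carries: one per key with use sign/both."""
        iface = self.ifaces[ifname]
        if not iface.mac:
            return {}
        return {k.name: k.mac(data) for ks in iface.keysets.values()
                for k in ks.keys.values() if k.use in ("sign", "both")}

    def verify(self, ifname: str, data: bytes, macs) -> bool:
        """Accept iff some key with use verify/both reproduces one of `macs`."""
        iface = self.ifaces[ifname]
        if not (iface.mac and iface.mac_verify):
            return True  # mac-verify false: unsigned packets are accepted
        for ks in iface.keysets.values():
            for k in ks.keys.values():
                if k.use in ("verify", "both") and any(
                        hmac.compare_digest(k.mac(data), m) for m in macs):
                    return True
        return False


def rotation_demo() -> dict:
    """Rotate two routers on one link (constructed) from k1 to k2 without a gap."""
    a, b = Config(), Config()
    pkt = b"constructed babel packet bytes"
    for c in (a, b):
        for line in ("key name k1 algorithm hmac-sha256 value "
                     "00112233445566778899aabbccddeeff use both",
                     "keyset ks", "keyset-add-key ks k1",
                     "interface eth0 mac true", "interface eth0 add-keyset ks"):
            c.apply(line)
    k2 = "key name k2 algorithm blake2s value " + "42" * 32 + " use verify"
    for c in (a, b):  # step 1: k2 verify-only everywhere, still signing with k1
        c.apply(k2)
        c.apply("keyset-add-key ks k2")
    out = {"k2_installed": b.verify("eth0", pkt, a.sign("eth0", pkt).values())}
    a.apply(k2.replace("use verify", "use both"))  # step 2: a also signs with k2
    out["a_signs_k2"] = b.verify("eth0", pkt, a.sign("eth0", pkt).values())
    for c in (a, b):  # step 3: retire k1; it is discarded once unreferenced
        c.apply("keyset-rm-key ks k1")
    b.apply(k2.replace("use verify", "use both"))
    out["k1_retired"] = b.verify("eth0", pkt, a.sign("eth0", pkt).values())
    out["k1_discarded"] = "k1" not in a.keys and "k1" not in b.keys
    out["signing_keys"] = sorted(a.sign("eth0", pkt))
    out["unsigned_rejected"] = not b.verify("eth0", pkt, [])
    out["tampered_rejected"] = not b.verify("eth0", pkt + b"x", a.sign("eth0", pkt).values())
    return out
```

The order of the rotation matters: a new key enters with `use verify` on every router before any router signs with it, and the old key leaves only after all routers sign with the new one, so at no point does a router emit a packet that a neighbour cannot verify. Note also that a router with `mac-verify false` accepts unsigned packets, which is why the manual page gives `true` as the default.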