Re: [babel] [Babel-users] MAC auth. for Babel in babeld
Antonin Décimo <antonin.decimo@gmail.com> Wed, 23 September 2020 15:12 UTC
Return-Path: <antonin.decimo@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DB713A11D6 for <babel@ietfa.amsl.com>; Wed, 23 Sep 2020 08:12:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bG98SQooUaBd for <babel@ietfa.amsl.com>; Wed, 23 Sep 2020 08:12:02 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE2913A0A3F for <babel@ietf.org>; Wed, 23 Sep 2020 08:12:01 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id a17so422434wrn.6 for <babel@ietf.org>; Wed, 23 Sep 2020 08:12:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:content-transfer-encoding:subject:from:to:date :message-id:in-reply-to; bh=ACQq6Nk8CnXnhw2vjAKEa2DRP3GgdLesNCqcb/jjK2M=; b=j8yGJKBSKLIZxrR7luP6hczz/V/gTxbQWlq3MyJAjZVvL6g0ThCjyz5o26dqYTPFzj RAtMVBtRwioa0ipEafq6Aw6CqlH+BvI1Q15mwv8/wVms3Hk4Ro/hxjZMyi2jOMoLV57F /4Zph+4hv/IR3rwA52iM/0E5QJ33M3K+7MMDdH3oyBIaaD39REfAv6sG/9L/kCcXq/Ni 9/FR+PJkfBPzpE15SFZTbQUDmORAyFVCScGlsY05GOqmVPRsOAFejf2c5PD9ASo+bZN5 m1z3NvAi7gUywMuKPGRbS+jDI8MXfrb4DX4GBntWAxApnwsai2Gawcfj7elkyEfIrDAR qTEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:content-transfer-encoding:subject :from:to:date:message-id:in-reply-to; bh=ACQq6Nk8CnXnhw2vjAKEa2DRP3GgdLesNCqcb/jjK2M=; b=cGnfW3uT4+T/MI1uOoju/T0Re2n2N038i/zmGffVCmySvhsbfQHukLrK3aIC9KkXtM u0BAFBUK8cw9ZTpCpABeKtW0wfl23oE7+pNEXszSz+6FDG0zpUbFOJ7HFJo78sw1S3Px LMbye3Od2v5D8Sr3m9U5GVY4aDPXjYDk4Ve1iWHrJMAJAveWYhh6FqZl0+WIavPYNAbk 9o3HOXVGmhIIF/fsPY333KmB3CJvF0M8j2Q/099pOEFCcPry6BeBwgIro7OkNN2IHrqa 9UYiX+yKJ5dAASPIjqn286UdB0bdSLQGM+HH6SfvBXqcmTGTCf8/dVRUU+Lg123s/Tsi wPjg==
X-Gm-Message-State: AOAM532bDoQVBa2tqjp/3lmJlgOSe9YE+tIgX8A9P8dJXOsRqTybbsme eL+BCiWGybV2vrJ6+SQgrt4=
X-Google-Smtp-Source: ABdhPJwSvPX6PUrJIoBgXzp+j/0J57GRbxR6cxeQmGuSqqZsROLM+po48Wqijp10rJ4lTc5UmIAUcw==
X-Received: by 2002:adf:ec0a:: with SMTP id x10mr106582wrn.47.1600873920080; Wed, 23 Sep 2020 08:12:00 -0700 (PDT)
Received: from localhost (2a01cb0802a40500020ec6fffed9ad5a.ipv6.abo.wanadoo.fr. [2a01:cb08:2a4:500:20e:c6ff:fed9:ad5a]) by smtp.gmail.com with ESMTPSA id e18sm128942wra.36.2020.09.23.08.11.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 23 Sep 2020 08:11:59 -0700 (PDT)
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
From: Antonin Décimo <antonin.decimo@gmail.com>
To: Toke Høiland-Jørgensen <toke@toke.dk>, Babel at IETF <babel@ietf.org>, babel-users <babel-users@lists.alioth.debian.org>
Date: Wed, 23 Sep 2020 16:59:51 +0200
Message-Id: <C5UU6NMIAW8I.3RALHZUWY7BJO@kobain>
In-Reply-To: <87sgb9fnwd.fsf@toke.dk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/5XLO5qukZdovkHPIoT7sTm9k0JA>
Subject: Re: [babel] [Babel-users] MAC auth. for Babel in babeld
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 15:12:03 -0000
Hello Toke, > I've done basic interoperability testing with the latest version of my > MAC implementation for Babel in Bird. They can successfully exchange > messages with both hmac-sha256 and blake2s hash algorithms configured. Yay! Thank you very much! I’m glad it worked (on the first try) :-) > - You don't enforce a minimum key length. This was on purpose, but maybe it was a bad idea. > For blake2s this means the key will effectively be zero-padded up to > the block size of 32 bytes (not sure what hmac-sha256 does). hmac-sha256 is the same. Under the block size, the key is padded with zeroes, above, the key is pre-hashed. > For Bird I'm enforcing that the key size must match the hash output > size (32 bytes for both blake2s and hmac-sha256). This is based on > the security considerations section in the draft; should babeld do > the same? Now babeld requires keys of 32 bytes for both algorithms. > - I think the configuration is a bit verbose. This was the minimal > config I needed to enable MAC in babeld: > > key name test algorithm hmac-sha256 value > 7465737474657374746573747465737474657374746573747465737474657374 use > both > keyset test > keyset-add-key test test > interface veth0 mac true add-keyset test > > The two middle lines feel like they are a bit redundant; could we go > without them for simple configs? You’re right; at least the line `keyset test` can go, keysets are now implicitly created. I don’t see how I can further simplify without losing the idea that interfaces may share keysets and keysets may share keys. One thing that is still buggy in my implementation is to use the "default" pseudo-interface with keysets and keys, this may simplify the configuration for common usecases. -- Antonin
- [babel] MAC auth. for Babel in babeld Antonin Décimo
- Re: [babel] MAC auth. for Babel in babeld Juliusz Chroboczek
- Re: [babel] MAC auth. for Babel in babeld Juliusz Chroboczek
- Re: [babel] MAC auth. for Babel in babeld Antonin Décimo
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC auth. for Babel in … Antonin Décimo
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC auth. for Babel in … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC auth. for Babel in … Antonin Décimo
- Re: [babel] [Babel-users] MAC auth. for Babel in … Antonin Décimo
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC auth. for Babel in … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC auth. for Babel in … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen