IETF Logo Mail Archive

Re: [babel] [Babel-users] MAC auth. for Babel in babeld

Juliusz Chroboczek <jch@irif.fr> Mon, 28 September 2020 15:31 UTC

Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BBA73A1262 for <babel@ietfa.amsl.com>; Mon, 28 Sep 2020 08:31:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihDV-Qs1GVGL for <babel@ietfa.amsl.com>; Mon, 28 Sep 2020 08:31:10 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C45B3A12B7 for <babel@ietf.org>; Mon, 28 Sep 2020 08:31:03 -0700 (PDT)
Received: from potemkin.univ-paris7.fr (potemkin.univ-paris7.fr [IPv6:2001:660:3301:8000::1:1]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id 08SFV1Io013938 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 28 Sep 2020 17:31:01 +0200
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by potemkin.univ-paris7.fr (8.14.4/8.14.4/relay2/82085) with ESMTP id 08SFV1Rn003280; Mon, 28 Sep 2020 17:31:01 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 7BC23BA1A7; Mon, 28 Sep 2020 17:31:01 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id W7DxhSzHLrkG; Mon, 28 Sep 2020 17:31:00 +0200 (CEST)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 096ECBA1A3; Mon, 28 Sep 2020 17:31:00 +0200 (CEST)
Date: Mon, 28 Sep 2020 17:30:59 +0200
Message-ID: <87d025vryk.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Toke Høiland-Jørgensen <toke@toke.dk>
Cc: Antonin Décimo <antonin.decimo@gmail.com>, Babel at IETF <babel@ietf.org>, babel-users <babel-users@lists.alioth.debian.org>
In-Reply-To: <87h7ri3r17.fsf@toke.dk>
References: <C5Z1FPOCNQW3.2QYFDONBPHNF9@kobain> <87h7ri3r17.fsf@toke.dk>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.1 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]); Mon, 28 Sep 2020 17:31:01 +0200 (CEST)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (potemkin.univ-paris7.fr [194.254.61.141]); Mon, 28 Sep 2020 17:31:01 +0200 (CEST)
X-Miltered: at korolev with ID 5F7201B5.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-Miltered: at potemkin with ID 5F7201B5.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5F7201B5.001 from potemkin.univ-paris7.fr/potemkin.univ-paris7.fr/null/potemkin.univ-paris7.fr/<jch@irif.fr>
X-j-chkmail-Enveloppe: 5F7201B5.001 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5F7201B5.001 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Score: MSGID : 5F7201B5.001 on potemkin.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/6IF6wlpCI_eMr1lyDLdioDtz664>
Subject: Re: [babel] [Babel-users] MAC auth. for Babel in babeld
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2020 15:31:13 -0000

> You could simply reject 'mac true' if no key is configured (i.e., reject
> interface bring-up or reconfig, as appropriate depending on context).

Suppose you were running Babel together with a keying daemon.  Say, one
that periodically performs an authenticated supersingular isogeny
Diffie-Helman exchange and then feeds the resulting key to the Babel
daemon.

You could of course delay starting the Babel daemon until you got yourself
a non-empty set of keys, but wouldn't it be more robust to start Babel in
authenticated mode with no keys (which would cause it to drop packets) and
then incrementally feed it keys as they are learned?

-- Juliusz

v2.23.0 | Report a Bug | By Email