Re: [babel] Roman Danyliw's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Thu, 08 August 2019 22:03 UTC
Return-Path: <rdd@cert.org>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5101200A3; Thu, 8 Aug 2019 15:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ZFFqwamWfNP; Thu, 8 Aug 2019 15:03:52 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C3B612002F; Thu, 8 Aug 2019 15:03:52 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x78M3mbv009788; Thu, 8 Aug 2019 18:03:48 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu x78M3mbv009788
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1565301829; bh=5PqN5LBZJ8WuLsLyyhijVFJJITSrVM/GAXk467KGOgs=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=MYgQYYB1SEYf86jwj6/RUR7l3r87HOmPzNYRguZmo2PK92Ry6RhZ2WlbL5qaBuf1n 4oO0V2mQhc32tcUbqcfwR3va5K17r0V8pvl+DjpL33H/ik9hBmc7Vi7L9MEUmQwlQO hrHFG2wjpdobEnRbk4/euCrtFLimEQC1enMPlOhE=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x78M3j69013680; Thu, 8 Aug 2019 18:03:45 -0400
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0468.000; Thu, 8 Aug 2019 18:03:45 -0400
From: Roman Danyliw <rdd@cert.org>
To: Juliusz Chroboczek <jch@irif.fr>
CC: Donald Eastlake <d3e3e3@gmail.com>, "babel-chairs@ietf.org" <babel-chairs@ietf.org>, The IESG <iesg@ietf.org>, "babel@ietf.org" <babel@ietf.org>, "draft-ietf-babel-hmac@ietf.org" <draft-ietf-babel-hmac@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)
Thread-Index: AQHVTVc7EhiAo9Vjs0mVXthEfhPXuKbxh9sAgAAnvwA=
Date: Thu, 08 Aug 2019 22:03:44 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B3402CA5@marchand>
References: <156520650683.8432.7109781814790904901.idtracker@ietfa.amsl.com> <87v9v7wyzz.wl-jch@irif.fr>
In-Reply-To: <87v9v7wyzz.wl-jch@irif.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/6l7odVxlL7jIbNOZxdXtzuLI3rc>
Subject: Re: [babel] Roman Danyliw's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2019 22:03:56 -0000
Hi Juliusz! Thanks for the quick response. Responses inline ... > -----Original Message----- > From: iesg [mailto:iesg-bounces@ietf.org] On Behalf Of Juliusz Chroboczek > Sent: Thursday, August 8, 2019 9:47 AM > To: Roman Danyliw <rdd@cert.org> > Cc: Donald Eastlake <d3e3e3@gmail.com>; babel-chairs@ietf.org; The IESG > <iesg@ietf.org>; babel@ietf.org; draft-ietf-babel-hmac@ietf.org > Subject: Re: Roman Danyliw's Discuss on draft-ietf-babel-hmac-08: (with > DISCUSS and COMMENT) > > Dear Roman, > > Thank you for your review. > > > (1) Section 1.2. Per “any packet accepted as authentic is the exactly > > copy of a packet originally sent”, this text can be read two ways – > > packet as Babel packet or as an IP packet. I think mean the former. > > Recommend making this clearer as s/any packet/any Babel packet/ > > Done. > > > (2) Section 2, Per the paragraph, “By itself, this mechanism is safe > > against replay …”, please reiterate that for the attack by C to work: > > A and B must have both lost state; that C is replaying packets with PC > > previously sent by B (e.g., n+2). > > Only A needs to have lost its state. Clarified. > > > (3) Section 4.1. Per “The node takes the concatenation of the > > pseudo-header and the packet including the packet header but excluding > > the packet trailer (from octet 0 inclusive up to (Body Length + 4) > > exclusive)”, as input for the HMAC. “packet” is used to sometimes > > mean IP packet and sometimes a Babel packet carried in an IP packet. > > Clarified. Thanks. > > (4) Section 2. This section suggests that “one or more HMACs can be > > appended to the packet”. Under what conditions would it be more than > > one? What happens if only some of the HMACs are valid? Is use of the > > same key assumed? > > This section is a conceptual overview, and is optimised for easy readability. > The exact details are given in 4.3. I've added the paranthetical remark "(one > per key)", Ah, I see it now in Section 4.3 Thanks for the pointer. This text explains the issues of around keys processing. I couldn't explicitly find text explaining when multiple HMAC TLVs should be sent. Where should I be looking? > but refuse to overload this section any further. No worries. I'm not suggesting that. FWIW, I think this narrative section works really well. > > (5) Section 4.1. The hash algorithm appears to be negotiated/set out > > of band (rather than negotiated). The text should explicitly state that > somewhere. > > Section 3.1. Got it. Thanks. > > (6) Section 6. Per “In particular, reception of a packet with no > > correct HMAC creates no local state whatsoever (Section 4.3)”, unless > > this HMAC verification is happening on the NIC, this doesn’t seem > > sufficiently precise. The “no local state” claim is likely true only > > as it relates to the tables data structures describes in Section 3. > > However, the IP and DTLS stack certainly have to account for the packet. > > There is no DTLS in this protocol. Right. Sorry about that. I have both documents open. > I'm leaving this sentence as is -- after trying it out, I don't think that > mentioning the small amount of state caused by reception of a UDP packet > (an ND entry) is informative. I'm not tracking. "Whatsoever" is an absolute statement. By all means caveat the sentence by saying no local Babel state (or something to that effect). > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > (7) Section 1 enumerates a series of attacks. These are different > > than the ones listed in Section 6 of draft-ietf-babel-rfc6126bis and > > Section 1 of draft-ietf-babel-dtls. As HMAC and DTLS are mitigations > > for attacks in draft-ietf-babel-rfc6126bis, they really should be > harmonized. > > I'll look at making this uniform between the three drafts. Thanks for coordinating across documents. Your call, but an alternative to making the text more uniform might be to have the HMAC and DTLS drafts just reference the core Babel drafts in some way. > > (8) Section 1. Per the “spoof of a malformed packet”, how would an > > HMAC address this? Even assuming that a node discards the message > > without processing if the HMAC is bad, this would still be a problem > > from a malicious peer. > > Please explain. The initial situation I had in mind was if there was a compromised Babel node. It will have the key to produce a valid HMAC on the crafted packet to cause the peer Babel node to process the packet. Another situation which would not involve a malicious Babel node with the key is a node running a buggy Babel implementation. Imagine this implementation has some kind of (buffer overflow) vulnerability in the routines which parses the packet payload to find the HMAC TLV. In the worst circumstance, this could hypothetically compromise the Babel node even before the code to verified HMAC and choose to discard the packet or not is made. > > (9) Editorial nits: > > Fixed, thanks. Thanks. Regards, Roman > -- Juliusz
- [babel] Roman Danyliw's Discuss on draft-ietf-bab… Roman Danyliw via Datatracker
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Juliusz Chroboczek
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Juliusz Chroboczek
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Donald Eastlake