IETF Logo Mail Archive

Re: [babel] Minor clarification to HMAC

Juliusz Chroboczek <jch@irif.fr> Sat, 29 June 2019 09:52 UTC

Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96B371200FF for <babel@ietfa.amsl.com>; Sat, 29 Jun 2019 02:52:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L2nA4ZT9j2jd for <babel@ietfa.amsl.com>; Sat, 29 Jun 2019 02:52:05 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAFFE120033 for <babel@ietf.org>; Sat, 29 Jun 2019 02:52:04 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id x5T9pxR1007104; Sat, 29 Jun 2019 11:52:00 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 9C7C74C4EE; Sat, 29 Jun 2019 11:52:02 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id f98Vc3S8xOt0; Sat, 29 Jun 2019 11:52:01 +0200 (CEST)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 857FF4C4EB; Sat, 29 Jun 2019 11:52:01 +0200 (CEST)
Date: Sat, 29 Jun 2019 11:52:01 +0200
Message-ID: <87d0iw1zy6.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: Babel at IETF <babel@ietf.org>
In-Reply-To: <B3BD48E4-BAE6-480A-AE3C-A912D5A861FD@gmail.com>
References: <874l49j158.wl-jch@irif.fr> <6C3AA518-8EF8-493A-835D-DE096E75D07B@iki.fi> <CAPDSy+4GeUfq50NcF5xZg_2cb78w76FjYYFnffqWtKm=Kha+fw@mail.gmail.com> <B3BD48E4-BAE6-480A-AE3C-A912D5A861FD@gmail.com>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Sat, 29 Jun 2019 11:52:00 +0200 (CEST)
X-Miltered: at korolev with ID 5D1734BF.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5D1734BF.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5D1734BF.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/6u5Krpaig3M8QdkTy5OnH_IthGI>
Subject: Re: [babel] Minor clarification to HMAC
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2019 09:52:07 -0000

> To me this sounds much like a SYN flood attack in TCP, where TCP resources were
> allocated before the ACK came back. And TCP had to come back to clarify this,
> rather than leave it as a implementation level detail.

RFC 4987.  The issues are similar, the same defenses apply, but there is
one significant difference.

The very first thing that happens is that the HMAC is verified.  No state
is created if the HMAC fails (Section 4.3, first bullet).  What is more,
the HMAC includes a pseudo-header (Section 4.1), so a packet can only be
replayed by spoofing the source address it was originally sent from.

Since neighbour entries are indexed by source address, the amount of state
an attacker can create is limited by the number of different source
addresses in his collection of previously captured packets.  What is more,
everytime the network undergoes key rotation, all of the captured packets
are invalidated.

So an easy defense is to roll over the keys often enough so that the
attacker can only create a bounded amount of state.

> If we agree that a MAY should be allowed, I would like to see some guidance
> given on some implementation choices including the fact that a separate table
> of pending challenges should be kept to prevent an attack. 

Please check the last two paragraphs of Section 6 (Security Considerations),
and let me know if you think I should add something there.

-- Juliusz

v2.23.0 | Report a Bug | By Email