Re: [babel] [Babel-users] MAC rekeying in babeld and information model

"STARK, BARBARA H" <bs7652@att.com> Fri, 17 January 2020 14:51 UTC

Return-Path: <bs7652@att.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 378C9120098 for <babel@ietfa.amsl.com>; Fri, 17 Jan 2020 06:51:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ecu8wOxL1-XH for <babel@ietfa.amsl.com>; Fri, 17 Jan 2020 06:51:36 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC918120074 for <babel@ietf.org>; Fri, 17 Jan 2020 06:51:36 -0800 (PST)
Received: from pps.filterd (m0049295.ppops.net [127.0.0.1]) by m0049295.ppops.net-00191d01. (8.16.0.42/8.16.0.42) with SMTP id 00HEjNLe006989; Fri, 17 Jan 2020 09:51:36 -0500
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049295.ppops.net-00191d01. with ESMTP id 2xk0skwajr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 17 Jan 2020 09:51:36 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 00HEpYW0005131; Fri, 17 Jan 2020 09:51:34 -0500
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [135.47.91.177]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 00HEpU4q005048 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 17 Jan 2020 09:51:31 -0500
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [127.0.0.1]) by zlp30486.vci.att.com (Service) with ESMTP id 0E06A4009E86; Fri, 17 Jan 2020 14:51:30 +0000 (GMT)
Received: from GAALPA1MSGHUBAB.ITServices.sbc.com (unknown [130.8.218.151]) by zlp30486.vci.att.com (Service) with ESMTPS id ECE004009E70; Fri, 17 Jan 2020 14:51:29 +0000 (GMT)
Received: from GAALPA1MSGUSRBF.ITServices.sbc.com ([169.254.5.85]) by GAALPA1MSGHUBAB.ITServices.sbc.com ([130.8.218.151]) with mapi id 14.03.0468.000; Fri, 17 Jan 2020 09:51:29 -0500
From: "STARK, BARBARA H" <bs7652@att.com>
To: 'Toke Høiland-Jørgensen' <toke@toke.dk>, 'Juliusz Chroboczek' <jch@irif.fr>, "'babel-users@lists.alioth.debian.org'" <babel-users@lists.alioth.debian.org>
CC: "'babel@ietf.org'" <babel@ietf.org>
Thread-Topic: [Babel-users] MAC rekeying in babeld and information model
Thread-Index: AQHVzJ0q8jDHxzeyx0S6Gir5zXgjYKfvDLIA///hz8A=
Date: Fri, 17 Jan 2020 14:51:29 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E61153754234@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <877e1r6y0f.wl-jch@irif.fr> <875zhaqq5v.fsf@toke.dk>
In-Reply-To: <875zhaqq5v.fsf@toke.dk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.107.145]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.572 definitions=2020-01-17_03:2020-01-16, 2020-01-17 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 impostorscore=0 adultscore=0 malwarescore=0 phishscore=0 mlxlogscore=999 priorityscore=1501 lowpriorityscore=0 spamscore=0 mlxscore=0 clxscore=1011 suspectscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-2001170116
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/8HXqW-84snbnoekV1MTlDPYrmrQ>
Subject: Re: [babel] [Babel-users] MAC rekeying in babeld and information model
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 14:51:41 -0000


> -----Original Message-----
> From: Toke Høiland-Jørgensen <toke@toke.dk>
> Sent: Friday, January 17, 2020 6:27 AM
> To: Juliusz Chroboczek <jch@irif.fr>; babel-users@lists.alioth.debian.org
> Cc: STARK, BARBARA H <bs7652@att.com>; babel@ietf.org
> Subject: Re: [Babel-users] MAC rekeying in babeld and information model
> 
> Juliusz Chroboczek <jch@irif.fr> writes:
> 
> > Dear all,
> >
> > Antonin and I have spent the afternoon looking at his work on MAC
> > rekeying in babeld.  His code is available in branch hmac-rekeying of
> >
> > <URL mauled by AT&T mail system>
> >
> > Now... we've got an issue with the information model.
> >
> > Following the information model, Antonin adds the following attribute
> > to
> > keys:
> >
> >    key-use sign|verify|both
> >
> > I'm a little puzzled by the purpose of this attribute.  What usage
> > scenarios is it useful in?  In particular, it does not appear to
> > subsume the sign-only interface attribute, which is useful in
> > incremental deployment scenarios.
> 
> Hmm, I think this notion originally comes from Bird's password configuration
> support?
> <URL mauled by AT&T mail system>
> search for 'password'.
> 
> I guess you could use it for a kind of asymmetrical verification procedure?
> I.e., a route server could have its own key that it signs with, that all peers
> with the route server will accept, but each peer has its own key it signs with,
> that the route server is set up to accept. That way the peers wouldn't peer
> with each other, but all go through the route server? This would not prevent
> malicious actors, of course (they could just start signing with the route
> server's key), but it could prevent accidental misconfiguration.
> 
> Dunno exactly what the original intention with the Bird option is, though. I
> can ask on the Bird list?
> 
> -Toke

I don't remember precisely and would need to go looking for the emails. I think it did come from Toke's comments. But if an implementation doesn't support asymmetric signing, it can just hard-code the parameter to "both", not allow configuration of the parameter, and be done with it.
Barbara