[babel] Fwd: [Babel-users] HOWTO: MAC security for Babel

Juliusz Chroboczek <jch@irif.fr> Tue, 08 June 2021 12:14 UTC

Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0450D3A2EBF for <babel@ietfa.amsl.com>; Tue, 8 Jun 2021 05:14:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1uqblVCIBHwJ for <babel@ietfa.amsl.com>; Tue, 8 Jun 2021 05:14:28 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0B613A2EC4 for <babel@ietf.org>; Tue, 8 Jun 2021 05:14:27 -0700 (PDT)
Received: from potemkin.univ-paris7.fr (potemkin.univ-paris7.fr [IPv6:2001:660:3301:8000::1:1]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id 158CENDA003763 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <babel@ietf.org>; Tue, 8 Jun 2021 14:14:23 +0200
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by potemkin.univ-paris7.fr (8.14.4/8.14.4/relay2/82085) with ESMTP id 158CELt0012442 for <babel@ietf.org>; Tue, 8 Jun 2021 14:14:23 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 262C5DC171 for <babel@ietf.org>; Tue, 8 Jun 2021 14:14:21 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id pv0gAedeO_Hw for <babel@ietf.org>; Tue, 8 Jun 2021 14:14:18 +0200 (CEST)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id CBCB6DC166 for <babel@ietf.org>; Tue, 8 Jun 2021 14:14:12 +0200 (CEST)
Date: Tue, 08 Jun 2021 14:14:12 +0200
Message-ID: <87eedcsgdn.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: babel@ietf.org
References: <87fsxssgem.wl-jch@irif.fr>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/28.0 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: message/rfc822
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]); Tue, 08 Jun 2021 14:14:23 +0200 (CEST)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (potemkin.univ-paris7.fr [194.254.61.141]); Tue, 08 Jun 2021 14:14:23 +0200 (CEST)
X-Miltered: at korolev with ID 60BF5F1F.002 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-Miltered: at potemkin with ID 60BF5F1D.003 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 60BF5F1F.002 from potemkin.univ-paris7.fr/potemkin.univ-paris7.fr/null/potemkin.univ-paris7.fr/<jch@irif.fr>
X-j-chkmail-Enveloppe: 60BF5F1D.003 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 60BF5F1F.002 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Score: MSGID : 60BF5F1D.003 on potemkin.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/AcQWdG3hwGO0ropYJeM9hfzBIsE>
Subject: [babel] Fwd: [Babel-users] HOWTO: MAC security for Babel
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2021 12:14:33 -0000

--- Begin Message ---
Dear all,

A quick tutorial on protecting your Babel network with cryptographic
signatures using the Babel-MAC protocol extension.


0. What does MAC security do?
=============================

It protects your Babel infrastructure by preventing an attacker from
impersonating a Babel router by either spoofing Babel packets or replaying
old Babel packets.

It does not encrypt your Babel traffic: Babel packets are signed, not
encrypted.  This means that tcpdump and wireshark can still be used for
debugging.

It is cheap: you should not see a significant increase in CPU load due to
MAC protection, and the per-packet overhead is moderate (51 bytes for
SHA-256, 35 bytes for Blake2s-128).  It also does not significantly slow
down neighbour acquisition: the initial cryptographic handshake is just
one packet exchange.

It does not protect your non-Babel traffic: for example, it doesn't
prevent an attacker from sending data packets from a spoofed IP address;
you still need to rely on higher-level (HTTPS, SSH, etc.) or lower-layer
(WPA3, OpenVPN, Wireguard) mechanisms for that.  However, since Babel-MAC
will prevent an attacker from spoofing their location in the network
(which router they're using to access the network), it will make it easier
to find the attacker and kindly explain to them that there's a bug
somewhere.  (In no case do we condone the use of physical violence.)

MAC security is implemented in babeld master since 2021-05-31 and BIRD
master since 2021-06-06.


1. Generate a key
=================

Babel-MAC is vulnerable to brute-force attacks, so you should use a strong
key.  The best way is to generate a random key:

    dd if=/dev/random bs=32 count=1 | xxd -ps -c32

The security of Babel-MAC relies on this key only being shared with people
authorised to announce Babel routes.


2. Install the key on your routers
==================================

Babeld
------

On each router running babeld, add the following to the configuration file:

    key id k1 type hmac-sha256 value fe3c...
    default key k1

replacing fec3... with your secret key.  This will enable MAC protection
on all interfaces (you will still need to enable the interfaces, either
from the config file or from the command line).

Alternatively, you may enable MAC protection on just some interfaces:

    key id k1 type hmac-sha256 value fe3c...
    interface eth0
    interface wlan0 key k1

Note that babeld supports using multiple configuration files (specify the
'-c' option multiple times), but will not reload the files automatically
(you'll need to restart babeld whenever you change the keys).


BIRD
----

On each router running Bird, add "authentication mac" and "key" options to
your interface definitions:

    protocol babel {
       interface "eth0" {
           authentication mac;
           key fe3c... {
               algorithm hmac sha256;
           };
       };
    }


3. Restart your network
=======================

Restart all of your Babel routers.  Your routers should associate as
previously.  If you run tcpdump, you should now see that all Babel packets
carry a PC and a MAC:

     $ sudo tcpdump -n -i wlan0 udp
     [...]
     babel 2 (86) hello router-id update/prefix nh update pc | mac


4. Optional: Incremental deployment
===================================

If you need to keep your network running, you may deploy MAC protection
incrementally by temporarily running your routers in a mode in which they
sign packets but don't verify signatures.  In a first step, install your
keys but tell your routers to accept unsigned packets.  In babeld, say

    accept-bad-signatures true

and in Bird

    authentication mac permissive;

After you're satisfied that all routers have the key installed, you may
incrementally start restarting your routers with the permissive option
switched off.


5. Unimplemented: key rotation
==============================

The protocol supports a mode of operation where two keys are used on each
interface, and packets are signed by both.  This is intended to support
key rotation: the new key is added to all routers, then, once this is
done, the old key is removed.

The current code in babeld doesn't support key rotation, since we haven't
been able to find a user interface that's simple and powerful enough to
handle all cases (Antonin's code did have support, but the user interface
was confusing).  The current plan is to gain more experience with MAC
protection before we design a user interface for key rotation.


6. Acknowledgments
==================

The first MAC algorithm for Babel was designed and implemented by Denis
Ovsienko.  The current algorithm was designed and initially implemented by
Clara Dô, Weronika Kołodziejak, and myself.  The code was then extensively
massaged by Antonin Décimo.  The Bird implementation is due to Toke
Høiland-Jørgensen.  Also thanks to Étienne Marais and to Julien Muchembled
(the latter employed by Nexedi, who are good guys).

-- Juliusz

_______________________________________________
Babel-users mailing list
Babel-users@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
--- End Message ---