Re: [babel] Comments on the MAC authentication for Babel draft
Donald Eastlake <d3e3e3@gmail.com> Wed, 26 August 2020 22:01 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AD3E3A08F4 for <babel@ietfa.amsl.com>; Wed, 26 Aug 2020 15:01:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T5CK-DJdQa5m for <babel@ietfa.amsl.com>; Wed, 26 Aug 2020 15:01:27 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E0D53A08DB for <babel@ietf.org>; Wed, 26 Aug 2020 15:01:27 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id v6so3757675iow.11 for <babel@ietf.org>; Wed, 26 Aug 2020 15:01:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=M5fqM2xdSL2hg66jFmSWDqZxrSWYf1Og/IyJuDMQUQY=; b=YNTXwiDBqcDP1WoGu6O9/ehw3TCsYR+zxaiU+/tI0b5IdddX6cu5n7zPXJ6ZikLuvM tIRoW0PGH77UgUed06/r1tRuYCOHopIqhbFefsghdsOLV4kXx6KQZaQDuCVYpUZPbnzY zAZIrKBQFOdeLuUTUzbYi1BRkc8vS40OQycXrprGS7VXfHyGne72C8SGunQnPeWizLjG ziUf6T1agfupYKQAKpsOI7WB7+C22xht/68VKdjkF1Mwt36sLV56vbHrq2KR/ICUamOU yiuTGyfQ5x9uLbfYVHLLSgPDdx2n3/V8j0c2udAMCtUkHaZDTda0pf8N+k05Qcpcau7d rFfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=M5fqM2xdSL2hg66jFmSWDqZxrSWYf1Og/IyJuDMQUQY=; b=CYJ2+k7iaIRpY5twFJaoyaLDxO44HATejBQPbI7uiueYTfA2NSbImNM/8JwDFIJpDk 6hJ4wzDR+SM9fwoBLGhgjDYx3lAdwrwkJaGrqob302meWmQa+r3RCiCSQDO8epoUt+Nt QoKUSOmfjGlc/p0+WQyEpP7ycAL8Ki0aUJmH1v67YPtDfQRbfugLOtpwV3fj9HB5jwlT witYmF2XGQbU5oc6wb3/wOePJux7fbWa4DmMqoDmqVlIWivHDHaBBir//ZjyCZQo7yVg u33Q1gYNVWLXo564/JSMKsOkmzx6Gc3EcYJHjn1u1flN3RIl5FsY27iiYe52DNM4mX/G ZEQQ==
X-Gm-Message-State: AOAM533/RPO1p9RcML066AIXVyLGtzfay3TnzaVbqBYXwUy1fYCdwyqN ad51JPr0GwHwW8ukdkCHTANkuaBdN3DR3OqqRHk=
X-Google-Smtp-Source: ABdhPJznObZfC0errn6SeeSMqHOtlJBxsuGW4/haTFxGqKout0LG/jRoB4zyK+iuiS/T39mgnyuWnvFtubT1SrtcF9M=
X-Received: by 2002:a6b:b513:: with SMTP id e19mr14715102iof.167.1598479286078; Wed, 26 Aug 2020 15:01:26 -0700 (PDT)
MIME-Version: 1.0
References: <CAC=54B+aJAZ3KhSUAjJyXiAujzHarRCDYXcERLx3gkHswJ6Sgg@mail.gmail.com> <87zh6hem9u.wl-jch@irif.fr>
In-Reply-To: <87zh6hem9u.wl-jch@irif.fr>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 26 Aug 2020 18:01:14 -0400
Message-ID: <CAF4+nEFjYVQeZtAyJsQWXTpgVe6gDPodqHG4YLF8PwjeNq+4Eg@mail.gmail.com>
To: Juliusz Chroboczek <jch@irif.fr>, Antonin Décimo <antonin.decimo@gmail.com>
Cc: Babel at IETF <babel@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000007123305adcef65a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/AkwXVbvnw8a1pKS4hzeZYdeokgA>
Subject: Re: [babel] Comments on the MAC authentication for Babel draft
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2020 22:01:30 -0000
Hi Antonin and Juliusz, I'll just reply where I think I can add to Juliusz responses. On Wed, Aug 26, 2020 at 6:26 AM Juliusz Chroboczek <jch@irif.fr> wrote: > > Dear Antonin, > > ... > > > 1. Key length > > I disagree. Using 64 octets for SHA-256 gives no additional security. > > https://crypto.stackexchange.com/questions/34864/key-size-for-hmac-sha256 > > > 2. Digest length > > > Reading the length of the MAC TLV in order to compute a MAC of this > > length is not compliant with the protocol (§4.3) since MACs are > > computed without looking into the packet. > > No. The digest length is part of the algorithm. The algorithm is carried > out-of-band. > > In other words -- when a key is configured in a router, it is configured > together with the associated algorithm. The algorithm implies a digest > length. For example, SHA-256 truncated to 128 bits is a different > algorithm than SHA-256 with full digests. > > I agree that this could be made clearer, but we're not tweaking this at > this stage. I am opposed to the blanket requirement suggested by Antonin as follows: +The length of the MAC MUST be the maximum MAC length computable by +the MAC algorithm (32 octets for both HMAC-SHA256 and keyed +BLAKE2S). Some MAC algorithms may produce very long MACs whose non-truncated use would squeeze out too much useful data. This is a factor in the engineering tradeoff that is being ignored in this suggested change. Truncated MACs are quite common in IETF protocols, although there is usually a floor size below which you are not permitted to go. And there are even arguments that a modest amount of truncation can strengthen a MAC. (Also, from a different point of view, the proposed requirement is trivially evaded because you could just define a new MAC algorithm with the truncation or other condensation of the MAC value from another MAC algorithm and say that this new MAC algorithm is what you are using.) > > 3. Lazy computation > > This is already legal — your proposed tweak doesn't violate any of the > MUST in this paragraph. I agree that your wording is better, but we're > not making this change at this stage. > > > 4. Accepting Challenges > > > When receiving a challenge reply, a node must check if there was a > > challenge in progress before validating the challenge. > > > However the text does not explicitly describe if there are changes > > to be made to the overall state when the challenge succeeds. > > Right. The obvious implementation strategy is to discard the challenge > state after a challenge has succeeded. Not doing that does not cause any > security issues (it's not required by the proof of correctness). > > I think we should add « SHOULD discard the state » here, but it requires > Donald's permission. I think adding this "SHOULD" would be too much of a change. In principle it doesn't require my permission, it requires Martin Vigoureux's permission since the draft is out of the WG and in the IESG. Since it doesn't affect correct operation, I would suggest just creating a draft-ietf-babel-hmacbis-00 draft and putting it in that. There seems to be enough WG interest in this that I don't see any need for a formal WG adoption call. 6. Timers > > I was confused at first between the "challenge expiry timer", the two > > rate limits, and the neighbour state expiry timer. I suggest, for > > consistency, the following changes: > > Right. Unfortunately, we're no longer allowed to improve the wording. I don't see any problem with typo fixes and clarifications so the changes in point 6 seem fine to me. > > 5. Replying to challenges > > > Section 4.3.1.2. Replying to challenges, the sentence [...] could be moved > > earlier > > Right again. Not worth fighting for, IMHO. > > > 7. TLV names shouldn't be pluralised > > Same. I think the changes in Section 7 would be OK also. 9. Relations with the Information Model > > The MAC draft defines (amongst other) three optionaly tunable parameters: > [...] > > Should they be reflected in the models? > > No. The protocol is robust enough that the exact values are irrelevant to > its security. Prior to writing this message, I reviewed the entire Babel hmac draft and noticed the following: In Section 4.1, the empty box in the IPv4 psuedo-header diagram bothers me. I think it should say the following in that box: Dest address (cont.) for destination address continued. But I'm not sure it is worth fixing these editorial things right now. When the draft is actually processed by the RFC Editor, all the authors will get a message including what editorial problems or ambiguities the RFC Editor thinks they have found along with a request to review the entire draft. At that point any editorial things can be cleared up. Thanks, Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 33896 USA d3e3e3@gmail.com > -- Juliusz
- Re: [babel] Comments on the MAC authentication fo… Antonin Décimo
- [babel] Comments on the MAC authentication for Ba… Antonin Décimo
- Re: [babel] Comments on the MAC authentication fo… Juliusz Chroboczek
- Re: [babel] Comments on the MAC authentication fo… David Schinazi
- Re: [babel] Comments on the MAC authentication fo… Donald Eastlake
- Re: [babel] Comments on the MAC authentication fo… Donald Eastlake
- Re: [babel] Comments on the MAC authentication fo… Juliusz Chroboczek
- Re: [babel] Comments on the MAC authentication fo… Donald Eastlake