IETF Logo Mail Archive

Re: [babel] Some open HMAC issues

David Schinazi <dschinazi@apple.com> Mon, 02 July 2018 17:05 UTC

Return-Path: <dschinazi@apple.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B774130F47 for <babel@ietfa.amsl.com>; Mon, 2 Jul 2018 10:05:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkTF5dmlGm2g for <babel@ietfa.amsl.com>; Mon, 2 Jul 2018 10:05:56 -0700 (PDT)
Received: from mail-in2.apple.com (mail-out2.apple.com [17.151.62.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 051A8130F1E for <babel@ietf.org>; Mon, 2 Jul 2018 10:05:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1530551155; x=2394464755; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=CdrUjWaJQmjmjJ4dQ21BP4tftZ/BFwqff95foH7kjj0=; b=jaAWyYvrWzldaIVH/1PVQMUZikE9pix9VPU9uBEQctI/9mdOTGP4AsaYvy4AKJYu 5empfI5QUcwxeRK3oNack21OegAd00HA3Iy1nld00+trSvYXuV5PnrDmnsukFN1Q 0WNnuYT+2Pk2V0hBq6FeNcsvNOgq4t3hh6kvaVHxXeRkNYkKuLZTRkoLK1AQf6gZ ZFIq/sOciC8UQnO5PPHeLY0cZNBQeg1Vha//uV16O2EIxZR/UC4qQFBUMb5Wac9A GX6tNRL+2W7c79RHqTuQghKEOdY/kPygA1gLy2stSls4c8j+oGBDaoM8zV2x0Bpv 3Sy0eIRF44xp8Hl6zuwwRA==;
X-AuditID: 11973e11-a14739e000005b22-19-5b3a5b7239ab
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) (using TLS with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail-in2.apple.com (Apple Secure Mail Relay) with SMTP id D6.A4.23330.27B5A3B5; Mon, 2 Jul 2018 10:05:55 -0700 (PDT)
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"
Received: from nwk-mmpp-sz13.apple.com (nwk-mmpp-sz13.apple.com [17.128.115.216]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PB900A490TKYMB0@ma1-mtap-s02.corp.apple.com>; Mon, 02 Jul 2018 10:05:45 -0700 (PDT)
Received: from process_viserion-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PB900C00075TZ00@nwk-mmpp-sz13.apple.com>; Mon, 02 Jul 2018 10:05:44 -0700 (PDT)
X-Va-CD: 0
X-Va-ID: eddd1ece-aebd-4f66-b283-a7046282f1dd
X-V-A:
X-V-T-CD: 319a1c775657bc6582695a36a4aadeb6
X-V-E-CD: 25db9c8def847da5f3c8f83d464a40b5
X-V-R-CD: fbd4a3ecf174248f2009b74dbcdd7cb8
X-V-CD: 0
X-V-ID: 1f407799-3296-48c9-93bd-2c18d6aabad1
Received: from process_milters-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PB900L000TGDX00@nwk-mmpp-sz13.apple.com>; Mon, 02 Jul 2018 10:05:42 -0700 (PDT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-07-02_05:,, signatures=0
X-Proofpoint-Scanner-Instance: nwk-grpmailp-qapp14.corp.apple.com-10000_instance1
Received: from [17.234.91.176] by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PB900FQJ0SECH10@nwk-mmpp-sz13.apple.com>; Mon, 02 Jul 2018 10:05:04 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
In-reply-to: <87d0w5ingo.fsf@toke.dk>
Date: Mon, 02 Jul 2018 10:05:01 -0700
Cc: Juliusz Chroboczek <jch@irif.fr>, Weronika Kołodziejak <weronika.kolodziejak@gmail.com>, Clara Dô <clarado_perso@yahoo.fr>, babel@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <375EE128-E5F3-487C-9A9E-89A8C976489F@apple.com>
References: <87sh545st3.wl-jch@irif.fr> <411E2C9F-A910-4899-8DD7-92C0C85EBC54@apple.com> <87sh523xy8.wl-jch@irif.fr> <7E5E0D4C-0049-47D1-ACFA-31EA0F843237@apple.com> <87d0w5ingo.fsf@toke.dk>
To: Toke Høiland-Jørgensen <toke@toke.dk>
X-Mailer: Apple Mail (2.3445.9.1)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrAIsWRmVeSWpSXmKPExsUiqOHDplscbRVt0L+G2WLLom4Wiw2X1zFb zG9dxmax9f0KdosPn+6wOrB67Jx1l91jyZKfTB6Lt7xl9Nhy6CKbx6vpD9kDWKO4bFJSczLL Uov07RK4MhZeWctUsJCt4lnrQqYGxmbWLkZODgkBE4ljDxaxdTFycQgJ7GOSeN19gx0kwSsg KPFj8j2WLkYODmYBdYkpU3IhajYySdzp/8QM4XQxSfy9/5kdYhKXxIKtp6Gm6krsn/aYDcJm k1h/YgkTyCAJAS2JhbcNIcJaEr0XFrDA2O1/fkC1ckqc/zKRHaJcR2LuWXGIVZ1MEl/u/WSG qMmW6J8zGcoOlji5rpEdougro0TrkyNg9wgLSEt0XbjLCjJIGGjBhRVWICYbkHlgjRFIBaeA qsTzzsNgY1iA7PddX8DhwCywmVHiz/RmsASzgLbEk3cXWCFhYiPR0HyYCWLXIUaJTwsegD0g ImAv0fj1AtQzihL9aw6xTWCUnYUUjrMQ4TgLydgFjMyrGIVyEzNzdDPzjPQSCwpyUvWS83M3 MYKSwHQ7wR2Mx1dZHWIU4GBU4uG9oGgVLcSaWFZcmXuIUZqDRUmc1yzJNFpIID2xJDU7NbUg tSi+qDQntfgQIxMHp1QD44e3r9i3B86zX7ZgjZqYLafpbnb2yBq7dMn33+4GLdq8q9z2r0+V /7o3ui53Vz1cGbpjyooFsb+mJzNl6GZkWgW8M/z4/gnDnUeWfpxbN0e8WHzq8jztWY5HZykd vrd3l+F5bu0Zkdn/z3V+32j08OLbezkOQm/W7xM6kjhdh8P7jWPrBM2YvSeUWIozEg21mIuK EwE0THKa4wIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/CKcsvM7CW_4BHeqAdTpCxMKDU8k>
Subject: Re: [babel] Some open HMAC issues
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2018 17:05:57 -0000

> On Jul 2, 2018, at 09:58, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> 
> But why is it needed? It's just one more thing to configure, which makes
> configuration more verbose and prone to errors...

Without a KeyID, the receiving complexity is proportional to the number of
configured keys. That means that nodes configured with n keys not
only spend O(n) times more CPU per received packet, they are also n times
more vulnerable to DoS attacks. This becomes a tradeoff between
- better performance, slightly better security
OR
- slightly easier configuration, two bytes saved on the wire

I'm not advocating that this is absolutely necessary, but I'd like to
discuss the pros and cons in case people think of other ways this
is better or worse.

David

v2.23.0 | Report a Bug | By Email