IETF Logo Mail Archive

Re: [babel] Some open HMAC issues

David Schinazi <dschinazi@apple.com> Tue, 03 July 2018 00:06 UTC

Return-Path: <dschinazi@apple.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F8F2130FF5 for <babel@ietfa.amsl.com>; Mon, 2 Jul 2018 17:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JKGX5zuMff81 for <babel@ietfa.amsl.com>; Mon, 2 Jul 2018 17:06:06 -0700 (PDT)
Received: from mail-in4.apple.com (mail-out4.apple.com [17.151.62.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D89D8130E1D for <babel@ietf.org>; Mon, 2 Jul 2018 17:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1530576363; x=2394489963; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=fqMiGsxr7Sg33T6fVY4Uv3WWlNh3/pmRmRdRNfJT/f4=; b=aayZulHsD+XwYmbKQV/OMZfSBKhjGp5BKEOXMyb+1VmbgLX5O19bmcn9S0ztty+y TVtrP0I634WYazNYAFp+SSUz3SxqoA8LsSqJUgi4tqaXzM/JoZlcZnwDyCYKa8P2 S4Lij/0XWZaITuuNTyLErFtCIy3NHMjdbjOW5fau8O6zmYl5dBn6Yb424OPbotCE WDV7azo8P2/y5XnywmxJwT5FdeNnLvYCm/t+yhgq/M8vEFOYJcZG2pBn+Kh0ucQh ArtJ7eSKSVsXxsshhQQgn+EcL9qr6RDv+Eg7IKo5Y2ULllqh3p7/pU/oRJkkLzd6 Ng22gAaGOQ6f8VhjMYIPqA==;
X-AuditID: 11973e12-9e9ff700000010b7-c6-5b3abdebf014
Received: from mr2-mtap-s03.rno.apple.com (mr2-mtap-s03.rno.apple.com [17.179.226.135]) (using TLS with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail-in4.apple.com (Apple Secure Mail Relay) with SMTP id DA.B4.04279.BEDBA3B5; Mon, 2 Jul 2018 17:06:03 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; CHARSET="US-ASCII"
Received: from nwk-mmpp-sz13.apple.com (nwk-mmpp-sz13.apple.com [17.128.115.216]) by mr2-mtap-s03.rno.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PB900K75KA3JQ50@mr2-mtap-s03.rno.apple.com>; Mon, 02 Jul 2018 17:06:03 -0700 (PDT)
Received: from process_viserion-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PB900K00K0GEX00@nwk-mmpp-sz13.apple.com>; Mon, 02 Jul 2018 17:06:03 -0700 (PDT)
X-Va-CD: 0
X-Va-ID: e9588a0c-67be-44bf-89e9-de7cbd2c12f3
X-V-A:
X-V-T-CD: 7d6566e1ce32e60bd701207e1252a9a5
X-V-E-CD: 25db9c8def847da5f3c8f83d464a40b5
X-V-R-CD: fbd4a3ecf174248f2009b74dbcdd7cb8
X-V-CD: 0
X-V-ID: c748ea1a-d3a8-412e-8416-d6ff22f3c919
Received: from process_milters-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PB900E00JMKU900@nwk-mmpp-sz13.apple.com>; Mon, 02 Jul 2018 17:06:01 -0700 (PDT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-07-02_08:,, signatures=0
X-Proofpoint-Scanner-Instance: nwk-grpmailp-qapp18.corp.apple.com-10000_instance1
Received: from [17.192.155.180] by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PB900B7IKA1FEA0@nwk-mmpp-sz13.apple.com>; Mon, 02 Jul 2018 17:06:01 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
In-reply-to: <87po05p57w.wl-jch@irif.fr>
Date: Mon, 02 Jul 2018 17:06:00 -0700
Cc: babel@ietf.org
Message-id: <7E81074A-F3BB-470A-8197-C4195AE806DC@apple.com>
References: <87sh545st3.wl-jch@irif.fr> <411E2C9F-A910-4899-8DD7-92C0C85EBC54@apple.com> <87sh523xy8.wl-jch@irif.fr> <7E5E0D4C-0049-47D1-ACFA-31EA0F843237@apple.com> <87d0w5ingo.fsf@toke.dk> <375EE128-E5F3-487C-9A9E-89A8C976489F@apple.com> <87po05p57w.wl-jch@irif.fr>
To: Juliusz Chroboczek <jch@irif.fr>
X-Mailer: Apple Mail (2.3445.9.1)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrIIsWRmVeSWpSXmKPExsUiuPlRu+7rvVbRBjv2m1hsWdTNYjG/dRmb A5PHkiU/mTwWb3nLGMAUxWWTkpqTWZZapG+XwJXx4uoz1oK1IhWfp05nbWDsE+hi5OSQEDCR +HL3M2MXIxeHkMABJomvl24ygyR4BQQlfky+x9LFyMHBLCAvcfC8LEiYWUBL4vujVhaI+vVM EucnHWSCcLqYJPp/bGGCmMolsWDraVYIW1fi4fX3UDabxPoTS6BqtCSebn/OCmP3XljAAmO3 //kBFeeUOP9lIjuErSOx+usDsOOEBDqZJDruBEHEsyXWft7ICHKohECwxP63yhD3fGOUuLhi BdgcYQFpia4Ld1lBaoSB5l9YYQVisgGZB9YYgVRwCmhInHjXDXYBi4CqRG//TjaIf4Ukzlyb wQIJEhuJeceuskKMn8gkcWQlxDkiAioSy6c9gzpTUaJ/zSG2CYyys5CCcRYiGGchBeMCRuZV jEK5iZk5upl5JnqJBQU5qXrJ+bmbGEFxPN1OaAfjqVVWhxgFOBiVeHgvKFpFC7EmlhVX5h5i lOZgURLnNUsyjRYSSE8sSc1OTS1ILYovKs1JLT7EyMTBKdXAuHHviauv2Jjyb+044V79f8Kv ybGZC/7ePdUV+1+4JfnfJ/vX0+7tL1o85WIcw6mLxU/+FHi8tJkvsXFCvsIWHbnvETdDS3Zu Od/ZefWLt5y8Q6Bjq+mKRzWJ73/caoowjUwvY0rfKvN38VL59Sp6LHsVb6zNYRDhros7GOa/ 8eKVfA8Gpv63m5VYijMSDbWYi4oTAXexZPTEAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/CNNZEpaPZABgU2UHzrQikK5bs1I>
Subject: Re: [babel] Some open HMAC issues
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 00:06:09 -0000

> On Jul 2, 2018, at 16:50, Juliusz Chroboczek <jch@irif.fr> wrote:
> 
>>> But why is it needed? It's just one more thing to configure, which makes
>>> configuration more verbose and prone to errors...
> 
>> Without a KeyID, the receiving complexity is proportional to the number of
>> configured keys. That means that nodes configured with n keys not
>> only spend O(n) times more CPU per received packet,
> 
> Where n is just the number of keys configured, and not something an
> attacker can control (see Sections 1.1 and 4.3 of draft-do-babel-hmac).
> In practice, I expect n to be usually just 1, and at most 2 during key
> rotation.

In homenet there was discussion of pairwise symmetric keys
distributed via HNCP. So n could be quadratic in the number of routers.

> Without an explicit KeyID, the set of keys is just a set -- it can be
> implemented for example as a directory of keys, where adding a new key is
> just an scp to the directory, or it can be implemented as a set of TLVs
> flooded by HNCP, where adding a key consists in flooding a new TLV.

If you have a TLV you use to deploy the key, you can deploy the KeyID as
the first two bytes of that TLV. That way both the KeyID and key are flooded
together.

> If you have an explicit KeyID, then you need to make sure that the KeyID
> is consistent among all of the routers in a given security domain.  You
> can no longer just scp the key,

KeyID does not prevent scp, just put the keyID in the name:
scp my_new_secret.key babel-router42.local:/etc/babeld/keys/foo-12345.key

> you need to pick a KeyID that is currently
> unused.  If you're using an automated distribution protocol, then the
> protocol must be able to choose a KeyID that is currently unused not only
> by nodes that participate in said protocol, but also by nodes that don't.

I don't see why. Having a KeyID conflict just means you'll try both keys.

> Worse is better, David.  It is better to have a protocol that has a slight
> inefficiency but is easy to deploy and to manage, than a protocol that is
> slightly more efficient but that nobody will want to deploy because of the
> very significant complications due to the KeyID.

I'm less worried about efficiency and more about robustness to DoS.

An implementation is free to always send KeyID as 42 and silently drop
any HMAC TLV KeyID that isn't 42 if it can't handle the complexity.

In general I agree with your position that adding unnecessary
complexity is bad. But here I'm not sure I agree with how much complexity
this actually represents.

David

v2.23.0 | Report a Bug | By Email