[babel] Fwd: [PATCH 0/4] Add MAC authentication support to the Babel protocol

Toke Høiland-Jørgensen <toke@toke.dk> Sun, 23 February 2020 23:09 UTC

From: Toke Høiland-Jørgensen <toke@toke.dk>
To: babel@ietf.org, babel-users@alioth-lists.debian.net
References: <158249859363.84431.6477899599086019164.stgit@alrua-x1>
Date: Mon, 24 Feb 2020 00:09:16 +0100
Message-ID: <87ftf03nqb.fsf@toke.dk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/Erpa3ScOZoTiS25n4b5eJV4eJ2A>
Subject: [babel] Fwd: [PATCH 0/4] Add MAC authentication support to the Babel protocol

Hi everyone

Just an FYI: I finally found the time to respin the Bird patches to add
MAC support to Babel. I'm forwarding the cover letter to the patch
series which describes the state of the implementation. The full series
is available here:

http://trubka.network.cz/pipermail/bird-users/2020-February/014251.html

And a Github repository with the implementation for those wanting to
test it:

https://github.com/tohojo/bird/tree/babel-mac-01

Cheers,

-Toke

--- Begin Message ---
This series adds MAC authentication support to the Babel protocol as specified
by the IETF Babel working group in draft-babel-hmac-10:

https://tools.ietf.org/html/draft-ietf-babel-hmac-10

An initial RFC patch series was posted here in July 2018[0]. Since then, the
protocol specification has progressed through the IETF, to the point where it is
now in the IESG publication queue as a proposed standard RFC. This version of
the patch series updates the implementation to correspond to the final version
of the draft, and also addresses the review comments from the initial RFC patch.
The major changes are:

Major updates to the specification (for a full list see the draft appendix):

- Added Blake2s as a recommended algorithm
- Updated terminology to use MAC everywhere instead of HMAC (since Blake is not
  an HMAC algorithm).
- Added expiration of neighbours and rate limiting of challenge replies
- Updated TLV type numbers after IANA allocation

In addition, the following changes have been made to the implementation:

- Add wrapper function to bird sysdep code to pick a suitable source of random
  bytes
- Import reference Blake2 implementations into lib/
- Rename function names and data structures to use an auth_ prefix instead of hmac_
- Perform a separate authentication pass before parsing the packet, and move the
  authentication-related code to its own source file
- Enforce key length recommendation from the specification
- Add a 'permissive' configuration mode where outgoing packets are signed but
  incoming packets are accepted even though they fail authentication
- Add user documentation for the authentication configuration, and function
  docstrings to the main authentication functions
- Fix a bunch of nits and code style issues

I have performed basic interoperability testing between this implementation and
the current babeld HMAC implementation[1]. The two implementations were able to
successfully exchange authenticated messages with both HMAC-256 and Blake2s keys.

Given the above, and the close-to-final state of the specification at the IETF,
I believe this series is ready for merging (subject to review, of course). For
those wanting to test the code, a version of Bird with this series applied is
available on Github[2] for easy consumption.

Cheers,

-Toke

[0] http://trubka.network.cz/pipermail/bird-users/2018-July/012536.html
[1] https://github.com/jech/babeld/pull/52
[2] https://github.com/tohojo/bird/tree/babel-mac-01

---

Toke Høiland-Jørgensen (4):
      sysdep: Add wrapper to get random bytes
      nest: Add Blake2s and Blake2b hash functions
      babel: Refactor packet parsing code for reuse in authentication checks
      babel: Add MAC authentication support


 aclocal.m4            |   49 ++++
 conf/conf.c           |    1 
 configure.ac          |   15 +
 doc/bird.sgml         |   38 +++
 lib/Makefile          |    2 
 lib/birdlib.h         |    2 
 lib/blake2-impl.h     |  160 +++++++++++++
 lib/blake2-ref.h      |  112 +++++++++
 lib/blake2.c          |   46 ++++
 lib/blake2.h          |   67 ++++++
 lib/blake2b-ref.c     |  270 ++++++++++++++++++++++
 lib/blake2s-ref.c     |  263 ++++++++++++++++++++++
 lib/mac.c             |    7 +
 lib/mac.h             |    2 
 nest/config.Y         |    4 
 proto/babel/Doc       |    1 
 proto/babel/Makefile  |    4 
 proto/babel/auth.c    |  593 +++++++++++++++++++++++++++++++++++++++++++++++++
 proto/babel/babel.c   |   33 ++-
 proto/babel/babel.h   |   54 ++++
 proto/babel/config.Y  |   38 +++
 proto/babel/packets.c |  294 +++++++++++++-----------
 proto/babel/packets.h |   96 ++++++++
 sysdep/unix/random.c  |   78 ++++++
 24 files changed, 2068 insertions(+), 161 deletions(-)
 create mode 100644 lib/blake2-impl.h
 create mode 100644 lib/blake2-ref.h
 create mode 100644 lib/blake2.c
 create mode 100644 lib/blake2.h
 create mode 100644 lib/blake2b-ref.c
 create mode 100644 lib/blake2s-ref.c
 create mode 100644 proto/babel/auth.c
 create mode 100644 proto/babel/packets.h

--- End Message ---
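As an added illustration, not code from Bird or from the patch series above, here is a Python sketch of the receive-side behaviour the cover letter describes: a separate authentication pass that checks the trailer MAC TLVs against every configured key before any body TLV is parsed, with HMAC-SHA256 and keyed BLAKE2s-128 both supported, a permissive mode that accepts but flags failures, and a key-length check. It follows the draft's MAC computation as I understand it (pseudo-header of addresses and ports, then packet header and body, trailer excluded); the MAC TLV type 16 is the IANA number from the published RFC as I recall it, the key-length bounds are placeholders rather than the draft's values, and the packet, addresses and keys are constructed samples.

```python
import hashlib
import hmac
import struct

TLV_MAC = 16                        # MAC TLV type number (IANA allocation, RFC 8967)
BABEL_MAGIC, BABEL_VERSION = 42, 2
KEY_LEN = {"hmac-sha256": (16, 64), "blake2s128": (16, 32)}  # placeholder bounds, not the draft's

def compute_mac(alg: str, key: bytes, ph: bytes, signed: bytes) -> bytes:
    lo, hi = KEY_LEN[alg]
    if not lo <= len(key) <= hi:
        raise ValueError(f"{alg} key must be {lo}..{hi} bytes")
    if alg == "hmac-sha256":
        return hmac.new(key, ph + signed, hashlib.sha256).digest()
    # keyed BLAKE2s with a 128-bit digest: a MAC, but not an HMAC construction
    return hashlib.blake2s(ph + signed, digest_size=16, key=key).digest()

def split_packet(datagram: bytes):  # -> (header+body, trailer TLVs); body TLVs are not parsed
    magic, version, body_len = struct.unpack("!BBH", datagram[:4])
    if magic != BABEL_MAGIC or version != BABEL_VERSION or len(datagram) < 4 + body_len:
        raise ValueError("malformed Babel packet")
    signed, trailer, tlvs = datagram[:4 + body_len], datagram[4 + body_len:], []
    while trailer:
        if trailer[0] == 0:                          # Pad1
            trailer = trailer[1:]; continue
        if len(trailer) < 2 or len(trailer) < 2 + trailer[1]:
            raise ValueError("truncated trailer TLV")
        tlvs.append((trailer[0], trailer[2:2 + trailer[1]]))
        trailer = trailer[2 + trailer[1]:]
    return signed, tlvs

def sign(datagram: bytes, keys, ph: bytes) -> bytes:  # rebuild trailer: one MAC TLV per key
    signed, _ = split_packet(datagram)
    macs = [compute_mac(alg, key, ph, signed) for alg, key in keys]
    return signed + b"".join(struct.pack("!BB", TLV_MAC, len(m)) + m for m in macs)

def authenticate(datagram: bytes, keys, ph: bytes, permissive=False):  # -> (accepted, authenticated)
    signed, tlvs = split_packet(datagram)
    macs = [v for t, v in tlvs if t == TLV_MAC]
    for alg, key in keys:
        want = compute_mac(alg, key, ph, signed)
        if any(hmac.compare_digest(want, m) for m in macs):
            return True, True
    return permissive, False             # permissive mode: accept, but the packet was not authenticated

# Constructed sample: header (magic 42, version 2, body length 8) + one Hello TLV (type 4, length 6)
SAMPLE = bytes([42, 2, 0, 8, 4, 6, 0, 0, 0, 1, 0, 100])
SRC, DST = b"\xfe\x80" + b"\0" * 13 + b"\x01", b"\xff\x02" + b"\0" * 13 + b"\x06"
PH = SRC + struct.pack("!H", 6696) + DST + struct.pack("!H", 6696)  # src addr, src port, dst addr, dst port
KEYS = [("hmac-sha256", b"K" * 32), ("blake2s128", b"B" * 16)]
```

Because the pseudo-header is part of the MACed data, a packet replayed towards a different destination port or address fails verification even when its bytes are untouched.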