Re: [babel] babel-dtls: verifying "authentication"

"STARK, BARBARA H" <bs7652@att.com> Wed, 16 January 2019 13:59 UTC

From: "STARK, BARBARA H" <bs7652@att.com>
To: 'David Schinazi' <dschinazi.ietf@gmail.com>, Juliusz Chroboczek <jch@irif.fr>
CC: Babel at IETF <babel@ietf.org>
Thread-Topic: [babel] babel-dtls: verifying "authentication"
Date: Wed, 16 Jan 2019 13:58:54 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E6114DF9F064@GAALPA1MSGUSRBF.ITServices.sbc.com>
In-Reply-To: <CAPDSy+6VchLO__2SD-gnP-=d1NY_TKgb7vHPk6GGOifAuDT0Uw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/HJ-5QY8RLI_wdchYg6axf6yZNLg>

I’ve read the proposed text. It resolves my comments.
I have no other comments and support publication of the draft.
Barbara

From: David Schinazi <dschinazi.ietf@gmail.com>
Sent: Tuesday, January 15, 2019 1:12 PM
To: Juliusz Chroboczek <jch@irif.fr>
Cc: STARK, BARBARA H <bs7652@att.com>; Babel at IETF <babel@ietf.org>
Subject: Re: [babel] babel-dtls: verifying "authentication"

I just had a quick phone call with Barbara and we clarified our differences in terminology.
I have slightly tweaked the authentication text to hopefully address these:
https://github.com/jech/babel-drafts/commit/0d1fbc98e5a8a0b86e6cbe6d6757c1fbe7d6fc2d

Barbara, thanks for taking the time, and please let us know if you like the new text.

Thanks!
David

On Mon, Jan 14, 2019 at 2:24 PM Juliusz Chroboczek <jch@irif.fr> wrote:
> MUST authenticate received credentials against an internal store of
> credentials.

Sounds good to me.  Say that a router is configured with a number of
credentials, and that what authentication means depends on the exact kind
of the credential.  Give three examples -- public key, CA, pre-shared
symmetric key.  Be very clear that this list is not exhaustive, and
implementations MAY use other strategies.

> SHOULD associate router-id with credentials

No, that's too restrictive.  While 6126bis associates a router-id with
a router, router-ids are only carried by routes, so a router that doesn't
redistribute any routes does not need to carry a router-id.  Furthermore,
router-ids need not be persistent -- a router can pick a new router-id
whenever it reboots.

> MAY ensure same IP address is used to send a particular cert, after
> first use of cert

That won't work -- Babel supports having multiple interfaces on the same
link (and that actually happens quite often in radio networks, either due
to misconfiguration or for increased reliability).  IPs identify
interfaces, not routers.

> MAY support validation by certificate authority (CA) credentials
> (requires an internal store of CA credentials) used to sign received
> credentials.

Yep.  That's the second example in my list above.

> MAY support trust-on-first-use for first time an IP address is seen

That would work -- as long as we allow the same cert to be originated by
multiple IPs.

-- Juliusz
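The design points argued in the thread above (authenticate against an internal store of credentials, handle each credential kind on its own terms, and if trust-on-first-use is keyed by IP then the same credential must still be accepted from several IPs) as an added illustration; this is example code, not text from the draft or code from any Babel implementation, and the class, the SHA-256 fingerprint pinning and all key values are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample credentials: a "public key" is just opaque DER-like
# bytes here; the store pins its SHA-256 fingerprint rather than the raw key.
ROUTER_A_KEY = b"constructed-der-public-key-of-router-A"
ROUTER_B_KEY = b"constructed-der-public-key-of-router-B"
PSK_TABLE = {"site-psk-1": b"constructed-32-byte-preshared-key-value!"}


def fingerprint(key_bytes: bytes) -> str:
    return hashlib.sha256(key_bytes).hexdigest()


class CredentialStore:
    """Internal credential store a router is configured with.

    Kinds handled: pinned public keys and pre-shared symmetric keys.
    CA-signed certificates (the second example in the thread) need X.509
    chain validation and are deliberately not modelled here.
    """

    def __init__(self, pinned_keys, psks, tofu=False):
        self.pinned = {fingerprint(k) for k in pinned_keys}
        self.psks = dict(psks)
        self.tofu = tofu
        self.seen = {}  # peer IP -> fingerprint learned on first use

    def authenticate(self, peer_ip, credential):
        kind = credential[0]
        if kind == "psk":
            _, identity, key = credential
            expected = self.psks.get(identity)
            # Unknown identity fails closed; comparison is constant-time.
            return expected is not None and hmac.compare_digest(expected, key)
        if kind == "pubkey":
            fp = fingerprint(credential[1])
            if fp in self.pinned:
                return True
            if not self.tofu:
                return False
            # TOFU is keyed by peer IP, but the same credential may
            # legitimately arrive from several IPs: IPs identify interfaces,
            # not routers, and one router can have several on a link.
            learned = self.seen.setdefault(peer_ip, fp)
            return learned == fp
        return False  # unknown credential kind
```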