Re: [babel] Purpose of 'generate from/to' and 'accept from/to' for passwords?

Ondrej Zajicek <santiago@crfreenet.org> Mon, 20 January 2020 19:01 UTC

Date: Mon, 20 Jan 2020 20:01:42 +0100
From: Ondrej Zajicek <santiago@crfreenet.org>
To: Toke Høiland-Jørgensen <toke@toke.dk>
Cc: bird-users@network.cz, babel@ietf.org
Message-ID: <20200120190142.GV2475@feanor.crfreenet.org>
References: <87lfq2nle1.fsf@toke.dk>
In-Reply-To: <87lfq2nle1.fsf@toke.dk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/J0pKhh3sKOJgcF32xgsdiYHQ1Kc>

On Mon, Jan 20, 2020 at 05:27:34PM +0100, Toke Høiland-Jørgensen wrote:
> Hi Bird people
> 
> When specifying passwords for protocol authentication in the Bird
> config, it is possible to specify time windows in which the password
> will be used to sign messages (the 'generate from/to' configuration
> options), and a separate time window in which that password will be
> accepted to authenticate a packet (the 'accept from/to' options).
> 
> My question is this: What is the purpose of having these two time
> intervals be separate? I.e., in what deployment scenario is it useful to
> have a password be accepted to authenticate a message, without also
> using that password to sign outgoing messages?

Hi

Well, it is a requirement of the OSPF spec (RFC 2328). I could assume it could
help for smoother key transitions when clocks are not perfectly synchronized.

Personally, if I had to do key rotation, I would only use 'generate
from', as 'generate to' is implicit by the presence of a newer valid key, and
'accept from/to' could be unlimited during the transition, while the key would
be removed later after the transition.

For systems with dynamic key selection (in contrast to BIRD, where keys
are in the config file), it would perhaps make sense to merge 'accept to'
with automatic removal of the key from the keylist.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
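The rotation strategy described in the reply (new key gets only 'generate from', old key keeps an unbounded 'accept' window), modelled as an added example that is not BIRD's code. The selection policy, that among currently generating keys the one with the latest 'generate from' signs, is an assumption, as are the key material and timestamps.

```python
# Added example (not BIRD code): a model of BIRD-style password windows that
# shows why 'generate from' alone plus an open-ended 'accept' window survives
# clock skew during a rollover, while a hard 'accept to' on the old key does not.
# Assumption: among keys whose generate window contains 'now', the one with the
# latest 'generate from' signs outgoing packets.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, List, Set

@dataclass
class Password:
    id: int
    secret: bytes
    generate_from: Optional[datetime] = None   # None means open-ended
    generate_to: Optional[datetime] = None
    accept_from: Optional[datetime] = None
    accept_to: Optional[datetime] = None

def _in_window(t: datetime, start: Optional[datetime], end: Optional[datetime]) -> bool:
    return (start is None or start <= t) and (end is None or t < end)

def signing_key(keys: List[Password], now: datetime) -> Optional[Password]:
    """Key used to sign outgoing packets at 'now', or None if nothing is valid."""
    cands = [k for k in keys if _in_window(now, k.generate_from, k.generate_to)]
    if not cands:
        return None
    # Newest 'generate from' wins; an unset 'generate from' counts as oldest.
    return max(cands, key=lambda k: (k.generate_from or datetime.min, k.id))

def accepted_ids(keys: List[Password], now: datetime) -> Set[int]:
    """Ids of keys that verify an incoming packet at 'now'."""
    return {k.id for k in keys if _in_window(now, k.accept_from, k.accept_to)}

def transition_ok(keys: List[Password], peer_now: datetime, own_now: datetime) -> bool:
    """Does a packet a peer signs at its clock 'peer_now' verify at our clock 'own_now'?"""
    k = signing_key(keys, peer_now)
    return k is not None and k.id in accepted_ids(keys, own_now)

T0 = datetime(2020, 1, 20, 19, 0)                     # constructed rollover instant
SKEW = timedelta(minutes=10)                          # constructed clock skew

# Strategy from the reply: old key accepted without limit, new key 'generate from' only.
ROTATION = [
    Password(1, b"old-secret"),                        # constructed secret
    Password(2, b"new-secret", generate_from=T0),      # 'generate to' of key 1 is implicit
]
# Contrast: old key cut off at T0 on the accept side as well.
STRICT = [
    Password(1, b"old-secret", accept_to=T0),
    Password(2, b"new-secret", generate_from=T0),
]
```

`transition_ok(ROTATION, T0 - SKEW, T0 + SKEW)` holds, since a peer whose clock is behind still signs with key 1 and we still accept it; the same call on `STRICT` fails.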