IETF Logo Mail Archive

Re: [babel] Babel-MAC: Blake2s is 128-bits by default

Gabriel Kerneis <kerneis@google.com> Mon, 16 November 2020 11:52 UTC

Return-Path: <kerneis@google.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6855F3A0D69 for <babel@ietfa.amsl.com>; Mon, 16 Nov 2020 03:52:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qPoIrKr_PYSE for <babel@ietfa.amsl.com>; Mon, 16 Nov 2020 03:52:44 -0800 (PST)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58AF53A0D65 for <babel@ietf.org>; Mon, 16 Nov 2020 03:52:44 -0800 (PST)
Received: by mail-wr1-x430.google.com with SMTP id m6so1196085wrg.7 for <babel@ietf.org>; Mon, 16 Nov 2020 03:52:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=//gzltKJmWyz7kPz4lzwIi8qh2qAxFFPziKIu5sHSw4=; b=u/eR2TjOjWcPSRoWeuZTc2+1BMSRSvl5S9UeIC5TuNVKkE+S38fKEEUsj1+GZmD6M2 Ay0aoVavkJn8m40YIc4u+zoRjDbybX0v5WVLHObZLthrlmyK0/mP3G+BCzO+J9CG/rQx vPRB/1o6CYNKuqWjAT6aD/6jXkF53jxn95LgnuvCz9YcW4GvWuc1T7/w48DUJT8xBrbu EVpQyYEcA6lAu04d6245V2cP4IyuC3ek/B4i+NpOGkdEFRNpW5GzCp7CZzkxEg15Hp21 lBTVOdFkVL89eUlhMXfvGq4wltdvPp3Dh8zQY7jqKokqEEDfO1eMViVhE8Hgk0ZpL5Zc +VZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=//gzltKJmWyz7kPz4lzwIi8qh2qAxFFPziKIu5sHSw4=; b=OXqUVNjOuSD+Xq7tr31m1zQPFF94HaibaFID/q75pnTsc0uPW6yzUsh8lXfj/ghdTs 3ZcApJrimd95tsR7j99ponCJhIml1DcOXTyCdwd6TzRRSE1g9d5QulTd1eRXkr2cZJCS itNH2SasRmX70s8q6J4cnHAAaKBS5yACU/5sN/C7t/v8+sdn5r73B5DItm8GFRTq5og5 yq+e33JyD1IpIOHpuOi/wTPD9e8LNg1VuSqAJQ6jI9mPZpdFq5PKeYd3oU0P/BwX1hsC sAROmNft9/BMrbipP0P1Z/hU7URoSilVqqPjkELXYJMPnHbXUPYguvqOZzPf2aC3mXVm 6j7Q==
X-Gm-Message-State: AOAM533n4CSsEwMJRnLcvof+UpHBriXdJyVCCu+ZTaa46ikyI18gihF9 wMYjyQi/tsOk8CQKklFQ2D4k2Oe1Bwt2k913C/gnmQ==
X-Google-Smtp-Source: ABdhPJyv5mqhM+tY44coKTdWrBe8KWGYJOqA5o+K9DigzQnvO4oQpPtz+NJ2rKdEsBNTSc25cKL2OC9p1hQ30DqRNMo=
X-Received: by 2002:a5d:448a:: with SMTP id j10mr18054159wrq.33.1605527562407; Mon, 16 Nov 2020 03:52:42 -0800 (PST)
MIME-Version: 1.0
References: <87d00qungk.wl-jch@irif.fr> <87h7q2f6a2.fsf@toke.dk> <87o8jya4jz.wl-jch@irif.fr> <CAF4+nEHHcUsO6x2DPzs2FTzg-PsFfMOfp-8LWRBxLGpPT=hz8A@mail.gmail.com>
In-Reply-To: <CAF4+nEHHcUsO6x2DPzs2FTzg-PsFfMOfp-8LWRBxLGpPT=hz8A@mail.gmail.com>
From: Gabriel Kerneis <kerneis@google.com>
Date: Mon, 16 Nov 2020 12:52:06 +0100
Message-ID: <CAL0WyWydyf1JwYTZVBf+tsW7wawMJmVwM_Fo8oF_sUrX7oTr5A@mail.gmail.com>
To: Donald Eastlake <d3e3e3@gmail.com>
Cc: Juliusz Chroboczek <jch@irif.fr>, Babel at IETF <babel@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000092cf905b4380427"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/LTheeT-NOEwt2dxFOq10_ddenRc>
Subject: Re: [babel] Babel-MAC: Blake2s is 128-bits by default
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 11:52:46 -0000

I'm sorry I didn't reply earlier on this thread. Even before Juliusz'
email, the consensus seemed odd to me, for the reasons he outlined and I
intended to raise this up. Note that I have not taken part in any
implementation Babel, and I am basing my opinion purely on the facts laid
out in this thread. I think blake2s should use 128-bit signatures.

Gabriel Kerneis


On Mon, Nov 16, 2020 at 5:28 AM Donald Eastlake <d3e3e3@gmail.com> wrote:

> H Juliusz,
>
> Speaking as a WG participant, I think your argument make sense and I
> would supporting going in the direction you suggest.
>
> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 <(508)%20333-2270> (cell)
>  2386 Panoramic Circle, Apopka, FL 32703 USA
>  d3e3e3@gmail.com
>
> On Sun, Nov 15, 2020 at 12:55 PM Juliusz Chroboczek <jch@irif.fr> wrote:
> >
> > After reading your replies, and thinking it over carefully, I disagree
> > with the apparent consensus.  I think Blake2s in Babel-MAC should use
> > 128-bit keys, as in the initial implementation.  Please hear me out.
> >
> > Toke and Dave originally suggested adding Blake2s to Babel-HMAC for two
> > reasons:
> >
> >   - it is more computationally lightweight on platforms that don't
> >     implement SHA-256 in hardware;
> >   - it may serve as a fallback if SHA2 is ever broken.
> >
> > While I am still not quite convinced by these arguments, I've agreed to
> > add the SHOULD Blake2s and to implement Blake2s for the following
> reasons:
> >
> >   - it serves as a good example of adding a new algorithm to Babel-MAC;
> >   - with 128-bit signatures, it is useful on low-rate networks, which
> >     Babel is commonly used with.
> >
> > For these reasons, we implemented Blake2s with 128-bit signatures.
> > Unfortunately, some confusion ensued, Toke implemented Blake2s with
> > 256-bit signatures, Antonin changed our implementation to interoperate
> > with Toke's (without discussing the issue with me beforehand), hence the
> > current situation.
> >
> > If Blake2s uses 256-bit signatures, then I see little convincing reason
> to
> > keep it around in addition to SHA-256.  For this reason, I recommend the
> > following course of action:
> >
> >   1. Toke agrees to switch to 128-bit Blake2s signatures;
> >   2. we discard Antonin's branch (which is just a private branch), and do
> >      128-bit Blake2s signatures instead;
> >   3. during AUTH48, I make the clarification that the SHOULD implement
> >      applies to 128-bit signatures.
> >
> > Two more points.  First, under no circumstances will I go against WG
> > consensus on this point -- if the WG strongly believes that the SHOULD
> > applies to 256-bit signatures, I will naturally follow the consensus.
> > Second, Babel-HMAC is an extensible protocol, so even if the RFC ends up
> > recommending n-bit signatures, nothing prevents a given implementation
> > from implementing m-bit signatures in addition to the RFC-recommended
> > n-bit signatures.
> >
> > Sorry again for the confusion.
> >
> > -- Juliusz
> >
> > _______________________________________________
> > babel mailing list
> > babel@ietf.org
> > https://www.ietf.org/mailman/listinfo/babel
>
> _______________________________________________
> babel mailing list
> babel@ietf.org
> https://www.ietf.org/mailman/listinfo/babel
>

v2.23.0 | Report a Bug | By Email