IETF Logo Mail Archive

Re: [babel] Some open HMAC issues

Toke Høiland-Jørgensen <toke@toke.dk> Fri, 13 July 2018 16:30 UTC

Return-Path: <toke@toke.dk>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 281F7130E59 for <babel@ietfa.amsl.com>; Fri, 13 Jul 2018 09:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=toke.dk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UxRN2O06G0yr for <babel@ietfa.amsl.com>; Fri, 13 Jul 2018 09:30:33 -0700 (PDT)
Received: from mail.toke.dk (mail.toke.dk [52.28.52.200]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56AE1130E01 for <babel@ietf.org>; Fri, 13 Jul 2018 09:30:33 -0700 (PDT)
From: Toke Høiland-Jørgensen <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1531499431; bh=7WNVVvKCMPGs9gg5+nBCQMIecYxMS7hcQAEOTr1bKmI=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=u47ewNoqhmoRbsDz/1v6r9mGPfsILvmt1Y+CVGvJMjnD4zzgEZele9ksv947301KZ mCtdydtoZysJZrrI+Jp8go2MQYfnXJLnGy0e5n+F7OYxDNF5CT5B5J3Ql8GRoj9Vq0 2heZ62Wo1B6us5K1nQntlxbEiyBdfdtwGgV0AROP8JN57SKEfNbKCN0JlK43aOjmIZ uJxXFtlXOJuo0IJ+gPUffTs9IMjLlcZu5FOR7wWPE+Cj7W/2eAr6ffQbdNsdmO9Rj0 V+vQ0tCZ9TQ8KezVX/a8R6V6aiRqMtf68i4cb2C6cphhLw1zvveQGk9+32IodQOu1p jjIfbUusu0lJg==
To: Juliusz Chroboczek <jch@irif.fr>, babel@ietf.org
Cc: Weronika Kołodziejak <weronika.kolodziejak@gmail.com>, Clara Dô <clarado_perso@yahoo.fr>
In-Reply-To: <87sh545st3.wl-jch@irif.fr>
References: <87sh545st3.wl-jch@irif.fr>
Date: Fri, 13 Jul 2018 18:30:31 +0200
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <87bmbb9jyw.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/NJjQh1phkpJe8OSSdEz4FqqyfVU>
Subject: Re: [babel] Some open HMAC issues
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 16:30:36 -0000

Seeing as I have now implemented the draft, I have some more opinions on
this now:

> 2. Should the HMAC cover the packet header?
>
> The Babel packet header has the following format:
>
>      0                   1                   2                   3
>      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |     Magic     |    Version    |        Body length            |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> Right now, Version is fixed at 2, but if we ever define Babel version 3,
> we might become susceptible to downgrade attacks.  I don't recall why we
> skipped the header in HMAC computation, but I think it's a bug.
>
> (As far as I can tell, 7298bis hashes the whole packet, including the
> packet trailer.)

Yes, I see now reason not to hash the whole thing.

> 5. Use of the packet trailer
>
> The HMAC TLV is carried in the packet trailer, which makes it clear which
> part of the packet is protected by HMAC and avoids the need to clear parts
> of the packet body before hashing.  (Think about extensibility -- there
> might be other TLVs in the future that must not be protected, and if
> different extensions require clearing different parts of the packet, we're
> going to end up with some pretty enjoyable code obfuscation.)
>
> Does anyone have technical arguments against the use of the packet
> trailer?  For the record, Denis didn't use a packet trailer, and David has
> expressed some mild reservations about its use (he feels that we're
> trading specification simplicity for implementation simplicity and
> extensibility, and while I agree with this, I happen to think it's the
> right tradeoff in this particular case).
>
> If we keep the trailer, well need to add something to 6126bis.  I suggest
> the following RFCese:
>
>   - the packet trailer is a sequence of TLVs, just like the packet body,
>     and the TLV number space is the same;
>   - a TLV that appears in the packet trailer MUST be ignored on reception
>     unless its definition explicitly states that it is allowed in the
>     packet trailer;
>   - the mandatory bit MUST NOT be acted upon when it appears in the packet
>     trailer; as a consequence, an implementation that doesn't grok any
>     TLVs that can appear in the trailer MAY simply ignore the packet
>     trailer without ever parsing it.

I agree that sticking the signatures in the packet trailer is the right
thing to do. The zero out / hash self / rewrite hash dance is way too
annoying. Also, when the signature is in the packet trailer the hash
check can move straight to that and ignore the rest of the packet; and
the regular parser can ignore the packet trailer and just parse the
regular TLVs.

> 8. Index and Nonce size
>
> Indices and Nonces are of variable size (up to the maximum TLV size): our
> implementation selects 80-bit values, but it will handle values of up to
> 251 resp. 255 octets (as much as fits in a TLV).
>
> While having variable-length values slightly complicates the implementation,
> I think it's a good idea:
>
>   - an implementation might want to encode a cookie in the Nonce in order
>     to have stronger DoS protection, thus needing a larger Nonce;
>   - an implementation with a stable clock might want to use a tiny Index
>     (see point 5 above).
>
> I suggest we should limit indices and nonces to 192 octets, indices and
> nonces larger than that MUST NOT be sent.  This gives enough margin to
> carry a nonce or index in a sub-TLV (which we're not currently planning to
> do, but what the heck).

Letting the nonce be of arbitrary size is fine, but doing the same thing
for the index is incredibly annoying. Since the index needs to be stored
with the same lifetime as the neighbour, making it arbitrary size means
there's another blob of dynamically assigned memory to keep track of.
Which may have to be resized later if the peer changes its index size.

If we want to allow really small indexes, that is fine, but then limit
the max size to (say) 10 bytes; that way, a buffer of the maximum size
can be statically assigned in the neighbour struct (251 or even 192
bytes is way too much for static allocation).

Or maybe just forgo the complexity entirely and make the index a fixed
size; you just know that someone is going to pick a way too small value
and make themselves susceptible to replay attacks at some point...

-Toke

v2.23.0 | Report a Bug | By Email