IETF Logo Mail Archive

[babel] Mirja Kühlewind's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)

Mirja Kühlewind via Datatracker <noreply@ietf.org> Wed, 07 August 2019 12:18 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: babel@ietf.org
Delivered-To: babel@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9063212001B; Wed, 7 Aug 2019 05:18:00 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Mirja Kühlewind via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-babel-hmac@ietf.org, Donald Eastlake <d3e3e3@gmail.com>, babel-chairs@ietf.org, d3e3e3@gmail.com, babel@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Mirja Kühlewind <ietf@kuehlewind.net>
Message-ID: <156518028058.8361.10940272410936686016.idtracker@ietfa.amsl.com>
Date: Wed, 07 Aug 2019 05:18:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/O7ctl14iGet9qHJfORS4J805XL4>
Subject: [babel] Mirja Kühlewind's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2019 12:18:01 -0000

Mirja Kühlewind has entered the following ballot position for
draft-ietf-babel-hmac-08: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-babel-hmac/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I would like to quickly discuss the following approach taken in section 4.3.1.1:
   "Since a challenge may be prompted by a packet replayed by an
   attacker, a node MUST impose a rate limitation to the challenges it
   sends; the limit SHOULD default to one challenge request every 300ms,
   and MAY be configurable."
While it is important to limit challenge messages here, there might be a better
approach than static rate-limiting given this is a request-response mechanism.
Usually the approach is to only allow for one outstanding request (without
reply) and apply some kind of loss detect/termination rule. In your case the
easiest approach would be when the 30 sec timer is expired, or if the RTT is
known (or can be estimated) then a value of e.g. 3xRTT could be appropriate as
well. Please consider this alternative approach. Maybe also see RFC8085 for
further guidance.

Further Appendix A (Incremental deployment and key rotation) contains normative
language and therefore should probably be moved into the body of the document.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

The shepherd write-up says: "This document updates the rfc6126bis draft as
noted on the title page and in the Abstract." However, that seems not to be the
case...?

This brings me to a separate question I would like to ask: Why is this an
extension in a separate document and not an (optional) part of rfc6126bis?

v2.23.0 | Report a Bug | By Email