Re: [babel] Early review on draft-ietf-babel-dtls ...
David Schinazi <dschinazi.ietf@gmail.com> Fri, 02 November 2018 03:28 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6FDB129BBF for <babel@ietfa.amsl.com>; Thu, 1 Nov 2018 20:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qnKtZxah9oGv for <babel@ietfa.amsl.com>; Thu, 1 Nov 2018 20:28:06 -0700 (PDT)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 467B8129AB8 for <babel@ietf.org>; Thu, 1 Nov 2018 20:28:06 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id b5-v6so328317pla.6 for <babel@ietf.org>; Thu, 01 Nov 2018 20:28:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=LdULo6rj3Iu+8WxHEwsp5cDEV1LcyzH/81NLm+K1MIU=; b=h5NxAWfuJODLjhLGp5+Cp0psaS3e4WOAQ88GJauyrw1/9Kug1drNfJVy8XVojTvWX0 ZTxUmVvJg7dtAGvpiXxJinCf/AP9Ynt0mpGNDta29zQho7EYK+3BB1a69mKbRPCdG2rv kuhZNz7Tetvr0l71bw+d7iD3zPy1WGXouGjRb1Yz/Zc18H/ZHW++++5Sv7L5YoOYSPGk +DfRnZeQEZxgHoonOiqETQkgqPyzlm55Q0WP/awefArsfJMMD9gZ5lwYUt05LKqj/M9J yMhuVjOxYvNfNm/T+wApDXk0+Vf0H1msR5/bwyMsMfVnHioDpJU4kaBVuxZs3gZ1rOdB uFxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=LdULo6rj3Iu+8WxHEwsp5cDEV1LcyzH/81NLm+K1MIU=; b=eljUuNurFp6iMuwBpxKYbzehgIdMfK7AnD6andfoI5LlABjXEI349EATqtwIkWYLwW wxjVsJ0p1lVxYMFOuWW/S2x6wyepazRSC3FdJ4HmBouwjXMZF14bw+wsv4wV1QI/POVB BVm3Frxp+U15DqyG2gua3FzcxTu+6nDtoAGyUYhUaaqT2lPuUi96oxEaGHPakUi0Cu/b KrbC8IPlZl+qk9I706gTTpHc+L1W8n7tDuN5rXsdonaZ+7CTvNp7WgLmoQj00G6pZ3Ke SjL4S5WRDeENoArAX2sX8MF9+5rugiyq9ixn5DR6C/bnnMBlCdNJ/lj/HQYV4nfbqUdC Uysw==
X-Gm-Message-State: AGRZ1gLXjwmmii608+c2nQ16K/CoGfN7HNaObdrfnRfqtIiBvLpU0SVQ dletqkCoNRTlwlJTHXYutcngSs4Wun9WrzhBkCwCAXEX
X-Google-Smtp-Source: AJdET5fwmDiBye+QifOgMUoopMdH397iFOIV1+UQ4jC/I5yv3a/u++wM0YxEJgB32/4jM81bYCDV5B6GJArxYUI/QM0=
X-Received: by 2002:a17:902:a58c:: with SMTP id az12-v6mr10017203plb.266.1541129285533; Thu, 01 Nov 2018 20:28:05 -0700 (PDT)
MIME-Version: 1.0
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 01 Nov 2018 20:27:54 -0700
Message-ID: <CAPDSy+5OFw0bNyBZagY0abX04RLBKO=VYA9rur_Rgc4EvM7e2Q@mail.gmail.com>
To: babel@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009e04f50579a61f18"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/UKUL0LD0gbZh1m9-DltPvNWwkuE>
Subject: Re: [babel] Early review on draft-ietf-babel-dtls ...
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2018 03:28:09 -0000
Hi everyone, Juliusz pointed out that I forgot to mention a change that went into -01: it is now forbidden to send IHU unencrypted. This has the advantage of preventing reverse reachability from being established with an untrusted peer, and makes the security boundary of the protocol much simpler to reason about. One side effect is that the RTT extension now needs to use unicast hellos inside the encryption, which should not be an issue. Please let us know if you have comments on this change. Thanks, David On Oct 08, 2018, at 12:25, David Schinazi <dschinazi@apple.com> wrote: > Thank you for your review, Tony. > The authors have updated the draft to incorporate your comments: > https://tools.ietf.org/html/draft-ietf-babel-dtls-01 > A diff between -00 and -01 is available here: > https://www.ietf.org/rfcdiff?url2=draft-ietf-babel-dtls-01 > (note that the links above may take a few minutes to be functional) > Thanks, > David > On Sep 26, 2018, at 14:37, Antoni Przygienda <prz@juniper.net> wrote: >> I have been selected to do a routing directorate “early” review of this >> draft. >> https://datatracker.ietf.org/doc/draft-ietf-babel-dtls >> >> Document: draft-ietf-babel-dtls >> Reviewer: Tony Przygienda >> Intended Status: STD >> Summary: >> Choose from this list... >> I have some minor concerns about this document that I think should be >> resolved before it is submitted to the IESG. Concerns are not defects but >> basically request for some clarification in document and reconsideration on >> minor issues >> Comments: >> · Draft makes inherent sense, of significance for future work in >> the routing area IMO for other protocols if the security requirements for >> routing keep on tightening >> · I think that the draft will benefit from an explicit >> justification why I solution based on SHA-1 cannot satisfy the security >> profile desired. Reading the draft I assumed that the main requirement was >> confidentiality which was incorrect. Discussions with the authors let to >> quite interesting insights that should be captured in the draft IMO. > > · The section explaining that all the babel frames must be >> unicast with DTLS could benefit from a small rewrite to read easier >> · I recommend the authors to rethink where they want to change >> base spec babel MTU by a hard offset. Even the DTLS can evolve in a >> Backwards compatible manner changing sizes. From experience with tunnels >> and routing protocols it may be better to just keep the original spec and >> imply than an implementation supporting DTLS has to deal with the according >> size overhead >> >> thanks >> >> --- tony > >
- [babel] Early review on draft-ietf-babel-dtls ... Antoni Przygienda
- Re: [babel] Early review on draft-ietf-babel-dtls… David Schinazi
- Re: [babel] Early review on draft-ietf-babel-dtls… David Schinazi