Re: [babel] Some open HMAC issues
Juliusz Chroboczek <jch@irif.fr> Sun, 15 July 2018 00:08 UTC
Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3968130E29 for <babel@ietfa.amsl.com>; Sat, 14 Jul 2018 17:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhF3JknUBibY for <babel@ietfa.amsl.com>; Sat, 14 Jul 2018 17:08:16 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C40C130DDD for <babel@ietf.org>; Sat, 14 Jul 2018 17:08:15 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/75695) with ESMTP id w6F07WSQ015518; Sun, 15 Jul 2018 02:07:32 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id D150CEB22D; Sun, 15 Jul 2018 02:08:13 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id UF4EWU-xwpWQ; Sun, 15 Jul 2018 02:08:12 +0200 (CEST)
Received: from trurl.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 978A7EB200; Sun, 15 Jul 2018 02:08:12 +0200 (CEST)
Date: Sun, 15 Jul 2018 02:08:12 +0200
Message-ID: <87sh4luzrn.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Toke Høiland-Jørgensen <toke@toke.dk>
Cc: babel@ietf.org, Weronika Kołodziejak <weronika.kolodziejak@gmail.com>, Clara Dô <clarado_perso@yahoo.fr>
In-Reply-To: <87bmbb9jyw.fsf@toke.dk>
References: <87sh545st3.wl-jch@irif.fr> <87bmbb9jyw.fsf@toke.dk>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Sun, 15 Jul 2018 02:07:32 +0200 (CEST)
X-Miltered: at korolev with ID 5B4A9044.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5B4A9044.001 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5B4A9044.001 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/V8HZq6b8_Rec_XJvYmO-vKMqQpU>
Subject: Re: [babel] Some open HMAC issues
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jul 2018 00:08:19 -0000
>> 2. Should the HMAC cover the packet header? > Yes, I see now reason not to hash the whole thing. Fully agreed. That's what draft-do-...-00 says, and what we've implemented (not very well, by the way). >> 5. Use of the packet trailer > I agree that sticking the signatures in the packet trailer is the right > thing to do. The zero out / hash self / rewrite hash dance is way too > annoying. Also, when the signature is in the packet trailer the hash > check can move straight to that and ignore the rest of the packet; and > the regular parser can ignore the packet trailer and just parse the > regular TLVs. That's what I think too, but David disagreed last time I asked him. Since you agree with me, I think I'm going to insist on this one. (I assume your implementation correctly drops all non-HMAC TLVs from the packet trailer, including PAD1.) >> 8. Index and Nonce size > Letting the nonce be of arbitrary size is fine, but doing the same thing > for the index is incredibly annoying. Since the index needs to be stored > with the same lifetime as the neighbour, making it arbitrary size means > there's another blob of dynamically assigned memory to keep track of. > Which may have to be resized later if the peer changes its index size. I think we have some time to decide, but here's a few arguments both ways. 1. We really want nonces to be of arbitrary size, so implementations have the space to encode a cookie if they're concerned about DoS. 2. Having nonces of arbitrary size implies dynamic allocation. At any rate, you need dynamic allocation for nonces, since they're short-lived and per-neighbour. 3. You do want to allow tiny indices (unless we adopt Markus' proposal), since some implementations will want to save bytes on the wire by using a real-time clock. 4. I don't see any good reason right now for long indices (more than 16 bytes, say). So right now (likely to change in the future), I'd argue for: - variable size nonces with no size limit; - variable size indices. I haven't made an opinion yet on whether we want a limit to the size of indices. > If we want to allow really small indexes, that is fine, but then limit > the max size to (say) 10 bytes; that way, a buffer of the maximum size > can be statically assigned in the neighbour struct (251 or even 192 > bytes is way too much for static allocation). Agreed. > Or maybe just forgo the complexity entirely and make the index a fixed > size; you just know that someone is going to pick a way too small value > and make themselves susceptible to replay attacks at some point... Disagreed. -- Juliusz
- Re: [babel] Some open HMAC issues Markus Stenberg
- [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Dave Taht
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues David Schinazi
- [babel] Packet trailer [was: Some open HMAC issue… Juliusz Chroboczek
- Re: [babel] Packet trailer [was: Some open HMAC i… David Schinazi
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Packet trailer [was: Some open HMAC i… Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen