Re: [babel] [Babel-users] MAC auth. for Babel in babeld
Toke Høiland-Jørgensen <toke@toke.dk> Mon, 28 September 2020 15:45 UTC
Return-Path: <toke@toke.dk>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EB473A1275 for <babel@ietfa.amsl.com>; Mon, 28 Sep 2020 08:45:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=toke.dk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8mno_vkrYj0 for <babel@ietfa.amsl.com>; Mon, 28 Sep 2020 08:45:48 -0700 (PDT)
Received: from mail.toke.dk (mail.toke.dk [IPv6:2a0c:4d80:42:2001::664]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E9A53A0FB0 for <babel@ietf.org>; Mon, 28 Sep 2020 08:45:48 -0700 (PDT)
From: Toke Høiland-Jørgensen <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1601307945; bh=RnZEg3UH1vyjyFhhksFeevLtqHJg0LeZ8HsRdLTJHZo=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=ZeLZ/Ckn6jZRuHNdbNd/Y26SW/UBQZushlcFLnLIZg8BKMnrXm/LovE4Al48yGNVM MKWpFK0cfufy4OnledO0oRDLIYSzyVu593yl5/CSwuGfIkxlK2SjGydwpB7Il4QYqN jwV8i84Ro5zUrp701H/Su6QJj/sMKWwjFRvZFbpt/NofakyvvG1E9iqQF4fPcSo4tj tTaBNf02BJe+KfoFS1TpGVN3jZE3otx0lFX5LJjMRHE9YzlWVMKHtkGjqv+ob94qXb hxOVJjgzoqU7LGs7EUtkY8KlejmVv4gCClEq0Q7UJ/4KSqKRjvhxmi1zr9h3EWgY5p RCSsU5wLPJl0g==
To: Juliusz Chroboczek <jch@irif.fr>
Cc: Antonin Décimo <antonin.decimo@gmail.com>, Babel at IETF <babel@ietf.org>, babel-users <babel-users@lists.alioth.debian.org>
In-Reply-To: <87d025vryk.wl-jch@irif.fr>
References: <C5Z1FPOCNQW3.2QYFDONBPHNF9@kobain> <87h7ri3r17.fsf@toke.dk> <87d025vryk.wl-jch@irif.fr>
Date: Mon, 28 Sep 2020 17:45:45 +0200
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <87363152hi.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/VNtu33opaGnviM4RPm7FybqhT-8>
Subject: Re: [babel] [Babel-users] MAC auth. for Babel in babeld
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2020 15:45:51 -0000
Juliusz Chroboczek <jch@irif.fr> writes: >> You could simply reject 'mac true' if no key is configured (i.e., reject >> interface bring-up or reconfig, as appropriate depending on context). > > Suppose you were running Babel together with a keying daemon. Say, one > that periodically performs an authenticated supersingular isogeny > Diffie-Helman exchange and then feeds the resulting key to the Babel > daemon. > > You could of course delay starting the Babel daemon until you got yourself > a non-empty set of keys, but wouldn't it be more robust to start Babel in > authenticated mode with no keys (which would cause it to drop packets) and > then incrementally feed it keys as they are learned? Hmm, not sure I have any opinion about which would be more robust off the top of my head. But I can see your point that someone might implement it that way; and I suppose I could be convinced that such a configuration could be allowed, as long as it fails safe, of course. I think that at least emitting a clear warning on startup would help users avoid the most common configuration errors, though... -Toke
- [babel] MAC auth. for Babel in babeld Antonin Décimo
- Re: [babel] MAC auth. for Babel in babeld Juliusz Chroboczek
- Re: [babel] MAC auth. for Babel in babeld Juliusz Chroboczek
- Re: [babel] MAC auth. for Babel in babeld Antonin Décimo
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC auth. for Babel in … Antonin Décimo
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC auth. for Babel in … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC auth. for Babel in … Antonin Décimo
- Re: [babel] [Babel-users] MAC auth. for Babel in … Antonin Décimo
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC auth. for Babel in … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC auth. for Babel in … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC auth. for Babel in … Toke Høiland-Jørgensen