Re: [babel] [Babel-users] MAC rekeying in babeld and information model
Toke Høiland-Jørgensen <toke@toke.dk> Fri, 17 January 2020 11:27 UTC
Return-Path: <toke@toke.dk>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ED1412001E for <babel@ietfa.amsl.com>; Fri, 17 Jan 2020 03:27:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=toke.dk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RsTQd-1xIH4 for <babel@ietfa.amsl.com>; Fri, 17 Jan 2020 03:27:12 -0800 (PST)
Received: from mail.toke.dk (mail.toke.dk [45.145.95.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F258C12001B for <babel@ietf.org>; Fri, 17 Jan 2020 03:27:11 -0800 (PST)
From: Toke Høiland-Jørgensen <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1579260429; bh=0FBznWqTkmbH9n1+yN5YJhLieR3Nd0/IbFLNfSUOvJI=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=ZtYaRn4/B4GAAgJhPlZQcCQiQORw1dfphQRLo+T1iVDZCmkdAMS3PgMWXdkLKcjGL V/x6uWAKoBz1XCzSxB8Dk8aJh7MIAGazM1oqMo2xjQsHnP/PBn88zKyrOMrW791mmh QlpRSDryXJjuUj/M6XZJdVZKHPDWeMXfgbCiD0qrPDw0dttfKrlfpcwPiNoWdyo2ei /9moBjxxVI0572xbdjC6Kr66jHcw4ZGojd4hTpN5B/5Gnnriq90j6Furz4dg+Jej9M MVjnPJF/3R+WmAgVMFBgzq8O+1BYYXRlzj9/NELdtEMKwc0HgssHXCT8rWbC55qplU PHlh28Poj9ItA==
To: Juliusz Chroboczek <jch@irif.fr>, babel-users@lists.alioth.debian.org
Cc: Barbara Stark <bs7652@att.com>, babel@ietf.org
In-Reply-To: <877e1r6y0f.wl-jch@irif.fr>
References: <877e1r6y0f.wl-jch@irif.fr>
Date: Fri, 17 Jan 2020 12:27:08 +0100
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <875zhaqq5v.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/XOahz4fuXXs-nHO4NMGdBwU8AZo>
Subject: Re: [babel] [Babel-users] MAC rekeying in babeld and information model
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 11:27:17 -0000
Juliusz Chroboczek <jch@irif.fr> writes: > Dear all, > > Antonin and I have spent the afternoon looking at his work on MAC rekeying > in babeld. His code is available in branch hmac-rekeying of > > https://github.com/MisterDA/babeld > > Now... we've got an issue with the information model. > > Following the information model, Antonin adds the following attribute to > keys: > > key-use sign|verify|both > > I'm a little puzzled by the purpose of this attribute. What usage > scenarios is it useful in? In particular, it does not appear to subsume > the sign-only interface attribute, which is useful in incremental > deployment scenarios. Hmm, I think this notion originally comes from Bird's password configuration support? https://bird.network.cz/?get_doc&v=20&f=bird-3.html - search for 'password'. I guess you could use it for a kind of asymmetrical verification procedure? I.e., a route server could have its own key that it signs with, that all peers with the route server will accept, but each peer has its own key it signs with, that the route server is set up to accept. That way the peers wouldn't peer with each other, but all go through the route server? This would not prevent malicious actors, of course (they could just start signing with the route server's key), but it could prevent accidental misconfiguration. Dunno exactly what the original intention with the Bird option is, though. I can ask on the Bird list? -Toke
- [babel] MAC rekeying in babeld and information mo… Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC rekeying in babeld … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC rekeying in babeld … STARK, BARBARA H
- Re: [babel] [Babel-users] MAC rekeying in babeld … STARK, BARBARA H
- Re: [babel] [Babel-users] MAC rekeying in babeld … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC rekeying in babeld … STARK, BARBARA H
- Re: [babel] [Babel-users] MAC rekeying in babeld … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC rekeying in babeld … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC rekeying in babeld … Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] MAC rekeying in babeld … Juliusz Chroboczek
- Re: [babel] [Babel-users] MAC rekeying in babeld … STARK, BARBARA H