Re: [babel] HMAC Key rotation key format (was ripemd)
Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 26 November 2018 19:44 UTC
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <D6974BC8-4314-47C0-B3D4-6ED8B4C8A528@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_68885BFD-1A88-4167-90F7-F597C6D16C79"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 26 Nov 2018 11:44:23 -0800
In-Reply-To: <CAA93jw6268QC1kmHEasJ-FbyXL_mgfQc_C-6cdksHd02ceb2Kw@mail.gmail.com>
Cc: Toke Høiland-Jørgensen <toke@toke.dk>, Babel at IETF <babel@ietf.org>, babel-users <babel-users@lists.alioth.debian.org>, Juliusz Chroboczek <jch@irif.fr>, Brian Weis <bew@cisco.com>, Keyur Patel <keyur@arrcus.com>
To: Dave Taht <dave.taht@gmail.com>
References: <CAA93jw5fHRm21yEJsabiiOF1ZP7Zh3M_gEgRo0imBOpRGhf0qA@mail.gmail.com> <87in0koun6.wl-jch@irif.fr> <87in0kx98o.fsf@toke.dk> <CAA93jw5gaYgyUX-ABX156_TnFX25Sy5SLyuRgd28fMLfRW4UHA@mail.gmail.com> <871s78x7z0.fsf@toke.dk> <CAA93jw6268QC1kmHEasJ-FbyXL_mgfQc_C-6cdksHd02ceb2Kw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/XRozuyhGN1U0rc7bEDLVeTDRzqc>
A draft proposing pair-wise key management was proposed here <https://tools.ietf.org/html/draft-mahesh-karp-kmprp-00>. It does not address the question of timestamp, but it is something that could be exchanged as part of key rollover to allow routers to calculate the delta.

Including the original authors of the draft.

> On Nov 26, 2018, at 6:21 AM, Dave Taht <dave.taht@gmail.com> wrote:
>
> To me this leaves the biggest problem remaining is key rotation. Me being me, and remembering just how hard it was to get dnssec working on systems lacking reliable time, I worry about that part. What we settled on for dnsmasq-dnssec was to write the current time to flash every day (or few hours), boot up without dnssec enabled long enough to get an ntp server... and rely on key rollover taking hours or days to *usually* get a correct result. RTCs with batteries are usually not included.
>
> that's still fragile (imagine a power failure lasting days, or a box being down for several days for repair. It happens).
>
> In the case of routing... if you don't have the correct time... and you can't get a route so you can get the correct time from ntp... then what? Do we make GPSes MTI also?
>
> Setting that aside for the moment, having a standardized file format for babel keys would be a boon and boost interoperability between bird/babel and other possible implementations. You would merely declare a key name in the main conf for bird or babel, and reference it in a separate file with a format like this:
>
> KEY START_DATE END_DATE TYPE VALUE
> name\wrfc3339\wrfc3339\wsha256|blake2s\wvalue
>
> https://tools.ietf.org/html/rfc3339
>
> administrators would push out this one standard format file to routers, strongly suggesting that UTC times be used universally and that key rollover should be staged over hours or days lest connectivity be lost. Other sanity checks like ensuring there is some form of persistent and correct time on routers using authentication are also needed.
>
> alternatives might include certs and other stuff that bears drinking about.
>
> --
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
>
> _______________________________________________
> babel mailing list
> babel@ietf.org
> https://www.ietf.org/mailman/listinfo/babel

Mahesh Jethanandani
mjethanandani@gmail.com
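The one-line-per-key format Dave sketches, and the staged rollover it is meant to support, can be made concrete. What follows is an added example written for this page; it is not code from the post, from bird or from babeld. It assumes whitespace-separated fields, `#` comments, a hex-encoded VALUE and a 16-byte minimum key length, none of which the post specifies, and it uses the HMAC construction for both TYPEs (whether a Babel implementation would use HMAC or BLAKE2s's native keyed mode is not settled on this page). The `skew_seconds` tolerance on the receiving side is one way to live with the imperfect clocks the thread worries about; the sample key file is constructed and its values are not real keys.

```python
"""Parser and key-selection logic for a key file of the form Dave sketched:

    KEY START_DATE END_DATE TYPE VALUE

Added example; not code from the post, from bird or from babeld.
Assumed (not stated in the post): fields are whitespace-separated,
'#' starts a comment, VALUE is hex, keys are at least 16 bytes.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: both TYPEs are HMAC over the named hash function.
MAC_TYPES = {"sha256": hashlib.sha256, "blake2s": hashlib.blake2s}
MIN_KEY_BYTES = 16


@dataclass(frozen=True)
class Key:
    name: str
    start: datetime
    end: datetime
    mac_type: str
    secret: bytes


def parse_rfc3339(text: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware UTC datetime. A value
    without a UTC offset is rejected: a file mixing local times from
    different routers is exactly the rollover hazard the post warns about."""
    if text[-1] in "Zz":
        text = text[:-1] + "+00:00"
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {text!r}")
    return ts.astimezone(timezone.utc)


def parse_keyfile(text: str) -> list[Key]:
    """Parse the whole file, failing on any malformed line so that a bad
    push never silently leaves a router with fewer keys than intended."""
    keys: list[Key] = []
    seen: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        name, start_s, end_s, mac_type, value = fields
        if name in seen:
            raise ValueError(f"line {lineno}: duplicate key name {name!r}")
        if mac_type not in MAC_TYPES:
            raise ValueError(f"line {lineno}: unknown TYPE {mac_type!r}")
        start, end = parse_rfc3339(start_s), parse_rfc3339(end_s)
        if end <= start:
            raise ValueError(f"line {lineno}: END_DATE is not after START_DATE")
        secret = bytes.fromhex(value)
        if len(secret) < MIN_KEY_BYTES:
            raise ValueError(f"line {lineno}: key shorter than {MIN_KEY_BYTES} bytes")
        seen.add(name)
        keys.append(Key(name, start, end, mac_type, secret))
    return keys


def accept_keys(keys: list[Key], now: datetime, skew_seconds: float = 0) -> list[Key]:
    """Keys a receiver should try at `now`. The window is widened by
    `skew_seconds` on both sides so a peer whose clock is slightly off
    is still authenticated across a rollover."""
    skew = timedelta(seconds=skew_seconds)
    return [k for k in keys if k.start - skew <= now <= k.end + skew]


def send_key(keys: list[Key], now: datetime) -> Key:
    """Key a sender should use: of the keys strictly valid at `now`, the one
    with the latest START_DATE. No skew here, so a router with a fast clock
    never starts sending with a key its peers do not yet accept."""
    valid = [k for k in keys if k.start <= now <= k.end]
    if not valid:
        raise LookupError(f"no key valid at {now.isoformat()}")
    return max(valid, key=lambda k: k.start)


def compute_mac(key: Key, packet: bytes) -> bytes:
    return hmac.new(key.secret, packet, MAC_TYPES[key.mac_type]).digest()


def verify(keys: list[Key], now: datetime, packet: bytes, mac: bytes,
           skew_seconds: float = 0) -> str | None:
    """Name of the key that authenticates `packet`, or None."""
    for k in accept_keys(keys, now, skew_seconds):
        if hmac.compare_digest(compute_mac(k, packet), mac):
            return k.name
    return None


# Constructed sample file (values are not real keys). 'old' and 'new'
# overlap by two days: routers are moved to the new file one at a time
# and keep accepting 'old' until every peer is on 'new'.
SAMPLE_KEYFILE = """\
# KEY  START_DATE            END_DATE              TYPE     VALUE
old    2018-11-01T00:00:00Z  2018-11-28T00:00:00Z  sha256   000102030405060708090a0b0c0d0e0f
new    2018-11-26T00:00:00Z  2018-12-31T00:00:00Z  blake2s  101112131415161718191a1b1c1d1e1f
"""
```

The asymmetry between `send_key` and `accept_keys` is the point: during the overlap a sender moves to the newest valid key while a receiver still accepts every key in its window, so adjacency survives as routers are switched one at a time. Skew only widens acceptance, never selection. With the sample file, a packet authenticated with `old` is still accepted an hour after `old` expires when `skew_seconds=7200`, and rejected with no skew; that is the "hours or days" margin the post recommends, expressed as a receiver-side tolerance rather than a hope that every clock is right.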