IETF Logo Mail Archive

[babel] Comments on the MAC authentication for Babel draft

Antonin Décimo <antonin.decimo@gmail.com> Wed, 26 August 2020 09:46 UTC

Return-Path: <antonin.decimo@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE8F23A1148 for <babel@ietfa.amsl.com>; Wed, 26 Aug 2020 02:46:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDdr3skWBE8O for <babel@ietfa.amsl.com>; Wed, 26 Aug 2020 02:46:34 -0700 (PDT)
Received: from mail-oo1-xc32.google.com (mail-oo1-xc32.google.com [IPv6:2607:f8b0:4864:20::c32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0B7A3A1147 for <babel@ietf.org>; Wed, 26 Aug 2020 02:46:34 -0700 (PDT)
Received: by mail-oo1-xc32.google.com with SMTP id y30so305450ooj.3 for <babel@ietf.org>; Wed, 26 Aug 2020 02:46:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=eQ5oYafWE2yTI5cgKVfHNdPWiIfj3L5rn3UPj0Kf1lQ=; b=EB9J47a/1oTHeZz4W3NT0oCtL0ZEGYypadLl18uqXLx8RKbgrEQY1ECYSJqDUaYajQ JI1IRZVCd7TnrguH8MsuxQHSzoUdSgC/vhGo3QBWFT+dq79E02jZsgf7FudowlQr8H7u /wh86dr3ZEfNw2q5wlqaYW8ZDJwpNBJu5TNlb4w1JPEr4gvmOxSlqskiGfV/hhmwV4yI Y3Jc1E+GvVeprSWZQzbP0Yjlkue1WFXGWs/heVPvddIvDO/HbKjHOi5uizJK/7YvWBoh L2UV1X9na5nLRI8NFiMSo25tX7P3ewNHcK1/wMQXmbdiu9kTxao93k/Q4+zPnNWdhjXg lJTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=eQ5oYafWE2yTI5cgKVfHNdPWiIfj3L5rn3UPj0Kf1lQ=; b=NXQVyVDrYDFFp6Ij7+8QHJBFzsxJ/gVLuFKv6EKo2v0B/AKIS8q+E+zdpUpMofdeXs daytvqNw3htP+oHJL9RAU/k/fnXk9PcN3/+pcOXxlT3mf1u/6L+2/uS6HsYY5gDyBIq8 x5HKUSd3bFv1kCmj4sjwsXXyf9sMa3xWK1ZtLP2nzVYZectHT/BcC8QoKjSZn5H6cIWt pqil/ETfv0VJhBcOi0Nvh1YGw3n7WgC+PojLO8oj5NZeRvySHmlXLILzvniCvjBMwiSp dDvoowK5m4SI544UaK58jenkjiXH1llp0Ymd8DHf17IJdynCVQ3rFpAaFMMQi42qh38j m9JA==
X-Gm-Message-State: AOAM531C8xPyZRNsJhkdJPRw6pSD67jDbYcSagIE/dIFPOa4taV+rDa0 13FGECyl2Ao3HCKgXZ2GQxywDpza56oPT64gZL45R0ItfmY=
X-Google-Smtp-Source: ABdhPJx5/UotIdfbD5n3Oql/bQOSo5z2pTIsgcp0YHPG1rjOtPy0mLxgkIpisO72TC+/QoEOxHcf9EDANqcWHVV2ZTM=
X-Received: by 2002:a4a:3312:: with SMTP id q18mr91449ooq.20.1598435193548; Wed, 26 Aug 2020 02:46:33 -0700 (PDT)
MIME-Version: 1.0
From: Antonin Décimo <antonin.decimo@gmail.com>
Date: Wed, 26 Aug 2020 11:51:13 +0200
Message-ID: <CAC=54B+aJAZ3KhSUAjJyXiAujzHarRCDYXcERLx3gkHswJ6Sgg@mail.gmail.com>
To: Babel at IETF <babel@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e8752205adc4b161"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/ZfKZkJ6ejwlOFoXv9C1r7qcQJoE>
Subject: [babel] Comments on the MAC authentication for Babel draft
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2020 09:46:37 -0000

Hello all,

I have some comments on the MAC authentication for Babel draft.
The first three date from 2020-12-28, the others are new.


1. Key length

This is the change I'm proposing in §7:

 Keys must be chosen in a manner that makes them difficult to guess.
-Ideally, they should have a length of 32 octets (both for HMAC-SHA256
-and Blake2s), and be chosen randomly.
+Ideally, they should be chosen randomly, and have the maximum key
+length supported by the MAC algorithm (32 octets for keyed BLAKE2S)
+or no less than the block size of the MAC algorithm (64 octets for
+HMAC-SHA256).


2. Digest length

Reading the length of the MAC TLV in order to compute a MAC of this
length is not compliant with the protocol (§4.3) since MACs are
computed without looking into the packet.

> Then, for each key configured on the receiving interface, the
> receiver computes the MAC of the packet. It then compares every
> generated MAC against every MAC included in the packet;

Still, it was an error I was almost going to make. I propose the
following change to ensure that we're always using the maximum digest
length of the MAC algorithm.

This is the change I'm proposing in §4.1:

 implementation MUST implement HMAC-SHA256 as defined in
 <xref target="RFC6234"/> and Section 2 of <xref target="RFC2104"/>,
 SHOULD implement keyed BLAKE2s <xref target="RFC7693"/>, and MAY implement
 other MAC algorithms.
+The length of the MAC MUST be the maximum MAC length computable by
+the MAC algorithm (32 octets for both HMAC-SHA256 and keyed
+BLAKE2S).


3. Lazy computation

With the idea that computing a MAC is more costly than comparing MACs,
and that there's a very limited amount of MACs to check, I propose we
lazily compute MACs. Instead of computing the MAC for every key on
packet reception, we compute the MAC with the first key, then check it
against the MACs carried by the packet. If there's a match, the packet
is immediately accepted. If there's no match, we the proceed to the
next key until all keys are exhausted, and the packet is rejected.

This is the change I'm proposing in §4.3:

-Then, for each key configured on the receiving interface, the
-receiver computes the MAC of the packet.  It then compares every
-generated MAC against every MAC included in the packet; if there is
-at least one match, the packet passes the MAC test; if there is none,
-the packet MUST be silently dropped and processing stops at this
-point.
+Then, for each key configured on the receiving interface, the
+receiver computes the MAC of the packet and compares it against every
+MAC included in the packet; if there is at least one match, the
+packet passes the MAC test; if there is none, the receiver proceeds
+with the next key.  If none of the MAC matched, the packet MUST be
+silently dropped and processing stops at this point.


4. Accepting Challenges

When receiving a challenge reply, a node must check if there was a
challenge in progress before validating the challenge.

§ 3.2 Neighbour table
> The Nonce and expiry timer are initially undefined

§ 4.3.1.3. Receiving challenge replies
> If no challenge is in progress, i.e., if there is no Nonce stored in
> the Neighbour Table entry or the Challenge timer has expired, the
> Challenge Reply MUST be silently ignored and the challenge has
> failed.

However the text does not explicitly describe if there are changes
to be made to the overall state when the challenge succeeds.

> Otherwise, the node compares the Nonce contained in the Challenge
> Reply with the Nonce contained in the Neighbour Table entry. If the
> two are equal (they have the same length and content), then the
> challenge has succeeded; otherwise, the challenge has failed.

As it is not possible to have a running or expired timer and an
uninitialised Nonce field, I think that the timer should be
initialised in the "expired" state. The "challenge is in progress"
test can be simplified to "is the timer expired?", and then if the
challenge succeeds, the timer should be set into the "expired" state,
so that duplicated or incorrect challenge replies are rejected.


5. Replying to challenges

Section 4.3.1.2. Replying to challenges, the sentence

> A challenge sent to a multicast address MUST be silently ignored.

could be moved earlier, as it describes a case where the challenge
request should be ignored, but it is after the text indicating how to
construct and send a challenge reply.


6. Timers

I was confused at first between the "challenge expiry timer", the two
rate limits, and the neighbour state expiry timer. I suggest, for
consistency, the following changes:

section 3.2:
- The Nonce and expiry timer are initially undefined
+ The Nonce and challenge expiry timer are initially undefined

section 4.3.1.3
- the Challenge timer has expired
+ the challenge timer has expired


7. TLV names shouldn't be pluralised

Section 4.3
- ignored except PC TLVs, Challenge Requests and Challenge Replies.
+ ignored except PC, Challenge Request, and Challenge Reply TLVs.

- 4.3.1.  Challenge Requests and Replies
+ 4.3.1.  Challenge requests and replies


8. Consistency

Section 6.2
replace "4 octet" with "4-octet" (single dash)

Section 7
- nonces included in challenge requests and responses can
+ nonces included in challenge requests and replies can


9. Relations with the Information Model

The MAC draft defines (amongst other) three optionaly tunable parameters:
- the rate limit for sending Challenge Replies;
- the rate limit for sending Challenge Requests;
- various strategies for expiring neighbour state, with their own
  tunable parameters.
Should they be reflected in the models?


All the best,

-- Antonin

v2.23.0 | Report a Bug | By Email