Re: [babel] hmac info model elements

"STARK, BARBARA H" <bs7652@att.com> Fri, 04 January 2019 19:51 UTC

From: "STARK, BARBARA H" <bs7652@att.com>
To: 'Toke Høiland-Jørgensen' <toke@toke.dk>, Babel at IETF <babel@ietf.org>
Date: Fri, 04 Jan 2019 19:51:39 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E6114DF83500@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <2D09D61DDFA73D4C884805CC7865E6114DF7EECB@GAALPA1MSGUSRBF.ITServices.sbc.com> <87a7khxxu6.fsf@toke.dk>
In-Reply-To: <87a7khxxu6.fsf@toke.dk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/cFTvTSZbcw3PdDFLGOWpavZgPvs>
Subject: Re: [babel] hmac info model elements

> > Appendix A (incremental deployment and key rotation) indicates it should be possible to configure a mode where authenticated packets are sent but all packets are accepted.
...
> > Proposed HMAC model:
> > add to top level information-obj:
> > babel-hmac-algorithms (enumerated list of supported HMAC computation algorithms)
> >
> > security-hmac-obj
> >   security-hmac-enable (boolean: enable / disable this instance)
> >   security-hmac-mode (Boolean: do or don't authenticate received packets)
> 
> How do those two interact?

If an HMAC instance is disabled it's as if this instance doesn't exist. Its keys and hmac-mode values are irrelevant (don't care), and it causes no HMAC to be sent, expected, or checked, and no challenges to be responded to or sent.
If an HMAC instance is enabled (and there is at least one key to use for signing), then authenticated packets are always sent.
The hmac-mode toggles whether or not received packets are checked, for an enabled HMAC instance. 

> >   security-hmac-algorithm (string: one of the supported HMAC algorithms)
> >   security-interfaces (string list of references to interfaces-obj: the interfaces this instance applies to; if empty, it applies to all interfaces)
> >   security-add-hmac-key (operation: inputs (reference name, key))
> >      hmac-key-obj
> 
> IMO, we'll need two per-key booleans as well: "use for authentication"
> and "use for signing". They should be set independent of each other.

OK. We could do this either with 2 Booleans or with a single enumeration (sign-only, check-only, sign-and-check, [would an "unused" value also be needed?]). Would people prefer Booleans or an enumeration? I'm fine either way, but find enumerations easier for people to read and understand.
Barbara
> -Toke
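The semantics discussed in this thread, as an added example that is not part of the message or of any Babel implementation: an HMAC instance with the enable flag, the hmac-mode (check received packets or not), and per-key "use for signing" / "use for checking" booleans, exercised through the key-rotation phases of Appendix A. The algorithm names in `HMAC_ALGORITHMS`, the key names and secrets, and the packet bytes are constructed for this example; the instance and key classes are a model of the proposed info-model elements, not a YANG or implementation data structure. Challenge/reply exchange and packet-counter replay protection are deliberately left out so that only the enable/mode/key-role logic is shown.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed mapping from the enumerated algorithm names to hash constructors.
# The names are assumptions for this example, not values taken from the thread.
HMAC_ALGORITHMS: Dict[str, Callable] = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


@dataclass
class HmacKey:
    name: str
    secret: bytes
    use_for_signing: bool = True   # the per-key "use for signing" boolean
    use_for_checking: bool = True  # the per-key "use for authentication" boolean


@dataclass
class HmacInstance:
    enabled: bool         # security-hmac-enable
    check_received: bool  # security-hmac-mode
    algorithm: str        # security-hmac-algorithm
    keys: List[HmacKey] = field(default_factory=list)

    def _digest(self) -> Callable:
        if self.algorithm not in HMAC_ALGORITHMS:
            raise ValueError(f"unsupported HMAC algorithm: {self.algorithm}")
        return HMAC_ALGORITHMS[self.algorithm]

    def signing_keys(self) -> List[HmacKey]:
        return [k for k in self.keys if k.use_for_signing]

    def sends_authenticated(self) -> bool:
        # Enabled and at least one signing key: authenticated packets are always sent.
        return self.enabled and bool(self.signing_keys())

    def sign(self, packet: bytes) -> List[bytes]:
        """One tag per signing key; a disabled instance sends none."""
        if not self.sends_authenticated():
            return []
        digest = self._digest()
        return [hmac.new(k.secret, packet, digest).digest() for k in self.signing_keys()]

    def accept(self, packet: bytes, tags: List[bytes]) -> bool:
        """hmac-mode off (or instance disabled) accepts everything; otherwise some
        checking key must reproduce one of the received tags (constant-time compare)."""
        if not self.enabled or not self.check_received:
            return True
        digest = self._digest()
        for k in self.keys:
            if not k.use_for_checking:
                continue
            expected = hmac.new(k.secret, packet, digest).digest()
            if any(hmac.compare_digest(expected, t) for t in tags):
                return True
        return False


def rotation_walkthrough() -> Dict[str, bool]:
    """Constructed walk-through: two routers A and B rotate from k-old to k-new."""
    secrets = {"k-old": b"old-secret-0001", "k-new": b"new-secret-0002"}
    packet = b"\x02\x04\x00\x10constructed-babel-packet-body"  # constructed sample
    alg = "hmac-sha256"

    def key(name: str, sign: bool, check: bool) -> HmacKey:
        return HmacKey(name, secrets[name], sign, check)

    out: Dict[str, bool] = {}

    # Phase 1: k-new installed check-only on both routers; k-old still signs.
    a = HmacInstance(True, True, alg, [key("k-old", True, True), key("k-new", False, True)])
    b = HmacInstance(True, True, alg, [key("k-old", True, True), key("k-new", False, True)])
    out["phase1"] = a.accept(packet, b.sign(packet)) and b.accept(packet, a.sign(packet))

    # Phase 2: A now signs with k-new and keeps k-old check-only; B is unchanged.
    a = HmacInstance(True, True, alg, [key("k-old", False, True), key("k-new", True, True)])
    out["phase2"] = a.accept(packet, b.sign(packet)) and b.accept(packet, a.sign(packet))

    # Phase 3: both sign with k-new and k-old has been removed.
    a = HmacInstance(True, True, alg, [key("k-new", True, True)])
    b = HmacInstance(True, True, alg, [key("k-new", True, True)])
    out["phase3"] = a.accept(packet, b.sign(packet)) and b.accept(packet, a.sign(packet))

    # A router that still only has k-old is rejected once k-old is gone elsewhere.
    straggler = HmacInstance(True, True, alg, [key("k-old", True, True)])
    out["straggler_rejected"] = not a.accept(packet, straggler.sign(packet))

    # Incremental deployment (Appendix A): hmac-mode off sends signed, accepts unsigned.
    deploying = HmacInstance(True, False, alg, [key("k-new", True, True)])
    out["deploying_signs"] = len(deploying.sign(packet)) == 1
    out["deploying_accepts_unsigned"] = deploying.accept(packet, [])
    out["strict_rejects_unsigned"] = not a.accept(packet, [])

    # Disabled instance: keys and mode are don't-care; nothing sent, nothing checked.
    disabled = HmacInstance(False, True, alg, [key("k-new", True, True)])
    out["disabled_silent"] = disabled.sign(packet) == [] and disabled.accept(packet, [])
    return out
```

The two per-key booleans map directly onto the enumeration Barbara suggests: (True, True) is sign-and-check, (False, True) is check-only, (True, False) is sign-only, and (False, False) is the "unused" value, which is what a key looks like during the window after it has been distributed but before any router is told to check with it.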