Re: [babel] [Last-Call] Secdir last call review of draft-ietf-babel-mac-relaxed-04

Christian Huitema <huitema@huitema.net> Sun, 09 April 2023 20:25 UTC

Message-ID: <db054e84-809e-989b-3ae1-aa0d308de3ce@huitema.net>
Date: Sun, 09 Apr 2023 13:24:45 -0700
To: Juliusz Chroboczek <jch@irif.fr>
Cc: secdir@ietf.org, babel@ietf.org, draft-ietf-babel-mac-relaxed.all@ietf.org, last-call@ietf.org
References: <168099657635.12409.14929217899829415993@ietfa.amsl.com> <87ttxpw9xm.wl-jch@irif.fr>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <87ttxpw9xm.wl-jch@irif.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/eW983nV91ltlu3hMUBFClxnBwfY>
Subject: Re: [babel] [Last-Call] Secdir last call review of draft-ietf-babel-mac-relaxed-04
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>


On 4/9/2023 4:51 AM, Juliusz Chroboczek wrote:
> Thank you for your review.  I must, however, most respectfully disagree
> with your conclusions: the protocol is not vulnerable to the attacks that
> you describe.
> 
>> In order to relax the packet counter checks used to detect duplicate messages,
>> the draft recommends doing separate checks for packets received in unicast and
>> multicast mode. However, the two modes use the same packet counter. Attackers
>> can replay in multicast mode packets sent in unicast mode, and bypass the
>> proposed check.
> No, they cannot.  If a packet originally sent to a unicast address is
> resent to a multicast address, this will be reflected in the pseudo-header
> (RFC 8967 Section 4.1).  Since the pseudo-header participates in HMAC
> computation, this will cause the HMAC test to fail (RFC 8967 Section 4.3,
> first bullet point).

You are correct. I have revised my review.

-- Christian Huitema
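
The mechanism Juliusz points to above (the destination address sits in the
pseudo-header, and the pseudo-header is covered by the HMAC), worked through as
an added example. This code is not part of the thread, of RFC 8967, or of any
Babel implementation; the addresses, the key, the index, and the PC TLV type
number are assumptions chosen for the demonstration, and the pseudo-header
layout follows my reading of RFC 8967 Section 4.1.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constants for the constructed example. The Babel port and multicast group are
# the ones RFC 8966 registers; the TLV type number and the key are assumptions.
BABEL_PORT = 6696
BABEL_MCAST = "ff02::1:6"
PC_TLV_TYPE = 17              # assumed value; confirm against the IANA Babel TLV registry
DEMO_KEY = bytes(range(32))   # constructed test key; never use a fixed key in practice


def pseudo_header(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Pseudo-header as laid out in RFC 8967 Section 4.1: source address (16 octets),
    source port (2), destination address (16), destination port (2). Only IPv6 is
    handled here; IPv4 peers would use IPv4-mapped addresses."""
    return (ipaddress.IPv6Address(src).packed + struct.pack("!H", sport)
            + ipaddress.IPv6Address(dst).packed + struct.pack("!H", dport))


def tlv(tlv_type: int, payload: bytes) -> bytes:
    """Generic Babel TLV: type (1 octet), length (1 octet), payload."""
    return struct.pack("!BB", tlv_type, len(payload)) + payload


def babel_packet(body: bytes) -> bytes:
    """Babel packet header (RFC 8966 Section 4.2): magic 42, version 2, body length."""
    return struct.pack("!BBH", 42, 2, len(body)) + body


def compute_mac(key: bytes, src: str, sport: int, dst: str, dport: int, packet: bytes) -> bytes:
    """HMAC-SHA256 over pseudo-header || packet (header and body; the trailer that
    carries the MAC TLVs is not included in the MAC input)."""
    return hmac.new(key, pseudo_header(src, sport, dst, dport) + packet, hashlib.sha256).digest()


def verify_mac(key: bytes, src: str, sport: int, dst: str, dport: int,
               packet: bytes, mac: bytes) -> bool:
    """Receiver side: recompute with the addresses and ports the packet actually
    arrived with (the receiver's own view, RFC 8967 Section 4.3) and compare in
    constant time."""
    return hmac.compare_digest(compute_mac(key, src, sport, dst, dport, packet), mac)


def replay_scenarios(key: bytes = DEMO_KEY) -> dict:
    """fe80::1 sends a unicast packet to fe80::2; report which deliveries of the
    same bytes and MAC pass the MAC check at a receiver."""
    sender, receiver = "fe80::1", "fe80::2"
    # Body: one PC TLV, 4-octet packet counter followed by an 8-octet index
    # (index length is a choice for this demo).
    body = tlv(PC_TLV_TYPE, struct.pack("!I", 1) + b"\x00" * 8)
    packet = babel_packet(body)
    mac = compute_mac(key, sender, BABEL_PORT, receiver, BABEL_PORT, packet)
    return {
        # the genuine unicast delivery verifies
        "unicast_original": verify_mac(key, sender, BABEL_PORT, receiver, BABEL_PORT, packet, mac),
        # identical bytes and MAC re-sent to the multicast group: the destination in
        # the pseudo-header differs, so the recomputed MAC does not match
        "replayed_to_multicast": verify_mac(key, sender, BABEL_PORT, BABEL_MCAST, BABEL_PORT, packet, mac),
        # identical bytes re-sent to the same unicast destination: the MAC still
        # verifies, so this replay is the PC check's job, not the MAC's
        "replayed_same_unicast": verify_mac(key, sender, BABEL_PORT, receiver, BABEL_PORT, packet, mac),
    }


if __name__ == "__main__":
    for name, ok in replay_scenarios().items():
        print(f"{name}: {'MAC ok' if ok else 'MAC rejected'}")
```

The third scenario marks the boundary of what the pseudo-header buys: a packet
replayed to the destination it was originally sent to still carries a valid MAC,
which is why the packet counter check (and the per-mode state the draft
discusses) is still needed for that case.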