Re: [babel] [Babel-users] Babel MAC auth fails due to packet reordering

Juliusz Chroboczek <jch@irif.fr> Sat, 07 May 2022 13:09 UTC

Date: Sat, 07 May 2022 15:09:03 +0200
Message-ID: <87v8uhqykw.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Toke Høiland-Jørgensen <toke=40toke.dk@dmarc.ietf.org>
Cc: babel-users@alioth-lists.debian.net, babel@ietf.org, Daniel Gröber <dxld@darkboxed.org>
In-Reply-To: <87sfpl1t9g.fsf@toke.dk>
References: <20220505085059.mxbt3ssvryxw4doh@House> <87ilqj52bz.fsf@toke.dk> <20220506034354.kpj3rwkyw7rj2oe3@House> <874k233pwi.fsf@toke.dk> <87mtfufmet.wl-jch@irif.fr> <87wney1aw7.fsf@toke.dk> <87czgqfb6m.wl-jch@irif.fr> <87sfpl1t9g.fsf@toke.dk>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.1 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/g9v3f0HcVYZyvlwXzL_1zN3cpxs>
Subject: Re: [babel] [Babel-users] Babel MAC auth fails due to packet reordering

> Ah, I see! Okay, that makes sense. Also, it occurred to me that the
> window-based approach likely isn't enough when there are multiple
> neighbours and you do unicast updates, as then another neighbour can eat
> up a whole chunk of PC number space that you never see.

Exactly.  The sender maintains just one (index, PC) state per interface,
not one state per destination.  (In constrained environments, you could in
principle have just one state for all interfaces, although that's not
allowed by the RFC as it is currently written.)

> However, what about other sources of reordering? Should we still do
> window-based verification to deal with this?

We might add it as an option to the document you suggest.  I'm not
currently planning to add it to babeld, but I might change my mind if new
evidence that it is needed surfaces.  OK?

> Also, I guess this could all be described in a "relaxed PC verification
> to deal with reordering" document that could be optional to implement
> (i.e., you could still be compliant with RFC 8967 if you don't implement
> it)?

I tend to agree, but I'd rather we did the implementation first, to see
how it goes.

>> Expect on the order of 60 routes per packet. 64 packets gives you on
>> the order of 3800 routes.

> Right. Which is a lot for a local mesh network, but not a lot for the
> internet.

OTOH, you should be spreading the updates over the whole length of the
update interval to avoid sending bursts of packets.  It's been on my to-do
list for babeld for a long time, but I never got around to implementing it.

> Do you have any insights into typical sizes of real-world babel
> deployments in terms of the number of routes?

Nexedi have around 1000 routers.  I don't know how many routes they're
advertising in total.

-- Juliusz
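The thread above contrasts RFC 8967's strict packet-counter (PC) check with a relaxed "window-based" check that tolerates reordering, and notes that a sender keeps one (index, PC) state per interface, so unicast packets to another neighbour consume PC values the receiver never sees. The following is an added example written for this page, not babeld's or the RFC's code: a simplified receiver-side model of both checks, with the window variant modelled on the IPsec anti-replay bitmap. The 64-packet window (the figure used in the thread), the `Sender` class, the index value and the `run_scenario` traffic pattern are all constructed assumptions; challenge handling is reduced to an `establish` call.

```python
"""Strict vs. window-based PC verification for Babel MAC authentication.

Constructed example (not babeld code). Models the receiver side of RFC 8967
PC checking: strict verification, where the stored PC must strictly
increase, and a relaxed sliding-window variant modelled on the IPsec
anti-replay window, which the thread discusses as an optional extension
and which is NOT part of RFC 8967 as written.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    index: bytes  # sender's index from the PC TLV
    pc: int       # packet counter from the PC TLV
    dst: str      # "A" or "B": constructed for the demo only


class StrictVerifier:
    """Per-neighbour receiver state: accept only when the index matches and
    the PC is strictly greater than the last accepted one."""

    def __init__(self) -> None:
        self.index: Optional[bytes] = None
        self.pc: Optional[int] = None

    def establish(self, index: bytes, pc: int) -> None:
        """Install state after a successful challenge exchange (simplified)."""
        self.index, self.pc = index, pc

    def check(self, pkt: Packet) -> str:
        if self.index != pkt.index:
            # Unknown or changed index: state must be (re)established via a
            # challenge; the packet is not accepted here.
            return "challenge"
        if pkt.pc <= self.pc:
            return "drop"  # replayed OR merely reordered: strict cannot tell
        self.pc = pkt.pc
        return "accept"


class WindowVerifier(StrictVerifier):
    """Relaxed variant (assumption: the thread's 'window-based approach'):
    a bitmap of the last WINDOW PCs lets a packet that arrives behind the
    highest PC be accepted exactly once, so reordering is tolerated but a
    replay within the window is still dropped."""

    WINDOW = 64  # 64 packets, the window size used in the thread

    def __init__(self) -> None:
        super().__init__()
        self.seen = 0  # bit i set  =>  PC (self.pc - i) already accepted

    def establish(self, index: bytes, pc: int) -> None:
        super().establish(index, pc)
        self.seen = 1

    def check(self, pkt: Packet) -> str:
        if self.index != pkt.index:
            return "challenge"
        if pkt.pc > self.pc:
            # Jump forward (possibly far, if other neighbours consumed PCs):
            # slide the bitmap and mark the new highest PC as seen.
            shift = pkt.pc - self.pc
            self.seen = ((self.seen << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.pc = pkt.pc
            return "accept"
        offset = self.pc - pkt.pc
        if offset >= self.WINDOW:
            return "drop"  # too far behind to distinguish replay from delay
        if self.seen & (1 << offset):
            return "drop"  # already accepted once: a replay
        self.seen |= 1 << offset
        return "accept"


class Sender:
    """One (index, PC) state per interface, shared by every destination."""

    def __init__(self, index: bytes) -> None:
        self.index, self.pc = index, 0

    def send(self, dst: str) -> Packet:
        self.pc += 1
        return Packet(self.index, self.pc, dst)


def run_scenario(verifier_cls) -> list:
    """Neighbour A verifies packets from a sender that also unicasts to B.
    Returns A's verdicts in arrival order (constructed traffic pattern)."""
    sender = Sender(b"idx-1")  # constructed index value
    a = verifier_cls()
    a.establish(sender.index, 0)  # pretend the challenge exchange succeeded
    verdicts = []
    p1, p2 = sender.send("A"), sender.send("A")
    verdicts.append(a.check(p2))  # p2 overtakes p1 on the wire
    verdicts.append(a.check(p1))  # late p1: strict drops it, window accepts
    verdicts.append(a.check(p1))  # replay of p1: both drop it
    p3 = sender.send("A")         # delayed in the network...
    for _ in range(100):
        sender.send("B")          # ...while unicast to B eats 100 PCs
    p104 = sender.send("A")
    verdicts.append(a.check(p104))  # jump forward by 102: both accept
    verdicts.append(a.check(p3))    # 101 behind: outside the 64 window too
    p105, p106 = sender.send("A"), sender.send("A")
    verdicts.append(a.check(p106))
    verdicts.append(a.check(p105))  # reordered again, inside the window
    return verdicts


if __name__ == "__main__":
    for cls in (StrictVerifier, WindowVerifier):
        print(cls.__name__, run_scenario(cls))
```

Running the scenario shows the two points the thread makes: strict verification drops the reordered packet outright, the window variant accepts it once and still rejects its replay, and a packet delayed behind a run of unicast traffic to another neighbour falls outside even a 64-packet window, which is why the per-interface PC state limits what a window can recover.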