Re: [babel] [Babel-users] MAC rekeying in babeld and information model

"STARK, BARBARA H" <bs7652@att.com> Fri, 17 January 2020 15:14 UTC

Return-Path: <bs7652@att.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 235C3120077 for <babel@ietfa.amsl.com>; Fri, 17 Jan 2020 07:14:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t4DLgorhS9JP for <babel@ietfa.amsl.com>; Fri, 17 Jan 2020 07:14:04 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AC85120018 for <babel@ietf.org>; Fri, 17 Jan 2020 07:14:04 -0800 (PST)
Received: from pps.filterd (m0049287.ppops.net [127.0.0.1]) by m0049287.ppops.net-00191d01. (8.16.0.42/8.16.0.42) with SMTP id 00HF92Uu012454; Fri, 17 Jan 2020 10:14:04 -0500
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049287.ppops.net-00191d01. with ESMTP id 2xk0sn5w1g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 17 Jan 2020 10:14:03 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 00HFE2kn019840; Fri, 17 Jan 2020 10:14:02 -0500
Received: from zlp30485.vci.att.com (zlp30485.vci.att.com [135.47.91.178]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 00HFDu2W019739 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 17 Jan 2020 10:13:56 -0500
Received: from zlp30485.vci.att.com (zlp30485.vci.att.com [127.0.0.1]) by zlp30485.vci.att.com (Service) with ESMTP id 23C91400AE37; Fri, 17 Jan 2020 15:13:56 +0000 (GMT)
Received: from GAALPA1MSGHUBAG.ITServices.sbc.com (unknown [130.8.218.156]) by zlp30485.vci.att.com (Service) with ESMTPS id 0EF3C400AE36; Fri, 17 Jan 2020 15:13:56 +0000 (GMT)
Received: from GAALPA1MSGUSRBF.ITServices.sbc.com ([169.254.5.85]) by GAALPA1MSGHUBAG.ITServices.sbc.com ([130.8.218.156]) with mapi id 14.03.0468.000; Fri, 17 Jan 2020 10:13:55 -0500
From: "STARK, BARBARA H" <bs7652@att.com>
To: =?iso-8859-1?Q?=27Toke_H=F8iland-J=F8rgensen=27?= <toke@toke.dk>, "'Juliusz Chroboczek'" <jch@irif.fr>, "'babel-users@lists.alioth.debian.org'" <babel-users@lists.alioth.debian.org>
CC: "'babel@ietf.org'" <babel@ietf.org>
Thread-Topic: [Babel-users] MAC rekeying in babeld and information model
Thread-Index: AQHVzJ0q8jDHxzeyx0S6Gir5zXgjYKfvDLIA///hz8CAAAgi8A==
Date: Fri, 17 Jan 2020 15:13:54 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E611537542C9@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <877e1r6y0f.wl-jch@irif.fr> <875zhaqq5v.fsf@toke.dk> <2D09D61DDFA73D4C884805CC7865E61153754234@GAALPA1MSGUSRBF.ITServices.sbc.com>
In-Reply-To: <2D09D61DDFA73D4C884805CC7865E61153754234@GAALPA1MSGUSRBF.ITServices.sbc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.107.145]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.572 definitions=2020-01-17_03:2020-01-16, 2020-01-17 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 lowpriorityscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 adultscore=0 mlxlogscore=999 spamscore=0 suspectscore=0 phishscore=0 impostorscore=0 bulkscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-2001170119
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/jGM67fb4T9tW271dUsJZyaGGuOw>
Subject: Re: [babel] [Babel-users] MAC rekeying in babeld and information model
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 15:14:06 -0000

BTW, I just looked at the -10 revision of 
https://tools.ietf.org/html/draft-ietf-babel-information-model-10

Since that revision has Boolean (true/false) parameters of babel-key-use-sign and babel-key-use-verify (but not key-use with values of sign/verify/both), I did want to be sure we were talking about the right model revision.
Barbara

> From: STARK, BARBARA H
> 
> > From: Toke Høiland-Jørgensen <toke@toke.dk>
> >
> > Juliusz Chroboczek <jch@irif.fr> writes:
> >
> > > Dear all,
> > >
> > > Antonin and I have spent the afternoon looking at his work on MAC
> > > rekeying in babeld.  His code is available in branch hmac-rekeying
> > > of
> > >
> > > <URL mauled by AT&T mail system>
> > >
> > > Now... we've got an issue with the information model.
> > >
> > > Following the information model, Antonin adds the following
> > > attribute to
> > > keys:
> > >
> > >    key-use sign|verify|both
> > >
> > > I'm a little puzzled by the purpose of this attribute.  What usage
> > > scenarios is it useful in?  In particular, it does not appear to
> > > subsume the sign-only interface attribute, which is useful in
> > > incremental deployment scenarios.
> >
> > Hmm, I think this notion originally comes from Bird's password
> > configuration support?
> > <URL mauled by AT&T mail system>
> > search for 'password'.
> >
> > I guess you could use it for a kind of asymmetrical verification procedure?
> > I.e., a route server could have its own key that it signs with, that
> > all peers with the route server will accept, but each peer has its own
> > key it signs with, that the route server is set up to accept. That way
> > the peers wouldn't peer with each other, but all go through the route
> > server? This would not prevent malicious actors, of course (they could
> > just start signing with the route server's key), but it could prevent
> accidental misconfiguration.
> >
> > Dunno exactly what the original intention with the Bird option is,
> > though.. I can ask on the Bird list?
> >
> > -Toke
> 
> I don't remember precisely and would need to go looking for the emails. I
> think it did come from Toke's comments. But if an implementation doesn't
> support asymmetric signing, it can just hard-code the parameter to "both",
> not allow configuration of the parameter, and be done with it.
> Barbara