[babel] hmac info model elements

"STARK, BARBARA H" <bs7652@att.com> Thu, 03 January 2019 14:41 UTC

From: "STARK, BARBARA H" <bs7652@att.com>
To: Babel at IETF <babel@ietf.org>
Date: Thu, 03 Jan 2019 14:41:09 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E6114DF7EECB@GAALPA1MSGUSRBF.ITServices.sbc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/qVcEBIn97RJ-o29LDx4RNELon7g>
Subject: [babel] hmac info model elements

I'm looking at what's needed in the info model for HMAC.

I don't think the Index and PC of the Interface and Neighbor tables need to (or should) be exposed in the info model.
We had discussed previously that keys should not be readable -- only add and delete keys. In this case, it's good for a non-readable parameter to have a "nickname" or index to reference it with. And it can be useful to know when the key was added. In my experience, these sorts of shared keys are modeled as strings.
Appendix A (incremental deployment and key rotation) indicates it should be possible to configure a mode where authenticated packets are sent but all packets are accepted.
Multiple HMAC algorithms are possible. The draft doesn't say how the nodes know which algorithm is being used (if multiple are implemented). The draft does say that only one HMAC is calculated per key. Is it assumed the algorithm choice is configured?
Should the challenge expiry timer be configurable?
I've decided to have completely separate HMAC and DTLS objects, because they're very different now that I have detailed designs to work with.
I'm adding an "operation" datatype to support key and cert manipulation. This is intended to be consistent with YANG "action" datatype.

Proposed HMAC model:
add to top level information-obj:
babel-hmac-algorithms (enumerated list of supported HMAC computation algorithms)

security-hmac-obj
  security-hmac-enable (boolean: enable / disable this instance)
  security-hmac-mode (Boolean: do or don't authenticate received packets)
  security-hmac-algorithm (string: one of the supported HMAC algorithms)
  security-interfaces (string list of references to interfaces-obj: the interfaces this instance applies to; if empty, it applies to all interfaces)
  security-add-hmac-key (operation: inputs (reference name, key))  
     hmac-key-obj
         key-name (string: reference name)
         key-date (datetime: timestamp when key was added)
         delete-key (operation)
         check-key (operation: inputs (string, HMAC of string)) ; the node does its own HMAC computation of the input string and compares this to the input HMAC of string; if the computed and input HMAC are the same the operation succeeds.

Thoughts?
Barbara
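A small working model of the proposed security-hmac-obj semantics, added here as an illustration; it is not part of this post or of any Babel implementation. The algorithm names in the enumeration, the class and method names, and the use of SHA-2 HMACs are assumptions; the point it demonstrates is that the key material is write-only while add, delete, check-key and the "authenticate received or accept all" mode remain usable.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Stand-in for the babel-hmac-algorithms enumeration (names are assumptions).
HMAC_ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}


class SecurityHmacObj:
    """Models security-hmac-obj: keys are write-only. Only key-name, key-date
    and the add/delete/check operations are exposed to the management plane."""

    def __init__(self, algorithm="hmac-sha256", authenticate_received=True):
        if algorithm not in HMAC_ALGORITHMS:
            raise ValueError("algorithm not in babel-hmac-algorithms")
        self.algorithm = HMAC_ALGORITHMS[algorithm]
        # security-hmac-mode: False = send authenticated packets, accept all.
        self.authenticate_received = authenticate_received
        self._keys = {}  # key-name -> (secret bytes, key-date); never read out

    def add_hmac_key(self, name, key):
        """security-add-hmac-key: inputs (reference name, key)."""
        if name in self._keys:
            raise KeyError("key-name already in use")
        self._keys[name] = (bytes(key), datetime.now(timezone.utc))

    def delete_key(self, name):
        """delete-key operation on hmac-key-obj."""
        del self._keys[name]

    def key_table(self):
        """The readable view of hmac-key-obj: names and dates, no key material."""
        return {name: date for name, (_, date) in self._keys.items()}

    def compute_hmac(self, name, data):
        """Used by the node itself when sending: HMAC over data with the named key."""
        secret, _ = self._keys[name]
        return hmac.new(secret, data, self.algorithm).digest()

    def check_key(self, name, data, claimed_hmac):
        """check-key operation: recompute the HMAC and compare in constant time."""
        return hmac.compare_digest(self.compute_hmac(name, data), claimed_hmac)

    def accept_received(self, name, data, received_hmac):
        """Receive-side policy under security-hmac-mode (Appendix A rollout)."""
        if not self.authenticate_received:
            return True  # incremental deployment: accept unauthenticated packets
        return self.check_key(name, data, received_hmac)
```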