IETF Logo Mail Archive

Re: [babel] Shepherd's review of draft-ietf-babel-hmac-02

Juliusz Chroboczek <jch@irif.fr> Wed, 26 December 2018 22:17 UTC

Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8BB713135C; Wed, 26 Dec 2018 14:17:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuK3CqAUyoq9; Wed, 26 Dec 2018 14:17:22 -0800 (PST)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DBE2130E1A; Wed, 26 Dec 2018 14:17:22 -0800 (PST)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id wBQMHDU5021736; Wed, 26 Dec 2018 23:17:13 +0100
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id B41F88C3EC; Wed, 26 Dec 2018 23:17:19 +0100 (CET)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id iVt3doC-nMQb; Wed, 26 Dec 2018 23:17:17 +0100 (CET)
Received: from pirx.irif.fr (user-46-112-163-217.play-internet.pl [46.112.163.217]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 49FBE8C3EA; Wed, 26 Dec 2018 23:17:16 +0100 (CET)
Date: Wed, 26 Dec 2018 23:17:14 +0100
Message-ID: <87a7ks9bmd.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Dave Taht <dave.taht@gmail.com>
Cc: Donald Eastlake <d3e3e3@gmail.com>, babel-chairs <babel-chairs@ietf.org>, Babel at IETF <babel@ietf.org>, draft-ietf-babel-hmac@ietf.org
In-Reply-To: <CAA93jw6bkCe2JNO+5b4mdFaTSs7MC-C1DvruA3U4rwp9VkWhRg@mail.gmail.com>
References: <CAF4+nEGhxKF0ChmLyJzYy9QimhitCvjGGiw7U3stXP3uDkyd=Q@mail.gmail.com> <87ftuk9klr.wl-jch@irif.fr> <CAA93jw6bkCe2JNO+5b4mdFaTSs7MC-C1DvruA3U4rwp9VkWhRg@mail.gmail.com>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Wed, 26 Dec 2018 23:17:13 +0100 (CET)
X-Miltered: at korolev with ID 5C23FDE9.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5C23FDE9.001 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5C23FDE9.001 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/qicsuz_oHs41D0m7KiqYDdE5wFc>
Subject: Re: [babel] Shepherd's review of draft-ietf-babel-hmac-02
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Dec 2018 22:17:25 -0000

>> I disagree.  The only property that the index needs to satisfy is that it
>> is never reused for a different PC sequence for a given (key, sender)
>> pair.  In particular, if a node never loses state (e.g. it has reliable
>> persistent storage), then it never needs to change indices -- and in that
>> case, a 0-octet index is suitable.

> Well, say that in the draft. It's come up as a gut objection in
> everybody thus far.

From Section 6:

   Second, it assumes that indices and nonces are generated uniquely
   over the lifetime of a key used for HMAC computation (more precisely,
   indices must be unique for a given (key, source) pair, and nonces
   must be unique for a given (key, source, destination) triple).  This
   property can be satisfied either by using a cryptographically secure
   random number generator to generate indices and nonces that contain
   enough entropy (64-bit values are believed to be large enough for all
   practical applications), or by using a reliably monotonic hardware
   clock.  If unicity cannot be guaranteed (e.g., because a hardware
   clock has been reset), then rekeying is necessary.

> I'm still working out how to go about attacking things. One way is to
> force the daemon to crash (malformed packet, a ping of death, some
> other vulnerability in another daemon that can send a kill -9 to this
> process), on restart, which resets the pc, and forces choosing a new
> index. With a zero length index, well...

You detect that you've suffered a crash, and you refuse to run until you
detect a key rotation.  Or you detect that you've suffered a crash, and
switch to 64-bit indices until the next key rotation.

I'm not saying that that's the right way to implement this protocol (it's
too complex and fragile for my taste), but if someone is intent on saving
every extra bit on the wire, the protocol allows that.

-- Juliusz

v2.23.0 | Report a Bug | By Email