IETF Logo Mail Archive

Re: [babel] Minor clarification to HMAC

Markus Stenberg <markus.stenberg@iki.fi> Sat, 29 June 2019 09:53 UTC

Return-Path: <fingon@kapsi.fi>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 736C51200B7 for <babel@ietfa.amsl.com>; Sat, 29 Jun 2019 02:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.35
X-Spam-Level:
X-Spam-Status: No, score=-2.35 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kapsi.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YqsnhWvrejSt for <babel@ietfa.amsl.com>; Sat, 29 Jun 2019 02:53:19 -0700 (PDT)
Received: from mail.kapsi.fi (mail.kapsi.fi [IPv6:2001:67c:1be8::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3A96120033 for <babel@ietf.org>; Sat, 29 Jun 2019 02:53:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kapsi.fi; s=20161220; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date: In-Reply-To:From:Subject:Mime-Version:Content-Type:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=lhca9ZcPcSv1QJtD6SwuAzzFoa4UdmlX93c5tGQ2Qqo=; b=IzpvuCL9REr5uWGMFEWp7ctU5b ETtjUshDccL+Lzkk/j93R9Gomc8UJayV3DtWG116XGHO/PF44E/ivMFmOfi5CO2BjGnkPYi3ljti/ zBd48vD56Z2UyoUi7tZB0sYAKvzVHmgyy9HOhvQXwJov9mG8OHlXEcAOKJvgZiRWawHao/KYU3q78 hgDKHSQeIlBAUcHKcyEUvxz/qSWjDay5Iey3y0wF1QutS90M0L3a3gxDvqOrPcIDOi6KxZCWzu/Yu RrAL0/JBcI1Ho3iIyAoblZe4RpgwNBc6GVSVB9fviuBVIFYh1A3NdbJVbl5Gar5PoIYMXbykQc1Zb Hd13QfIQ==;
Received: from 91-155-69-60.elisa-laajakaista.fi ([91.155.69.60] helo=[192.168.42.210]) by mail.kapsi.fi with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <markus.stenberg@iki.fi>) id 1hhA2l-0003DP-Pm; Sat, 29 Jun 2019 12:53:15 +0300
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Markus Stenberg <markus.stenberg@iki.fi>
In-Reply-To: <87ef3c20fh.wl-jch@irif.fr>
Date: Sat, 29 Jun 2019 12:53:15 +0300
Cc: babel@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3CFB1069-5307-40F2-89DD-CA82CE2976A1@iki.fi>
References: <874l49j158.wl-jch@irif.fr> <6C3AA518-8EF8-493A-835D-DE096E75D07B@iki.fi> <87ef3c20fh.wl-jch@irif.fr>
To: Juliusz Chroboczek <jch@irif.fr>
X-Mailer: Apple Mail (2.3445.104.11)
X-SA-Exim-Connect-IP: 91.155.69.60
X-SA-Exim-Mail-From: markus.stenberg@iki.fi
X-SA-Exim-Scanned: No (on mail.kapsi.fi); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/rQrdZDQE9rm3gcoVsiIdroU1rfU>
Subject: Re: [babel] Minor clarification to HMAC
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2019 09:53:21 -0000

> On 29 Jun 2019, at 12.41, Juliusz Chroboczek <jch@irif.fr> wrote:
>> In terms of security properties, notably resource exhaustion/contention,
>> I am bit leery of creating entry before validity of remote party is
>> actually verified (= challenge response received). I prefer the old
>> text.
> I initially thought like you, but Sawssen and Étienne convinced me that
> creating the entry late does not add any security.
> 
> Suppose that the packet passes HMAC.  Then one of the possible cases is
> possible:
> 
>  - the neighbour entry already exists;
>  - the neighbour entry doesn't exist, and we're going to send a challenge.
> 
> In the first case, the point is moot.  In the second case, we're going to
> create a neighbour entry anyway, so we might as well create it immediately.
> 
> (Note that the data structures of the protocol are conceptual, not
> prescriptive -- an implementation is allowed e.g. to use an "incomplete
> neighbour" data structure that is smaller than a full neighbour structure
> for holding uncompleted challenges, as long as the effect is identical to
> what is described in the protocol.

Is there some mechanism in place that prevents replay of historic packets? As the HMAC key itself does not change over time, storing (large amounts of) historic payloads with valid HMAC  is not hard.

Tthe value is bit questionable GIVEN router ID is stable, but if it is not, there is actually potential attack vector here.. RFC6126bis suggests even random router ids as valid strategy and does not mandate their storage.
(Also given large domain, it might be possible to gather more routers’ sent packets than there is space in neighbor table in limited implementations.)

Still -1.

Cheers,

-Markus

v2.23.0 | Report a Bug | By Email