IETF Logo Mail Archive

Re: [babel] Benjamin Kaduk's Discuss on draft-ietf-babel-information-model-11: (with DISCUSS and COMMENT)

"STARK, BARBARA H" <bs7652@att.com> Thu, 11 March 2021 00:01 UTC

Return-Path: <bs7652@att.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8035F3A1078; Wed, 10 Mar 2021 16:01:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z_5L8xflIksZ; Wed, 10 Mar 2021 16:01:18 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 404803A1073; Wed, 10 Mar 2021 16:01:18 -0800 (PST)
Received: from pps.filterd (m0049463.ppops.net [127.0.0.1]) by m0049463.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 12ANtJY2036616; Wed, 10 Mar 2021 19:01:17 -0500
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049463.ppops.net-00191d01. with ESMTP id 376h3bwgqh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 Mar 2021 19:01:16 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 12B01G1l025885; Wed, 10 Mar 2021 19:01:16 -0500
Received: from zlp30488.vci.att.com (zlp30488.vci.att.com [135.47.91.93]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 12B01Cpl025771 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 10 Mar 2021 19:01:12 -0500
Received: from zlp30488.vci.att.com (zlp30488.vci.att.com [127.0.0.1]) by zlp30488.vci.att.com (Service) with ESMTP id 22DB94009E62; Thu, 11 Mar 2021 00:01:12 +0000 (GMT)
Received: from GAALPA1MSGEX1CE.ITServices.sbc.com (unknown [135.50.89.112]) by zlp30488.vci.att.com (Service) with ESMTP id E81D54009E61; Thu, 11 Mar 2021 00:01:11 +0000 (GMT)
Received: from GAALPA1MSGEX1CE.ITServices.sbc.com (135.50.89.112) by GAALPA1MSGEX1CE.ITServices.sbc.com (135.50.89.112) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2; Wed, 10 Mar 2021 19:01:11 -0500
Received: from GAALPA1MSGETA01.tmg.ad.att.com (144.160.249.126) by GAALPA1MSGEX1CE.ITServices.sbc.com (135.50.89.112) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2 via Frontend Transport; Wed, 10 Mar 2021 19:01:11 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.171) by edgeal1.exch.att.com (144.160.249.126) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2176.2; Wed, 10 Mar 2021 19:00:44 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZzHOduaGgGEiS55ountRHQLmsWF/rgdtskMF3aBvx8FFLGqhHzwZtezrhglz8Js3aUbDBZnRUPb+lfZCxxGIIunUH5Jz0U4WlyNKJJ9JP9RL2DY4pb3eUg9YuSsD0dPhJERCNk4Of8jjk8N/ohq9tC7pwjkgjncFGTfgmGdolFfA8wS2PPg3PGgtkCykxgZICCf2imZCzEsPovSRiTbhajFIC50C6oxOUGmxy8BUnOPKPz0N/rWrqzq07tdCa/FqCyU/iqB46E9ldySJap+vwYhueA46+T3i0XWFHkNc9/tRF19rivKRgsQsE5ghAIR1qzfNN5zPQQCtRsmSjTW19g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wNoEwbiMfOS4tI0E+eJyYB0kTAUPJ3kNxK6y+HanC+A=; b=KnrOIjTnM1QmHHR7WBtAZUrkZ1AtDlpiciPeMumVtZgCcx30PnySLxc0meS4bqOOHKBgdrgGS7epeQjjBeJsH0VIWSN0CMpwA+R8j0+5s+c7o07A4I3NzCrbb/BJSTqilQj8cVHcJMli099Hkr2jYtG2kWN6y7QWTQJH7fv4vUxGhXzEKZIN6tYxvt/bNfStdIal+XZKBKqHvVtq2VkXpc0NC1Zf8iaiKUhxeWiz91MbrnyExtAr7r9M3a0+wPDhlWNXsDRdRaZ5Wohi217y19fmWt8BzzaPxnBQoDL+n1L5zU+OQ3CoULLN1mo1yFLOM+mtWja23xW0pzf7PrB8OA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wNoEwbiMfOS4tI0E+eJyYB0kTAUPJ3kNxK6y+HanC+A=; b=CB/zKL/zR3bFOpMmreWMLQicyEbiaoZJ5z6ixk6G6yoMHrglFnpKSHpgwAE0o+56ykUQUmPl8iVyWu4agT0oZR6H7+0DB3+3iesobHJh/LVT7lzqyrxuSfxESHSmioKGDo+0dGbB7Ok3V6XMO22FKKDF4m+o8oS2mbwJ8bG4GzA=
Received: from DM6PR02MB6924.namprd02.prod.outlook.com (2603:10b6:5:25f::7) by DM6PR02MB6378.namprd02.prod.outlook.com (2603:10b6:5:1fc::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Thu, 11 Mar 2021 00:00:41 +0000
Received: from DM6PR02MB6924.namprd02.prod.outlook.com ([fe80::d9c0:4a62:170b:b925]) by DM6PR02MB6924.namprd02.prod.outlook.com ([fe80::d9c0:4a62:170b:b925%7]) with mapi id 15.20.3890.038; Thu, 11 Mar 2021 00:00:41 +0000
From: "STARK, BARBARA H" <bs7652@att.com>
To: 'Benjamin Kaduk' <kaduk@mit.edu>
CC: "'babel-chairs@ietf.org'" <babel-chairs@ietf.org>, "'d3e3e3@gmail.com'" <d3e3e3@gmail.com>, 'The IESG' <iesg@ietf.org>, "'babel@ietf.org'" <babel@ietf.org>, "'draft-ietf-babel-information-model@ietf.org'" <draft-ietf-babel-information-model@ietf.org>
Thread-Topic: [babel] Benjamin Kaduk's Discuss on draft-ietf-babel-information-model-11: (with DISCUSS and COMMENT)
Thread-Index: AQHWsXWjpHz8bjw21kuCQu2IvFzP6am4p/pggI6+9zCACT03AIABlDYwgBlk4oCAEXGNEIABjMOAgAATegA=
Date: Thu, 11 Mar 2021 00:00:41 +0000
Message-ID: <DM6PR02MB69247B75FC36A097F86FFDB7C3909@DM6PR02MB6924.namprd02.prod.outlook.com>
References: <160436211925.31069.7931310164710901437@ietfa.amsl.com> <SN6PR02MB4512CEC73FF751E20D7A64F1C3CC0@SN6PR02MB4512.namprd02.prod.outlook.com> <DM6PR02MB6924227133396A388EECD9D0C3B49@DM6PR02MB6924.namprd02.prod.outlook.com> <20210209164932.GU21@kduck.mit.edu> <BY5PR02MB691424143621B8AC6D1B2DF3C3819@BY5PR02MB6914.namprd02.prod.outlook.com> <20210226204349.GA21@kduck.mit.edu> <DM6PR02MB69248597F0A5306203F104C6C3919@DM6PR02MB6924.namprd02.prod.outlook.com> <20210310224643.GG56617@kduck.mit.edu>
In-Reply-To: <20210310224643.GG56617@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=att.com;
x-originating-ip: [45.18.123.63]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c1209f51-5460-4899-d851-08d8e420b624
x-ms-traffictypediagnostic: DM6PR02MB6378:
x-microsoft-antispam-prvs: <DM6PR02MB6378E4088993F3B8808C51A0C3909@DM6PR02MB6378.namprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: PHL28kyfolCAfnGPsxPC8xrnh23mRsexEKBnat1xLjXozWnC5jvcjXEQg/tlna3oUN96YGM5eBlyilQT30Ua0TctuQkYl+VtxLH1suQQ2XxICX2WguQ++ttovrd3cGdwZXaY9UowqcFkIuB9evN+AudW0tvJSjyqn/FWiHtPGrbf5Oq51kc5meqn9sYFF4PtYFkBcMSss0JdCi+0349lfBcagBYNuLL0zw0eKTCzhexUUQDZlS+lMeYjXWWEPYN2t+nyT8jwB6VAOeTFHjABdH3Ai7fTteYaoRuYc3pM7M47PiS8Amh3Q+z/y5k2eW2XjkmPcWghikzDpOu593rylVgjd8rRSNZJpSjMe8WyI9iDAi5NYdt/nsSbn/KyGLaHhQVKKJaI8nKkEckY1jblpIj4SkOxksACfZ3ZCKmpNjarTxHlOZvk9ZD5aEFaErBszi4XTMigWaNfSHE7LMzfbmGZ1E5+zBaI8sBoEkVjUBqmjvH7D7HKf9xGgH+4ThgrSm+MRKgqa2QbS2NErGD/pturYzvhd3G3Ac/oHRkwQRxR8pI0yDzlX95JDtRyh7KDsHdSBcWqZncxJbEYmUZVyxtPUDP1goh/kjkv6ytpBpI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR02MB6924.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(39860400002)(396003)(366004)(136003)(52536014)(6506007)(8936002)(76116006)(26005)(2906002)(5660300002)(83380400001)(55016002)(9686003)(6916009)(966005)(7696005)(186003)(86362001)(71200400001)(66574015)(33656002)(478600001)(82202003)(66446008)(8676002)(66556008)(4326008)(66476007)(54906003)(30864003)(66946007)(316002)(64756008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 3uu+pDrgwD0e1EVxKx/AgVFEwnWpSi9YQKlKLhsPasV1haDXn/khQmzmKwI8e1gr6la4xJGpj1OWR5BpN6L0jyMb24wOSARc7qzWJIbmS7tvmZ0/GckKkFRmRKbeK8+khlpq8fr9PdNZf2TNYXbiwvndWXct7fYNpYvrbg+zDeHpBGph/nRWz2KazFYPPhpHC6weNUFkDsPxCE5K4l8Iwv8KtX/Cla+WX37u61Y/SAiPew1Dizs/rinGDlu3e2P3JHlWKDITtosq5uiPrlr6tamVs5j9s6gAT0853l5XC/brEqAJ65VrWXispOER1w35DnEsxj9B29LcBAF8/igT2X5CiBnnIz2BtypbH9JUXaRlZqPRT5wIJUbCHVJgscmPQW3KjwjahO8uyYbR/IIfzCgiucDBI4ei/W7pRMLPLkU7+90T4YPWm//OfniB0k9XBDLz/MmMKkBqG90WJGoGXmkAFSTdU3anSUFapHljIS/jBL0npCTSwWZqYXfu46F+C7OUeFcN4YI/fI+dUEicGDo1HwyrnXa6CGUSheqReqvbHnJy8Xp1GvjqOmdpNr5r8LebJLyOPRSlcompAupsM337kjwkPGVgw1a6DtlNc/ueAYQqtB7Lcgh4N8opnhJsOOlYo2sYB+iDkWo/aMS/oTdC5D6XYpdgaf50rGY3K9sdI5xBv6EK9FygXg+hOuPjJlvd1GzcTGaH4wU+YNCj4WAe38smxu7hVwdDWnlJQtLccr4VOItKOemH1O/Tgb8XPUnvFe7e5wgYfSetSCguAY5Wnzmr/X2Zotn4WtnSn+xKcRUMS55LCEIYb7xnFz96IqsRjaNaS1QhWVFqmus8tZkm5PItA6e45ZzoM5CGrbOEDOoX4nczpEZO5oJZsRADZUhWTmH+sQODB+EaeYnd54bsKHHZG3EVBqHwHYnmOCeDxPoslEPccfnKatkasdVGqDBZGt45FUPLMPXyzPKxnAFnosprppFUziqBniLobcO96aRIusVMnAxqz5O4rivNvAMO4ZIz3PxdzJex9/XicoTv1ot+g/eyV6BgAtP5RIdSvYSt3Sl2re4jDwn2+vL9GkJrSU5y3sCKNNVoqLakoVKRWXa0dZjGOW3TQVKRTglvrgatcLxn1/QrImHBfNAqbaWGdQz8gT1Vfo6uTgmB4oKdTRPpdzCG0NA0egYWbzS3o2r6NvKlxc87p0ERozyNcNYs6GlUQwjXXuXmI/QnZq449n6G4SSmnyia9sHLvUqziE0TfUsYav8dJ1JHn2g1uTRNzKKICNP6cDcTvCnIu5Egr3EcNmEEc8+JRwkc7boYwatgvcobeGTbLxG/+mw9
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR02MB6924.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c1209f51-5460-4899-d851-08d8e420b624
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2021 00:00:41.6689 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4uiBa8rUx8HpoF7D3H0T1KtTDwYdkK8nXhY7xffONkm+Y6aTGKPkuXYpT7rM56fh
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR02MB6378
X-OriginatorOrg: att.com
X-TM-SNTS-SMTP: 6D5CE4288677B92983110CD72213D91F83B2B883C705551A210FC184AFDF02032
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-10_13:2021-03-10, 2021-03-10 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 adultscore=0 mlxlogscore=999 lowpriorityscore=0 bulkscore=0 mlxscore=0 clxscore=1015 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 malwarescore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103100116
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/rYcmd1s-LSnzudyXq2slMbv6Nn8>
Subject: Re: [babel] Benjamin Kaduk's Discuss on draft-ietf-babel-information-model-11: (with DISCUSS and COMMENT)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Mar 2021 00:01:22 -0000

Hi Ben,
Thx. Reply below...
Barbara

> Hi Barbara,
> 
> Thanks for following up.  I feel a little bad that I forgot this topic was
> still open, and didn't even look at the babel agenda while deciding what
> session to attend for that timeslot... (inline)
> 
> On Wed, Mar 10, 2021 at 10:12:20PM +0000, STARK, BARBARA H wrote:
> > Hi Ben,
> > I'm cutting to just the one open issue. The WG discussed this today during its
> meeting, and we've exchanged some emails. It turns out some things have
> changed in the past year (and some haven't). My comment / suggested text is at
> the bottom of this email. Thx,
> > Barbara
> >
> > > > > I think the -12 addresses most of my concerns, but we may need to talk a
> > > > > bit more about the HMAC key length topic -- I'm having a hard time
> matching
> > > > > the stated justification with my understanding of the facts.
> > > > >
> > > > > > >
> > > > > > > > ----------------------------------------------------------------------
> > > > > > > > DISCUSS:
> > > > > > > > ----------------------------------------------------------------------
> > > > > > > >
> > > > > > > > Section 2 says that the "DTLS certificate values" are required to
> return
> > > > > > > > no value when read, but this property seems to be intended for
> private
> > > > > > > > data such as DTLS private key values, not the certificates
> themselves
> > > > > > > > (which are public).
> > > > > > >
> > > > > > > Thanks. I agree and suggest in Section 2, changing "DTLS certificate
> > > values"
> > > > > to
> > > > > > > "DTLS private keys" (which are required to return no value when
> read).
> > > > > > >
> > > > > > > > While I appreciate that IPv6 is the current version of the internet
> > > > > > > > protocol, I do see that 6126bis allows for Babel to run over both
> IPv6
> > > > > > > > and IPv4, yet this document in multiple places implicitly assumes
> that
> > > > > > > > Babel runs over IPv6, to the exclusion of IPv4.  Such a restriction
> from
> > > > > > > > the core protocol spec should only be undertaken by an information
> > > model
> > > > > > > > with clear reasoning and loud disclaimer.
> > > > > > >
> > > > > > > The WG did discuss this and expressed the view that they were only
> > > > > interested
> > > > > > > in defining configuration for Babel over IPv6. Note that use of Babel
> to
> > > > > > > configure
> > > > > > > IPv4 routing tables can be done over IPv6.
> > > > > > >
> > > > > > > Perhaps if we added to the Abstract <Juliusz: please look at this and
> > > provide
> > > > > > > suggested changes>:
> > > > > > > "This information model only includes parameters and parameter
> values
> > > > > > > useful for managing Babel over IPv6.
> > > > > > > This model has no parameters or values specific to operating Babel
> > > > > > > over IPv4, although Babel can be operated over IPv4.
> > > > > > > Note that Babel over IPv6 can be used for configuration of both
> > > > > > > IPv4 and IPv6 routes."
> > > > > > >
> > > > > > > and then expand on this in the Introduction with
> > > > > > > "This information model only includes parameters and parameter
> values
> > > > > > > useful for managing Babel over IPv6.
> > > > > > > This model has no parameters or values specific to operating Babel
> > > > > > > over IPv4, even though [ID.ietf-babel-rfc6126bis] does define a
> multicast
> > > > > > > group for sending and listening to multicast announcements on IPv4.
> > > > > > > There is less likelihood of breakage due to
> > > > > > > inconsistent configuration and increased implementation simplicity
> > > > > > > if Babel is operated always and only over IPv6. Running Babel over
> IPv6
> > > > > > > requires IPv6 at the link layer and does not need advertised prefixes,
> > > router
> > > > > > > advertisements or DHCPv6 to be present in the network. Link-local
> IPv6 is
> > > > > widely
> > > > > > > supported among devices where Babel is expected to be used.
> > > > > > > Note that Babel over IPv6 can be used for configuration of both
> > > > > > > IPv4 and IPv6 routes."
> > > > > > >
> > > > > > > > Similarly (as Roman notes), we are putting requirements on the key
> > > > > > > > length for MAC keys (relative to the block size of the underlying
> hash
> > > > > > > > function) that have were once present in draft-ietf-babel-hmac but
> > > have
> > > > > > > > been removed as of draft-ietf-babel-hmac-10.  I assume that the
> intent
> > > > > > > > is not to impose additional restrictions compared to the protocol
> spec,
> > > > > > > > thus we need to catch up to those changes.
> > > > > > >
> > > > > > > How humans interact with configuration parameters presented
> through
> > > > > > > a data model instantiation of this information model is a concern.
> Having
> > > > > > > experienced the horrors of the days of configuring WEP keys (which
> were
> > > > > > > either ASCII or hex and caused most people not to use WEP with Wi-
> Fi)
> > > > > > > and witnessed (and been party to) the discussions in
> > > > > > > Babel where we wanted to ensure that whatever string was inputted
> for
> > > > > > > the key would yield consistent MAC computation across all
> > > implementations
> > > > > > > (i.e.,
> > > > > > > would yield consistent "actual key"), I believe
> > > > > > > it is imperative for the information model to constrain the input. As I
> > > > > explained
> > > > > > > in my response to Roman and Valery, we saw considerable variability
> in
> > > > > > > how existing libraries for allowing users to supply a key value treated
> > > > > > > values that could not be directly used as what RFC 2104 calls "the
> actual
> > > > > key".
> > > > > > > To ensure human users are successful in supplying the same "actual
> key"
> > > > > value
> > > > > > > to various
> > > > > > > implementations, it's necessary for user interfaces to restrict what is
> > > > > > > supplied to be "the actual key" so no extraneous hashing and
> processing
> > > > > > > is needed to generate "the actual key" (other than adding zeroes if
> the
> > > input
> > > > > > > key is shorter than an "actual key").
> > > > >
> > > > > These are all important considerations, and I am glad that you are
> keeping
> > > > > them in mind (while simultaneously being sad that they are necessary).
> > > > > But they seem to mostly be concers with the translation layer between
> the
> > > > > input layer and the cryptographic API, and the restrictions that I am
> > > > > concerned about are ones that relate to processing done within the
> > > > > cryptographic API boundary.
> > > >
> > > > I find this statement a little confusing, since the info model is placing no
> > > restrictions on processing done within a cryptographic API boundary. It's only
> > > placing restrictions on the length and datatype of a parameter (supplied via a
> > > management protocol or user interface) that is then provided to a Babel
> > > implementation. What the Babel implementation does to or with this
> parameter
> > > is not something the info model cares about.
> > >
> > > Well, my reasoning is basically that the information model is imposing a
> > > limitation on the inputs to the cryptographic API that is more stringent
> > > then the documented requirements for that API.  The only vaguely plausible
> > > reason that I know of that one might want to impose this specific
> > > requirement is to affect the internal processing of that API (to avoid the
> > > extra "hash the key input" step).  So, picking this specific limit on the
> > > input to the cryptographic API comes across as attempting to force a
> > > specific behavior path within the cryptographic API.
> > >
> > > IMO, if you are going to use HMAC, use the HMAC interface as documented
> and
> > > let HMAC determine which of its internal paths to take.  If you need to
> > > impose some restriction on the inputs, do so for reasons related to
> > > processing at the application layer (including, potentially, existing
> > > implementations that do the wrong thing) and document it as such.
> > >
> > > > > > > The restrictions provided for the length of an input key are consistent
> > > with
> > > > > > > what the HMAC and BLAKE RFCs indicate for "actual key" length.
> > > > > > >
> > > > > > > This allows implementations of draft-ietf-babel-hmac to use existing
> > > HMAC
> > > > > > > and BLAKE2s libraries without worrying about what inconsistent
> > > > > manipulations
> > > > > > > the libraries or associated libraries for inputting keys do to strings that
> > > are
> > > > > > > too long to be directly used as "actual keys".
> > > > >
> > > > > In particular, the procedures for using an HMAC key longer than the block
> > > > > length of the underlying hash function (hash the key first) are
> > > > > longstanding and well-implemented.  Are you saying that you have
> > > > > experiences with buggy HMAC implementations that don't do this?  (If so,
> > > > > that would be a great tidbit to mention in the document as motivation.)
> > > >
> > > > The Bird (language) implementation of Babel used existing code for OSPF.
> That
> > > code was designed according to RFC 5709, which will hash any
> "Authentication
> > > Key" (K) longer than the length of the hash (L) to create a cryptographic key
> (Ko)
> > > that is exactly L octets long.
> > > >
> > > > What RFC 5709 describes is different than what RFC 2104 (HMAC)
> describes.
> > > RFC 2104 says to create a hash of the authentication key (K) if it is longer
> than
> > > the block size of the hashing algorithm (B). For SHA-256, B != L. Therefore,
> using
> > > RFC 5709 will get a different value for the cryptographic key than RFC 2104,
> for
> > > authentication key length between L and B. This difference was noted in
> > > RFC5709 errata. RFC 7166 updated RFC 6506 wrt this. But RFC 7166 didn't
> > > update RFC 5709.  RFC 7474 updated RFC 5709 and kept the L boundary. We
> > > looked at the Bird library code which does indeed do the calculation
> according
> > > to RFC 5709. Fortunately, there is great consistency among the various RFCs
> > > around zero-padding short authentication keys.
> > > >
> > > > Furthermore, the Bird implementation allowed the key to be provided via a
> > > GUI that treated the input sequence of characters as ASCII. This was, again,
> > > from code that already existed for OSPF. But note there is no requirement in
> any
> > > RFC for support of an authentication key entered in ASCII format.
> > >
> > > Thanks; this is really helpful information to know (and pretty unfortunate
> > > about the OSPF situation).
> > > But if issues with how an existing Babel implementation handles input keys
> > > longer than the output length of the hash are what motivate the key length
> > > restrictions, shouldn't the length restrictions reflect the hash output
> > > length rather than the hash block size?
> > >
> > > > The C implementation of Babel was designed with the expectation that a
> > > centralized system would push the key out to all the routers. It assumed the
> > > supplied key was in binary format. Preferably, the centralized system would
> > > randomly generate the binary value. But if there were a user entering an
> ASCII
> > > string at the centralized system, the centralized system would be able to do
> > > whatever desired manipulation and push a suitable binary out to all routers.
> The
> > > C implementation does not accept ASCII input.
> > >
> > > (I assume that "does not accept ASCII input" just means "does not do
> > > processing on input to take a human-presentable ASCII representation of a
> > > binary key and convert it into the underlying binary key", as opposed to
> > > "checks for the condition where all octets of the input are in the ASCII
> > > printable range and rejects that input".)
> > >
> > > > The WG discussed all of this extensively in January of 2019. And then re-
> hashed
> > > it (haha) in August of 2019. There was discussion of imposing either RFC 5709
> or
> > > RFC 2104 calculation for long "authentication keys" on the Babel
> > > implementations (in the babel-mac draft). There was discussion of requiring
> the
> > > key supplied to an implementation to be exactly the cryptographic key (so all
> > > manipulation was done external to Babel). And other ideas (I can point to the
> > > emails in the archive, if you like; there were many emails). The August 2019
> > > decision was for the babel-mac draft not to impose additional restrictions on
> the
> > > format of provided keys (other than restrictions imposed by SHA-256 and
> > > BLAKE2s RFCs on keys) and not to choose between RFC 5709 or RFC 2104. So
> > > the Bird and C implementations did not need to change what they were
> doing.
> > > But the info model would restrict the length and datatype of "authentication
> > > key" values it supplied so the cryptographic keys the implementations ended
> up
> > > calculating from the input binary authentication key would always be the
> same.
> > > The values supplied by the info model will simply never invoke code that
> would
> > > result in inconsistent cryptographic key values.
> > >
> > > Thank you very much for the summary of the prior WG discussions; I cannot
> > > hope to try to repeat the depth of consideration that was already given.
> > > As above, though, my reading of the -13 is that it does allow hitting the
> > > code that would result in inconsistent key values, since the stated limit
> > > for HMAC-SHA256 is 64 bytes, not 32.
> > >
> > > > > The situation for Blake2s-128 (which is being used directly and not via
> > > > > HMAC) is not quite so clear to me since it's a more recent innovation, and
> > > > > RFC 7693 seems rather unclear about what to do if the input key is larger
> > > > > than 64 bytes (it talks only of padding the key and setting as d[0], where
> > > > > d[0] is a 16-word block, and for Blake2s words are 32 bits).  So while
> > > > > limiting the length of the Blake2s key may be justified in fact, (1) that
> > > > > justification should probably be in the document, and (2) I don't see a
> > > > > factual basis for limiting HMAC keys to the block length.
> > > >
> > > > And we also could find nothing that described what to do for long keys in
> > > BLAKE2s. So the datatype and length restriction would again ensure
> consistent
> > > cryptographic key calculation.
> > >
> > > I would strongly encourage adding some discussion of the motivation for the
> > > length limits into the draft itself.
> > >
> > > > > (For what it's worth I did do a bit of math, and even if the "actual key"
> > > > > is limited to uppercase letters plus digits, a 64-character string can
> > > > > still contain some 330 bits of entropy, which is stronger than a 32-byte
> > > > > random string.  You'd have to be really limited in what characters can be
> > > > > used, e.g., to only digits, in order to have the maximum theoretical
> > > > > entropy of the 64-character string fall below 256 bits.)
> > >
> > > If the limit is actually going to be 32 characters, the numbers go down
> > > accordingly, but 165 bits is not shabby, and adding in lowercase letters
> > > gets you up to 190 bits, and the full 95 ASCII printables cap out at 210
> > > bits.
> >
> > Here's what I'm thinking as a proposal for the key value parameter description:
> 
> (I assume the "The value of the MAC key" is going to stay, before this.)
> 
> > This value is of a length suitable for the associated babel-mac-key-algorithm.
> If the algorithm is based on the HMAC construction [RFC2104], the length MUST
> be between 0 and an upper limit that is at least the size of the output length
> (where "HMAC-SHA256" output length is 32 octets as described in [RFC4868]).
> Longer lengths MAY be supported but are not necessary if the management
> system has the ability to generate a suitably random value (e.g., by randomly
> generating a value or by using a key derivation technique as recommended in
> [RFC8967] Security Considerations). If the algorithm is "BLAKE2s-128", the
> length MUST be between 0 and 32 bytes inclusive as specified by [RFC7693].
> 
> Just to check my understanding: the "upper limit" is something set by an
> implementation (and presumably, documented), subject to the requirement
> that it is at least as large as the HMAC output length?

Yes -- set by an implementation of the information model. 
 
> > In the Security Considerations I propose adding, after the sentence "See the
> Security Considerations section of [RFC8967] for additional considerations
> related to MAC keys.":
> >
> > The fifth paragraph of that security Considerations section makes some
> specific key value recommendations that should be noted. It says that if it is
> necessary to derive keys from a human-readable passphrase, "only the derived
> keys should be communicated to the routers" and "the original passphrase itself
> should be kept on the host used to perform the key generation" (which would be
> the management system in the case of a remote management protocol). It also
> recommends that keys "should have a length of 32 octets (both for HMAC-
> SHA256 and BLAKE2s), and be chosen randomly".
> 
> This looks good to me.

Cool. Great!
 
> Thanks again,
> 
> Ben
> 
> _______________________________________________
> babel mailing list
> babel@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/babel__;!!
> BhdT!xlHCqJqacb_fuDLeZqvtD56PDONmR485Le0l1QBmYkg1UK8OXSVNGFl2ovf
> NIg$

v2.23.0 | Report a Bug | By Email