[babel] Implicit indices (Stenberg) variant of the HMAC protocol
Juliusz Chroboczek <jch@irif.fr> Sun, 01 July 2018 13:04 UTC
Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEBC4130EAA for <babel@ietfa.amsl.com>; Sun, 1 Jul 2018 06:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CzMGJIIaB8fP for <babel@ietfa.amsl.com>; Sun, 1 Jul 2018 06:03:59 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AFB8130E79 for <babel@ietf.org>; Sun, 1 Jul 2018 06:03:58 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/75695) with ESMTP id w61D3FBi022385 for <babel@ietf.org>; Sun, 1 Jul 2018 15:03:15 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id B03BAEB22D for <babel@ietf.org>; Sun, 1 Jul 2018 15:03:56 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id HqgD0__94T6T for <babel@ietf.org>; Sun, 1 Jul 2018 15:03:55 +0200 (CEST)
Received: from trurl.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id A57CAEB200 for <babel@ietf.org>; Sun, 1 Jul 2018 15:03:55 +0200 (CEST)
Date: Sun, 01 Jul 2018 15:03:55 +0200
Message-ID: <87k1qfyuo4.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: babel@ietf.org
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Sun, 01 Jul 2018 15:03:15 +0200 (CEST)
X-Miltered: at korolev with ID 5B38D113.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5B38D113.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5B38D113.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/rqeZehLBlDlzGEG9KEmNQCLqLog>
Subject: [babel] Implicit indices (Stenberg) variant of the HMAC protocol
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jul 2018 13:04:02 -0000
Appendix A. Implicit indices
[This appendix describes the "implicit indices" variant of the
protocol, which is different and incompatible to the "explicit
indices" variant described in the body of this document. This
section should either be integrated into the body of the document or
be removed before publication of this document an RFC, depending on
which protocol variant is finally chosen.]
The protocol described in the body of this document explicitly sends
indices as in each packet as part of the Cryptographic Seqno TLV.
Observe that, except when a challenge is required, the index sent on
the wire is identical to the index stored in the Neighbour Table, and
therefore doesn't need to be sent explicitly except during challenges
-- it is enough for it to participate in HMAC computation in order to
protect against replay. The "implicit indices" variant of the
protocol, due to Markus Stenberg and described in this appendix, uses
this information to avoid sending indices explicitly and thus shave
off 8 to 10 octets from almost every packet.
The changes to the protocol are as follows. The pseudo-header
includes the Index, and therefore has the following format:
TBD
The Cryptographic Seqno TLV no longer contains an Index, and
therefore has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | PC
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This TLV is now self-terminating, and therefore allows sub-TLVs.
Packets containing the Challenge Reply and Challenge Request TLVs
must contain an explicit index. Two encodings are possible: one uses
Challenge Replies and Requests with an extra field for the sender's
index, which complicates the encoding somewhat but makes these two
TLVs self-terminating, the other one uses a new TLV that is used for
carrying an Index, which uses up a new TLV number but makes it
possible to reuse these two TLV with other protocols that require a
nonce-based challenge.
Packet transmission is modified as follows. If a packet contains a
Challenge or a Challenge Reply, then the node inserts its index into
the packet body. In any case, it uses its current index to generate
the pseudo-header that will be used to compute the HMAC and shipping
out the packet. (This implies that a packet must be parsed in its
entirety before HMAC validation, which requires a robust parser.)
Packet reception is modified as follows. Before checking the HMAC of
a packet, the receiver checks whether the packet contains an explicit
index. If this is the case, it uses the index contained in the
packet in order to generate the pseudo header; if this is not the
case, it uses the index contained in its neighbours table. If there
is no index available for that neighbour (either because the table
doesn't contain in an entry for this neighbour, or the entry doesn't
contain an index), HMAC validation fails.
The index and cryptographic seqno contained in the neighbours table
are only updated after HMAC validation has succeeded.
Since it is now impossible to differenciate between a failed HMAC and
an index change, a node must send a challenge whenever HMAC
validation fails. This implies that spoofed packets cause a spurious
challenge, but that doesn't change the security properties of the
protocol much, given that in any case replayed packets can be used to
cause a spurious challenge.
- [babel] Implicit indices (Stenberg) variant of th… Juliusz Chroboczek