[babel] Implicit indices (Stenberg) variant of the HMAC protocol
Juliusz Chroboczek <jch@irif.fr> Sun, 01 July 2018 13:04 UTC
Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEBC4130EAA for <babel@ietfa.amsl.com>; Sun, 1 Jul 2018 06:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CzMGJIIaB8fP for <babel@ietfa.amsl.com>; Sun, 1 Jul 2018 06:03:59 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AFB8130E79 for <babel@ietf.org>; Sun, 1 Jul 2018 06:03:58 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/75695) with ESMTP id w61D3FBi022385 for <babel@ietf.org>; Sun, 1 Jul 2018 15:03:15 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id B03BAEB22D for <babel@ietf.org>; Sun, 1 Jul 2018 15:03:56 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id HqgD0__94T6T for <babel@ietf.org>; Sun, 1 Jul 2018 15:03:55 +0200 (CEST)
Received: from trurl.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id A57CAEB200 for <babel@ietf.org>; Sun, 1 Jul 2018 15:03:55 +0200 (CEST)
Date: Sun, 01 Jul 2018 15:03:55 +0200
Message-ID: <87k1qfyuo4.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: babel@ietf.org
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Sun, 01 Jul 2018 15:03:15 +0200 (CEST)
X-Miltered: at korolev with ID 5B38D113.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5B38D113.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5B38D113.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/rqeZehLBlDlzGEG9KEmNQCLqLog>
Subject: [babel] Implicit indices (Stenberg) variant of the HMAC protocol
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jul 2018 13:04:02 -0000
Appendix A. Implicit indices [This appendix describes the "implicit indices" variant of the protocol, which is different and incompatible to the "explicit indices" variant described in the body of this document. This section should either be integrated into the body of the document or be removed before publication of this document an RFC, depending on which protocol variant is finally chosen.] The protocol described in the body of this document explicitly sends indices as in each packet as part of the Cryptographic Seqno TLV. Observe that, except when a challenge is required, the index sent on the wire is identical to the index stored in the Neighbour Table, and therefore doesn't need to be sent explicitly except during challenges -- it is enough for it to participate in HMAC computation in order to protect against replay. The "implicit indices" variant of the protocol, due to Markus Stenberg and described in this appendix, uses this information to avoid sending indices explicitly and thus shave off 8 to 10 octets from almost every packet. The changes to the protocol are as follows. The pseudo-header includes the Index, and therefore has the following format: TBD The Cryptographic Seqno TLV no longer contains an Index, and therefore has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | PC +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ This TLV is now self-terminating, and therefore allows sub-TLVs. Packets containing the Challenge Reply and Challenge Request TLVs must contain an explicit index. Two encodings are possible: one uses Challenge Replies and Requests with an extra field for the sender's index, which complicates the encoding somewhat but makes these two TLVs self-terminating, the other one uses a new TLV that is used for carrying an Index, which uses up a new TLV number but makes it possible to reuse these two TLV with other protocols that require a nonce-based challenge. Packet transmission is modified as follows. If a packet contains a Challenge or a Challenge Reply, then the node inserts its index into the packet body. In any case, it uses its current index to generate the pseudo-header that will be used to compute the HMAC and shipping out the packet. (This implies that a packet must be parsed in its entirety before HMAC validation, which requires a robust parser.) Packet reception is modified as follows. Before checking the HMAC of a packet, the receiver checks whether the packet contains an explicit index. If this is the case, it uses the index contained in the packet in order to generate the pseudo header; if this is not the case, it uses the index contained in its neighbours table. If there is no index available for that neighbour (either because the table doesn't contain in an entry for this neighbour, or the entry doesn't contain an index), HMAC validation fails. The index and cryptographic seqno contained in the neighbours table are only updated after HMAC validation has succeeded. Since it is now impossible to differenciate between a failed HMAC and an index change, a node must send a challenge whenever HMAC validation fails. This implies that spoofed packets cause a spurious challenge, but that doesn't change the security properties of the protocol much, given that in any case replayed packets can be used to cause a spurious challenge.
- [babel] Implicit indices (Stenberg) variant of th… Juliusz Chroboczek