Re: [babel] [Babel-users] HMAC Key rotation key format (was ripemd)

Ted Lemon <mellon@fugue.com> Thu, 29 November 2018 18:56 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F2B130E66 for <babel@ietfa.amsl.com>; Thu, 29 Nov 2018 10:56:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NgdiD1qlhMSn for <babel@ietfa.amsl.com>; Thu, 29 Nov 2018 10:56:23 -0800 (PST)
Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE595130E64 for <babel@ietf.org>; Thu, 29 Nov 2018 10:56:23 -0800 (PST)
Received: by mail-qk1-x744.google.com with SMTP id y16so1706975qki.7 for <babel@ietf.org>; Thu, 29 Nov 2018 10:56:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aHlTyToNJ1oItMauTeMYUiIg++PjDERaq8axGTG+//E=; b=ZxJ7KOy/lHLMTYDeJek8orbwMiZWs8NdrwWcfrjkNChdmesQ6DNaPuGmWB+xlfTLPA XdgwJddWMtVBc3TlmeK8rLSD0ee3ORRip5FoH7ermEZYEymOrjnf1yVwq1+G5sxFqktW R/dRD1J6W60JWDV+398gAMU0Xgy18hKrrvBXJU28+L74xxjdxILobcAOtUkxyxdU/s9G ka2r7nzjWPtO4xvYHS/URL8dy89ffrGe70h1MsU8SEht2miJ3l1QTgmDYuDm6ECQ65SC r6bx20lyOMEQj1cLgIGsE3HJKrWiWHKiRAgnoSwLkF+F3CABeqEKkRh+jKZ93WByHaFt HuqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aHlTyToNJ1oItMauTeMYUiIg++PjDERaq8axGTG+//E=; b=R6ZyvARrgnZVjmSc24aGs52irfZGx5ErH7TZNeiHzSJX3CzNbmNb6PPi3NnhO/e+hv 4KV7AoJrnxdORbHUIAYMfAyVYI3ut4WSbGxOXbnp0IlaPXSIJusrrFZdaeZx0aN7azli +KX7XDomYDMwfT6MM2wEXxfehoSLPSDjc/dejLCBOBpVSXe5QSvRrn9gMEJDsZQ4Zul+ rWfi9IzcQNqFvlMSqxz203rkahFck/CCwpc/7xJBHPOJKlCV2yjbYyEUocnpYXKBRDL3 ZU4vlXG5aSTNYUggRaxFzHc7gRhBNdomBKYmVokqlFL0iGA7F6XB18zvA7zLvP7+CR1X lojA==
X-Gm-Message-State: AA+aEWaXxaIZgRrLwYleBTHP4mCCVOtAeivONuVhn5Hw3BTAiF/EiuyX 6RmTLP23LMvJ5JdEJx1Ls6BYJ+Gamfn4YpoFokVWqw==
X-Google-Smtp-Source: AFSGD/UPJTMRoW3M+Q3sPUMmZJZlE8vVF7MFGM5Jk86Y9bwq0XX1jWzyLKkpQ90USrW6tjkDajd2LFTFpao+e4PMPO8=
X-Received: by 2002:a37:c12:: with SMTP id 18mr2376835qkm.317.1543517782764; Thu, 29 Nov 2018 10:56:22 -0800 (PST)
MIME-Version: 1.0
References: <CAA93jw5fHRm21yEJsabiiOF1ZP7Zh3M_gEgRo0imBOpRGhf0qA@mail.gmail.com> <87in0koun6.wl-jch@irif.fr> <87in0kx98o.fsf@toke.dk> <CAA93jw5gaYgyUX-ABX156_TnFX25Sy5SLyuRgd28fMLfRW4UHA@mail.gmail.com> <871s78x7z0.fsf@toke.dk> <CAA93jw6268QC1kmHEasJ-FbyXL_mgfQc_C-6cdksHd02ceb2Kw@mail.gmail.com> <D6974BC8-4314-47C0-B3D4-6ED8B4C8A528@gmail.com> <87tvk0xvf4.fsf@taht.net>
In-Reply-To: <87tvk0xvf4.fsf@taht.net>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 29 Nov 2018 13:55:46 -0500
Message-ID: <CAPt1N1nq=7dDBr9=+FgiVCGPhUbCTkkHGUSUipKBuwBqE-5HRQ@mail.gmail.com>
To: =?UTF-8?Q?Dave_T=C3=A4ht?= <dave@taht.net>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, keyur@arrcus.com, bew@cisco.com, Dave Taht <dave.taht@gmail.com>, Babel at IETF <babel@ietf.org>, babel-users@lists.alioth.debian.org
Content-Type: multipart/alternative; boundary="0000000000002585b7057bd23ddd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/tHQOuH71t2segImegPGeVizPam4>
Subject: Re: [babel] [Babel-users] HMAC Key rotation key format (was ripemd)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Nov 2018 18:56:26 -0000

On Thu, Nov 29, 2018 at 1:14 AM Dave Taht <dave@taht.net> wrote:

> Mahesh Jethanandani <mjethanandani@gmail.com> writes:
> > A draft that proposed pair-wise key management was proposed here. It
> > does not address the question of timestamp, but is something that
> > could be exchanged as part of key rollover to allow routers to
> > calculate the delta. Including the original authors of the draft.
>
> I'm sorry but adding this level of complexity is not in the cards
> from my perspective. Layering key exchange over a different out of band
> medium, being a slip of paper, a telephone call, ssh or https seems
> saner.


FWIW, for homenet the thought was to use HNCP to distribute keys amongst
routers.   This doesn't solve the general problem, but illustrates your
point, Dave, that this is something that can be provisioned out of band.
(In the HNCP case we're talking about public keys for DTLS, not shared
secrets, of course).   This seems like a better choice than a complicated
pairwise key management strategy for HMAC.