Re: [babel] [Babel-users] HMAC Key rotation key format (was ripemd)
Ted Lemon <mellon@fugue.com> Thu, 29 November 2018 18:56 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F2B130E66 for <babel@ietfa.amsl.com>; Thu, 29 Nov 2018 10:56:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NgdiD1qlhMSn for <babel@ietfa.amsl.com>; Thu, 29 Nov 2018 10:56:23 -0800 (PST)
Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE595130E64 for <babel@ietf.org>; Thu, 29 Nov 2018 10:56:23 -0800 (PST)
Received: by mail-qk1-x744.google.com with SMTP id y16so1706975qki.7 for <babel@ietf.org>; Thu, 29 Nov 2018 10:56:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aHlTyToNJ1oItMauTeMYUiIg++PjDERaq8axGTG+//E=; b=ZxJ7KOy/lHLMTYDeJek8orbwMiZWs8NdrwWcfrjkNChdmesQ6DNaPuGmWB+xlfTLPA XdgwJddWMtVBc3TlmeK8rLSD0ee3ORRip5FoH7ermEZYEymOrjnf1yVwq1+G5sxFqktW R/dRD1J6W60JWDV+398gAMU0Xgy18hKrrvBXJU28+L74xxjdxILobcAOtUkxyxdU/s9G ka2r7nzjWPtO4xvYHS/URL8dy89ffrGe70h1MsU8SEht2miJ3l1QTgmDYuDm6ECQ65SC r6bx20lyOMEQj1cLgIGsE3HJKrWiWHKiRAgnoSwLkF+F3CABeqEKkRh+jKZ93WByHaFt HuqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aHlTyToNJ1oItMauTeMYUiIg++PjDERaq8axGTG+//E=; b=R6ZyvARrgnZVjmSc24aGs52irfZGx5ErH7TZNeiHzSJX3CzNbmNb6PPi3NnhO/e+hv 4KV7AoJrnxdORbHUIAYMfAyVYI3ut4WSbGxOXbnp0IlaPXSIJusrrFZdaeZx0aN7azli +KX7XDomYDMwfT6MM2wEXxfehoSLPSDjc/dejLCBOBpVSXe5QSvRrn9gMEJDsZQ4Zul+ rWfi9IzcQNqFvlMSqxz203rkahFck/CCwpc/7xJBHPOJKlCV2yjbYyEUocnpYXKBRDL3 ZU4vlXG5aSTNYUggRaxFzHc7gRhBNdomBKYmVokqlFL0iGA7F6XB18zvA7zLvP7+CR1X lojA==
X-Gm-Message-State: AA+aEWaXxaIZgRrLwYleBTHP4mCCVOtAeivONuVhn5Hw3BTAiF/EiuyX 6RmTLP23LMvJ5JdEJx1Ls6BYJ+Gamfn4YpoFokVWqw==
X-Google-Smtp-Source: AFSGD/UPJTMRoW3M+Q3sPUMmZJZlE8vVF7MFGM5Jk86Y9bwq0XX1jWzyLKkpQ90USrW6tjkDajd2LFTFpao+e4PMPO8=
X-Received: by 2002:a37:c12:: with SMTP id 18mr2376835qkm.317.1543517782764; Thu, 29 Nov 2018 10:56:22 -0800 (PST)
MIME-Version: 1.0
References: <CAA93jw5fHRm21yEJsabiiOF1ZP7Zh3M_gEgRo0imBOpRGhf0qA@mail.gmail.com> <87in0koun6.wl-jch@irif.fr> <87in0kx98o.fsf@toke.dk> <CAA93jw5gaYgyUX-ABX156_TnFX25Sy5SLyuRgd28fMLfRW4UHA@mail.gmail.com> <871s78x7z0.fsf@toke.dk> <CAA93jw6268QC1kmHEasJ-FbyXL_mgfQc_C-6cdksHd02ceb2Kw@mail.gmail.com> <D6974BC8-4314-47C0-B3D4-6ED8B4C8A528@gmail.com> <87tvk0xvf4.fsf@taht.net>
In-Reply-To: <87tvk0xvf4.fsf@taht.net>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 29 Nov 2018 13:55:46 -0500
Message-ID: <CAPt1N1nq=7dDBr9=+FgiVCGPhUbCTkkHGUSUipKBuwBqE-5HRQ@mail.gmail.com>
To: Dave Täht <dave@taht.net>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, keyur@arrcus.com, bew@cisco.com, Dave Taht <dave.taht@gmail.com>, Babel at IETF <babel@ietf.org>, babel-users@lists.alioth.debian.org
Content-Type: multipart/alternative; boundary="0000000000002585b7057bd23ddd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/tHQOuH71t2segImegPGeVizPam4>
Subject: Re: [babel] [Babel-users] HMAC Key rotation key format (was ripemd)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Nov 2018 18:56:26 -0000
On Thu, Nov 29, 2018 at 1:14 AM Dave Taht <dave@taht.net> wrote: > Mahesh Jethanandani <mjethanandani@gmail.com> writes: > > A draft that proposed pair-wise key management was proposed here. It > > does not address the question of timestamp, but is something that > > could be exchanged as part of key rollover to allow routers to > > calculate the delta. Including the original authors of the draft. > > I'm sorry but adding this level of complexity is not in the cards > from my perspective. Layering key exchange over a different out of band > medium, being a slip of paper, a telephone call, ssh or https seems > saner. FWIW, for homenet the thought was to use HNCP to distribute keys amongst routers. This doesn't solve the general problem, but illustrates your point, Dave, that this is something that can be provisioned out of band. (In the HNCP case we're talking about public keys for DTLS, not shared secrets, of course). This seems like a better choice than a complicated pairwise key management strategy for HMAC.
- [babel] rather than ripemd160... Dave Taht
- Re: [babel] rather than ripemd160... Juliusz Chroboczek
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- [babel] HMAC and MTI [was: rather than ripemd160.… Juliusz Chroboczek
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- Re: [babel] HMAC and MTI [was: rather than ripemd… Markus Stenberg
- Re: [babel] HMAC and MTI [was: rather than ripemd… Toke Høiland-Jørgensen
- [babel] HMAC Key rotation key format (was ripemd) Dave Taht
- Re: [babel] HMAC and MTI [was: rather than ripemd… Juliusz Chroboczek
- Re: [babel] HMAC Key rotation key format (was rip… Mahesh Jethanandani
- Re: [babel] [Babel-users] rather than ripemd160... STARK, BARBARA H
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- Re: [babel] HMAC Key rotation key format (was rip… Toke Høiland-Jørgensen
- Re: [babel] HMAC Key rotation key format (was rip… Dave Taht
- Re: [babel] HMAC Key rotation key format (was rip… Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] rather than ripemd160... David Schinazi
- Re: [babel] [Babel-users] HMAC Key rotation key f… David Schinazi
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- Re: [babel] [Babel-users] rather than ripemd160... Juliusz Chroboczek
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] rather than ripemd160... David Schinazi
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- [babel] DTLS and hmac co-existence Dave Taht
- Re: [babel] [Babel-users] DTLS and hmac co-existe… David Schinazi
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] HMAC Key rotation key f… Dave Taht
- Re: [babel] [Babel-users] rather than ripemd160... Dave Taht
- Re: [babel] [Babel-users] DTLS and hmac co-existe… Dave Taht
- Re: [babel] [Babel-users] HMAC Key rotation key f… Ted Lemon
- Re: [babel] [Babel-users] rather than ripemd160... Markus Stenberg
- Re: [babel] [Babel-users] rather than ripemd160... Toke Høiland-Jørgensen
- [babel] Blake2S, blake2B or neither? [was: rather… Juliusz Chroboczek
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Toke Høiland-Jørgensen
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Markus Stenberg
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Juliusz Chroboczek
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Toke Høiland-Jørgensen
- Re: [babel] Blake2S, blake2B or neither? [was: ra… Juliusz Chroboczek
- Re: [babel] [Babel-users] Blake2S, blake2B or nei… Dave Taht
- Re: [babel] [Babel-users] HMAC Key rotation key f… Juliusz Chroboczek
- Re: [babel] HMAC Key rotation key format (was rip… Juliusz Chroboczek
- Re: [babel] HMAC Key rotation key format (was rip… Dave Taht
- Re: [babel] HMAC Key rotation key format (was rip… Markus Stenberg