Re: [babel] rtgdir Last Call Review requested: draft-ietf-babel-dtls

Juliusz Chroboczek <jch@irif.fr> Sun, 07 July 2019 12:15 UTC

Date: Sun, 07 Jul 2019 14:15:29 +0200
Message-ID: <87bly6vy5a.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: Henning Rogge <hrogge@gmail.com>, "Yemin (Amy)" <amy.yemin@huawei.com>, Antonin Décimo <antonin.decimo@gmail.com>, Martin Vigoureux <martin.vigoureux@nokia.com>, LucAndré Burdet <laburdet.ietf@gmail.com>, Babel at IETF <babel@ietf.org>
In-Reply-To: <CAPDSy+5c+xFqi3C_9xXW9Dvwmg_x8bkg-4y_zsC+p17R40dY8w@mail.gmail.com>
References: <156105440578.3118.4917846383408119793.idtracker@ietfa.amsl.com> <9C5FD3EFA72E1740A3D41BADDE0B461FCFC76069@DGGEMM528-MBX.china.huawei.com> <CAGnRvup1FvMU85N4psgG52tZBZwA-qhwCKuBdA7RxvcNLMpNmA@mail.gmail.com> <CAPDSy+5c+xFqi3C_9xXW9Dvwmg_x8bkg-4y_zsC+p17R40dY8w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/wZOOhPjOBK1xF6EsuxLTCdctcQE>

>     I wonder if using DTLS protected unicast Hellos should be mandatory...
>     using unprotected multicast to determine bidirectional reachability
>     looks like a good way to do a cheap denial of service attack.

> In Babel, bidirectional reachability is established using both Hellos and IHUs.
> We explicitly require DTLS protection for IHUs to prevent an attacker
> from tricking you into thinking you have bidirectional reachability.
> This reduces the protocol's attack surface by limiting what an attacker can do.

I think David's answer is clear, but I'll insist some more, since this is
an important point (and we got it wrong in an earlier draft).

In Babel, the equivalent of an OSPF Hello is a pair of Hello (establishes
reverse reachability) and IHU (establishes direct reachability).
Bidirectional reachability is only established after a successful
Hello/IHU exchange.

In cleartext Babel, both Hellos and IHUs can be sent over either multicast
or unicast.  In DTLS-protected Babel, Hellos can be sent over either
(unprotected) multicast or (protected) unicast, while IHUs can only be
sent over (protected) unicast and are silently ignored if sent over multicast.

Hence, bidirectional reachability requires a protected IHU to be received.

-- Juliusz
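The reception rule described in this message, as an added state model (not babeld code and not part of the thread): Hellos are accepted over either transport, but in DTLS mode an IHU counts only if it arrived over a protected unicast association, so a peer that only ever sends unprotected multicast can never be marked bidirectionally reachable. Names (`Neighbour`, `accept_tlv`, `run_multicast_only`) are assumptions made for this example.

```python
"""Model of the Hello/IHU rule for cleartext vs. DTLS-protected Babel.

Constructed example: a small reception state model, not an implementation.
In DTLS mode all unicast traffic is assumed to be inside the DTLS
association (the only unprotected transport is multicast).
"""
from dataclasses import dataclass, field


@dataclass
class Neighbour:
    hello_seen: bool = False   # reverse reachability (their Hello reached us)
    ihu_seen: bool = False     # direct reachability (they heard our Hello)
    ignored: list = field(default_factory=list)


def accept_tlv(neigh: Neighbour, tlv: str, transport: str, dtls_mode: bool) -> bool:
    """Apply the rule to one received TLV and return whether it was accepted.

    cleartext mode: Hello and IHU accepted over unicast or multicast.
    DTLS mode:      Hello accepted over either; IHU only over (protected)
                    unicast, silently ignored if it arrived over multicast.
    """
    if transport not in ("unicast", "multicast") or tlv not in ("Hello", "IHU"):
        raise ValueError((tlv, transport))
    if dtls_mode and tlv == "IHU" and transport == "multicast":
        neigh.ignored.append(tlv)   # silently ignored, no state change
        return False
    if tlv == "Hello":
        neigh.hello_seen = True
    else:
        neigh.ihu_seen = True
    return True


def bidirectional(neigh: Neighbour) -> bool:
    """Bidirectional reachability needs a successful Hello/IHU exchange."""
    return neigh.hello_seen and neigh.ihu_seen


def run_multicast_only(dtls_mode: bool) -> bool:
    """A peer that sends only unprotected multicast Hello and IHU."""
    n = Neighbour()
    accept_tlv(n, "Hello", "multicast", dtls_mode)
    accept_tlv(n, "IHU", "multicast", dtls_mode)
    return bidirectional(n)


def run_protected_exchange() -> bool:
    """DTLS mode: multicast Hello followed by an IHU over protected unicast."""
    n = Neighbour()
    accept_tlv(n, "Hello", "multicast", True)
    accept_tlv(n, "IHU", "unicast", True)
    return bidirectional(n)
```

In cleartext mode the multicast-only peer is accepted as reachable; in DTLS mode the multicast IHU is dropped and reachability is only reached via the protected unicast IHU.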