[babel] Roman Danyliw's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 07 August 2019 19:35 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: babel@ietf.org
Delivered-To: babel@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CD41E120693; Wed, 7 Aug 2019 12:35:06 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-babel-hmac@ietf.org, Donald Eastlake <d3e3e3@gmail.com>, babel-chairs@ietf.org, d3e3e3@gmail.com, babel@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <156520650683.8432.7109781814790904901.idtracker@ietfa.amsl.com>
Date: Wed, 07 Aug 2019 12:35:06 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/ytHAV1dI6_cIggycRrVGIZhbV54>
Subject: [babel] Roman Danyliw's Discuss on draft-ietf-babel-hmac-08: (with DISCUSS and COMMENT)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2019 19:35:07 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-babel-hmac-08: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-babel-hmac/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- A few minor clarifications needed for implementation/precision in the security claims: (1) Section 1.2. Per “any packet accepted as authentic is the exactly copy of a packet originally sent”, this text can be read two ways – packet as Babel packet or as an IP packet. I think mean the former. Recommend making this clearer as s/any packet/any Babel packet/ (2) Section 2, Per the paragraph, “By itself, this mechanism is safe against replay …”, please reiterate that for the attack by C to work: A and B must have both lost state; that C is replaying packets with PC previously sent by B (e.g., n+2). (3) Section 4.1. Per “The node takes the concatenation of the pseudo-header and the packet including the packet header but excluding the packet trailer (from octet 0 inclusive up to (Body Length + 4) exclusive)”, as input for the HMAC. “packet” is used to sometimes mean IP packet and sometimes a Babel packet carried in an IP packet. As such, the above sentence could be interpretation as: Option #1: HMAC(pseudo-header + the IP header + Babel packet header + Babel packet body) Option #2: HMAC(pseudo-header + Babel packet header + Babel packet body) I believe it is option #2. Please be very clear in this text. Other items: (4) Section 2. This section suggests that “one or more HMACs can be appended to the packet”. Under what conditions would it be more than one? What happens if only some of the HMACs are valid? Is use of the same key assumed? (5) Section 4.1. The hash algorithm appears to be negotiated/set out of band (rather than negotiated). The text should explicitly state that somewhere. (6) Section 6. Per “In particular, reception of a packet with no correct HMAC creates no local state whatsoever (Section 4.3)”, unless this HMAC verification is happening on the NIC, this doesn’t seem sufficiently precise. The “no local state” claim is likely true only as it relates to the tables data structures describes in Section 3. However, the IP and DTLS stack certainly have to account for the packet. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- (7) Section 1 enumerates a series of attacks. These are different than the ones listed in Section 6 of draft-ietf-babel-rfc6126bis and Section 1 of draft-ietf-babel-dtls. As HMAC and DTLS are mitigations for attacks in draft-ietf-babel-rfc6126bis, they really should be harmonized. (8) Section 1. Per the “spoof of a malformed packet”, how would an HMAC address this? Even assuming that a node discards the message without processing if the HMAC is bad, this would still be a problem from a malicious peer. (9) Editorial nits: -- Section 1. “seqno” is commonly used in Babel text but it needs to be cited of explained here on for used -- s/seqno/sequence number/ -- Section 1.2. Editorial. s/serious effort/effort/ -- Section 3.1. Typo. s/authentified/authenticated/ -- Section 5.3. Typo. s/minumum/minimum/
- [babel] Roman Danyliw's Discuss on draft-ietf-bab… Roman Danyliw via Datatracker
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Juliusz Chroboczek
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Juliusz Chroboczek
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [babel] Roman Danyliw's Discuss on draft-ietf… Donald Eastlake