Re: [Homenet-babel-sec] [babel] What's up with HNCP security?

Ted Lemon <mellon@fugue.com> Sun, 28 May 2017 23:14 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <1F8BA8E0-7518-4288-B679-749906B1B19F@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E69714F6-D9F1-41EF-AC34-9EEF938646DC"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Sun, 28 May 2017 19:14:48 -0400
In-Reply-To: <B67775FF-31CB-42F6-ABDF-BD47BEA1DB56@iki.fi>
Cc: Juliusz Chroboczek <jch@irif.fr>, homenet-babel-sec@ietf.org, babel@ietf.org
To: Markus Stenberg <markus.stenberg@iki.fi>
References: <87d1ask7d9.wl-jch@irif.fr> <B67775FF-31CB-42F6-ABDF-BD47BEA1DB56@iki.fi>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet-babel-sec/RybJcJG4qHWopw8YLNzw20cPBAc>
Subject: Re: [Homenet-babel-sec] [babel] What's up with HNCP security?

On May 28, 2017, at 5:53 PM, Markus Stenberg <markus.stenberg@iki.fi> wrote:
> HNCP supports negotiating network-wide shared keys for arbitrary services (such as RPs). If my hncp_proto.h has valid values, TLV to look for is number 42, ironically enough.
> 
> hnetd the implementation does not implement this yet, as I am not convinced it is a good idea. I welcome merge requests though if someone wants to implement it. (it is one of the few missing parts of the spec from hnetd)

The idea is to have key pairs, not network wide keys (this is why Juliusz needs unicast hellos in Babel). Network wide keys are useless.