Re: [homenet] Fwd: I-D Action: draft-lemon-homenet-babel-security-latest-00.txt

Ted Lemon <mellon@fugue.com> Wed, 25 October 2017 19:12 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <04245DC4-A547-4A3C-8D79-AE2A945050CB@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_401A5693-A52F-4547-BEDD-3B366714D2C9"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 25 Oct 2017 15:12:07 -0400
In-Reply-To: <7ir2trt5cb.wl-jch@irif.fr>
Cc: HOMENET <homenet@ietf.org>, babel@ietf.org
To: Juliusz Chroboczek <jch@irif.fr>
References: <150877479936.24868.15415230941614909127@ietfa.amsl.com> <38BC4C7A-3849-4E5D-9459-ABB559FD1D29@fugue.com> <7ir2trt5cb.wl-jch@irif.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/SQ-b3dNm9nQlkVPHLSDji_PdqI0>

On Oct 25, 2017, at 3:06 PM, Juliusz Chroboczek <jch@irif.fr> wrote:
> 1.  You're using a TLV, which means that the TLV parser runs before auth.
> Is this good practice?  What about using the packet trailer?

If you aren't using a shotgun parser, it shouldn't matter.

> 2. A number of security mechanisms are being considered for Babel.
> There's Denis' RFC 7557, which you're aware of.  The other technique that
> we're working on is the use of DTLS.  See point 3.
> 
> 3. The main improvement of RFC6126bis over 6126 is the ability to run Babel
> over unicast with no multicast except for discovery (and no multicast at
> all if discovery is done out of band).  This makes it possible to use DTLS
> and/or dynamically keyed IPsec to secure Babel.  At least some of the
> participants of the Babel WG are in favour of such an approach.

Yup.   DTLS is just convenient—it means that it's not necessary to re-invent the wheel.

> 4. It is my understanding that there is consensus in the Babel WG that we
> don't adopt before there is an implementation.  That's not to diminish
> your input, just the statement of an (IMHO happy) state of affairs.

That makes perfect sense to me.   I don't think the DTLS implementation would be that hard—is there any chance that anyone would be interested in working on this during the hackathon in Singapore?   I say "anyone" because I don't want to put you on the spot.
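The verify-then-parse layout argued over in point 1, as an added example (not code from the draft, from babeld, or from either author): only the fixed-size RFC 6126 header is read to find the body length, the MAC TLV in the packet trailer is checked over header+body before any body TLV is parsed, and the TLV walker itself is strict rather than a shotgun parser. The TLV_MAC type value, the HMAC-SHA256 trailer layout and the key are constructed assumptions for this example, not the RFC 7298 format.

```python
import hmac
import hashlib
import struct

MAGIC, VERSION = 42, 2       # RFC 6126 packet header: magic and version bytes
TLV_PAD1, TLV_MAC = 0, 250   # Pad1 is RFC 6126; TLV_MAC is a constructed type for this example
MAC_LEN = 32                 # HMAC-SHA256 digest length


def parse_tlvs(data):
    """Strict TLV walk: every length is checked before any value is touched."""
    tlvs, i = [], 0
    while i < len(data):
        t = data[i]
        if t == TLV_PAD1:            # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        n = data[i + 1]
        if i + 2 + n > len(data):
            raise ValueError("TLV length runs past end of data")
        tlvs.append((t, data[i + 2:i + 2 + n]))
        i += 2 + n
    return tlvs


def build_packet(body, key):
    """Header + body, then a trailer TLV carrying HMAC-SHA256 over header + body."""
    header = struct.pack("!BBH", MAGIC, VERSION, len(body))
    mac = hmac.new(key, header + body, hashlib.sha256).digest()
    trailer = bytes([TLV_MAC, MAC_LEN]) + mac
    return header + body + trailer


def receive(packet, key):
    """Authenticate first, then parse: body TLVs are never parsed before the MAC is verified."""
    if len(packet) < 4:
        raise ValueError("short packet")
    magic, version, body_len = struct.unpack("!BBH", packet[:4])
    if magic != MAGIC or version != VERSION or 4 + body_len > len(packet):
        raise ValueError("bad header")
    authed, trailer = packet[:4 + body_len], packet[4 + body_len:]
    macs = [v for t, v in parse_tlvs(trailer) if t == TLV_MAC]   # only the trailer is walked pre-auth
    expected = hmac.new(key, authed, hashlib.sha256).digest()
    if not any(hmac.compare_digest(m, expected) for m in macs):
        raise ValueError("authentication failed")
    return parse_tlvs(authed[4:])   # body is parsed only after the MAC check
```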