Re: [homenet] Fwd: I-D Action: draft-lemon-homenet-babel-security-latest-00.txt

Ted Lemon <> Wed, 25 October 2017 19:12 UTC

From: Ted Lemon <>
Date: Wed, 25 Oct 2017 15:12:07 -0400
To: Juliusz Chroboczek <>
List-Id: IETF Homenet WG mailing list <>

On Oct 25, 2017, at 3:06 PM, Juliusz Chroboczek <> wrote:
> 1.  You're using a TLV, which means that the TLV parser runs before auth.
> Is this good practice?  What about using the packet trailer ?

If you aren't using a shotgun parser, it shouldn't matter.

> 2. A number of security mechanisms are being considered for Babel.
> There's Denis' RFC 7557, which you're aware of.  The other technique that
> we're working on is the use of DTLS.  See point 3.
> 3. The main improvement of RFC6126bis over 6126 is the ability to run Babel
> over unicast with no multicast except for discovery (and no multicast at
> all if discovery is done out of band).  This makes it possible to use DTLS
> and/or dynamically keyed IPsec to secure Babel.  At least some of the
> participants of the Babel WG are in favour of such an approach.

Yup.   DTLS is just convenient—it means that it's not necessary to re-invent the wheel.

> 4. It is my understanding that there is consensus in the Babel WG that we
> don't adopt before there is an implementation.  That's not to diminish
> your input, just the statement of an (IMHO happy) state of affairs.

That makes perfect sense to me.   I don't think the DTLS implementation would be that hard—is there any chance that anyone would be interested in working on this during the hackathon in Singapore?   I say "anyone" because I don't want to put you on the spot.
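The "TLV parser runs before auth" point in item 1, and the "it shouldn't matter without a shotgun parser" answer, are easiest to see in code. The following is an added example, not code from the draft, from Babel, or from either correspondent. It assumes the RFC 6126 packet header (magic 42, version 2, 16-bit body length) and the RFC 7557 notion of a packet trailer after the body; the trailer MAC TLV type number (200), the use of HMAC-SHA256, and the Hello TLV sample body are assumptions made only for the demonstration. The parser is strict: any TLV whose length overruns the buffer rejects the whole packet, so the only thing examined before the MAC check (the trailer) cannot cause partial acceptance of attacker-controlled data.

```python
import hashlib
import hmac
import struct

# Babel packet header (RFC 6126): magic 42, version 2, 16-bit body length.
BABEL_MAGIC = 42
BABEL_VERSION = 2
TLV_PAD1 = 0      # single-byte padding TLV, no length field
TLV_HELLO = 4     # used only to build a realistic sample body
TLV_MAC = 200     # ASSUMPTION: hypothetical trailer TLV type carrying the MAC


def parse_tlvs(buf):
    """Strict TLV walk: every length is checked before anything is read, and
    one malformed TLV rejects the whole buffer with ValueError instead of
    returning whatever could be salvaged (the "shotgun" behaviour)."""
    tlvs = []
    i, n = 0, len(buf)
    while i < n:
        t = buf[i]
        if t == TLV_PAD1:
            i += 1
            continue
        if i + 2 > n:
            raise ValueError("truncated TLV header at offset %d" % i)
        length = buf[i + 1]
        if i + 2 + length > n:
            raise ValueError("TLV length %d overruns buffer at offset %d" % (length, i))
        tlvs.append((t, bytes(buf[i + 2:i + 2 + length])))
        i += 2 + length
    return tlvs


def split_packet(pkt):
    """Validate the fixed header and return (header+body, trailer)."""
    if len(pkt) < 4:
        raise ValueError("packet shorter than header")
    magic, version, body_len = struct.unpack("!BBH", pkt[:4])
    if magic != BABEL_MAGIC or version != BABEL_VERSION:
        raise ValueError("not a Babel v2 packet")
    if 4 + body_len > len(pkt):
        raise ValueError("body length exceeds packet")
    return bytes(pkt[:4 + body_len]), bytes(pkt[4 + body_len:])


def build_packet(body_tlvs, key):
    """Encode body TLVs, then append a trailer MAC over header+body (assumed scheme)."""
    body = b"".join(bytes([t, len(v)]) + v for t, v in body_tlvs)
    header = struct.pack("!BBH", BABEL_MAGIC, BABEL_VERSION, len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + bytes([TLV_MAC, len(tag)]) + tag


def verify_then_parse(pkt, key):
    """Check the trailer MAC over header+body; only then parse the body TLVs."""
    covered, trailer = split_packet(pkt)
    # The trailer is the only data parsed before authentication, and it goes
    # through the same strict parser, so a bad trailer is an error, never a
    # partially accepted packet.
    tags = [v for t, v in parse_tlvs(trailer) if t == TLV_MAC]
    expected = hmac.new(key, covered, hashlib.sha256).digest()
    if not any(hmac.compare_digest(tag, expected) for tag in tags):
        raise ValueError("MAC check failed")
    return parse_tlvs(covered[4:])


def rejects(pkt, key):
    """True if verify_then_parse refuses the packet."""
    try:
        verify_then_parse(pkt, key)
    except ValueError:
        return True
    return False


# Constructed sample: one Hello TLV (reserved=0, seqno=1, interval=100 centiseconds).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_HELLO = (TLV_HELLO, struct.pack("!HHH", 0, 1, 100))


def demo():
    good = build_packet([SAMPLE_HELLO], SAMPLE_KEY)
    accepted = verify_then_parse(good, SAMPLE_KEY)

    # Flip one bit in the Hello seqno: header and lengths still parse, MAC fails.
    tampered = bytearray(good)
    tampered[4 + 2 + 3] ^= 0x01
    tampered_rejected = rejects(tampered, SAMPLE_KEY)

    # Body TLV claims 16 bytes but only 2 follow: the strict parser raises.
    try:
        parse_tlvs(b"\x04\x10\x00\x00")
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return accepted, tampered_rejected, truncated_rejected


if __name__ == "__main__":
    print(demo())
```

The trailer placement answers the question in item 1 directly: nothing in the body is interpreted until the MAC over header+body verifies, and the trailer walk that runs before the check is bounded by the same length validation, so a forged packet costs the receiver one HMAC computation and nothing else.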