Re: [homenet] Fwd: I-D Action: draft-lemon-homenet-babel-security-latest-00.txt

Juliusz Chroboczek <jch@irif.fr> Wed, 25 October 2017 19:06 UTC

Date: Wed, 25 Oct 2017 21:06:28 +0200
Message-ID: <7ir2trt5cb.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Ted Lemon <mellon@fugue.com>
Cc: HOMENET <homenet@ietf.org>, babel@ietf.org
In-Reply-To: <38BC4C7A-3849-4E5D-9459-ABB559FD1D29@fugue.com>
References: <150877479936.24868.15415230941614909127@ietfa.amsl.com> <38BC4C7A-3849-4E5D-9459-ABB559FD1D29@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/_jpoaWl5e7rVkExeL2_k89t4M-o>
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>

[Added babel@ietf to CC.]

Thanks, Ted.

> https://datatracker.ietf.org/doc/draft-lemon-homenet-babel-security-latest/

I'm not a security specialist, so just a few comments:

1.  You're using a TLV, which means that the TLV parser runs before auth.
Is this good practice?  What about using the packet trailer?

2. A number of security mechanisms are being considered for Babel.
There's Denis' RFC 7557, which you're aware of.  The other technique that
we're working on is the use of DTLS.  See point 3.

3. The main improvement of RFC6126bis over 6126 is the ability to run Babel
over unicast with no multicast except for discovery (and no multicast at
all if discovery is done out of band).  This makes it possible to use DTLS
and/or dynamically keyed IPsec to secure Babel.  At least some of the
participants of the Babel WG are in favour of such an approach.

4. It is my understanding that there is consensus in the Babel WG that we
don't adopt before there is an implementation.  That's not to diminish
your input, just the statement of an (IMHO happy) state of affairs.

Dinnertime for me.  Be hearing from you later.

-- Juliusz
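The concern in point 1 is the ordering of parsing and authentication. The following is an added illustration, not code from the draft or from any Babel implementation: a constructed Babel-like packet (4-byte header, TLV body) carries an HMAC in its trailer, so the receiver checks the MAC over header and body before the TLV parser sees a single TLV. The packet layout, key and MAC placement are simplifying assumptions, not the exact format of RFC 7557 or the draft.

```python
import hmac
import hashlib
import struct

# Constructed layout (assumption): header = magic(1) version(1) body-len(2),
# then the TLV body, then a 32-byte HMAC-SHA256 over header+body as the trailer.
MAGIC, VERSION = 42, 2
KEY = b"constructed-shared-key"   # assumed pre-shared key, for illustration only
MAC_LEN = 32

def build_packet(tlvs, key=KEY):
    """Serialise (type, value) pairs as TLVs and append the trailer MAC."""
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)
    header = struct.pack("!BBH", MAGIC, VERSION, len(body))
    mac = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + mac

def parse_tlvs(body):
    """The TLV parser. It is only ever fed data whose MAC already verified."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated TLV header")
        t, l = struct.unpack_from("!BB", body, i)
        i += 2
        if i + l > len(body):
            raise ValueError("truncated TLV value")
        out.append((t, body[i:i + l]))
        i += l
    return out

def receive(packet, key=KEY):
    """Authenticate first, parse second. Returns the TLV list, or None if rejected."""
    # Only the fixed-width header is read before the MAC check; no TLV is touched.
    if len(packet) < 4:
        return None
    magic, version, blen = struct.unpack_from("!BBH", packet, 0)
    if magic != MAGIC or version != VERSION:
        return None
    if len(packet) < 4 + blen + MAC_LEN:
        return None
    authed = packet[:4 + blen]
    mac = packet[4 + blen:4 + blen + MAC_LEN]
    expected = hmac.new(key, authed, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                    # dropped before the TLV parser runs
    return parse_tlvs(packet[4:4 + blen])
```

With a MAC carried as a TLV inside the body instead, the parser would have to walk the TLVs to find the MAC, which is exactly the exposure point 1 asks about.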