Re: [Rift] Security interop testing between RIFT-Juniper and RIFT-Python successfully completed

Tony Przygienda <tonysietf@gmail.com> Fri, 19 July 2019 13:02 UTC

From: Tony Przygienda <tonysietf@gmail.com>
Date: Fri, 19 Jul 2019 09:01:22 -0400
Message-ID: <CA+wi2hOREpe6BF6A=r6gpshRK51JwGB11vcXTZQpqH9ThHS8RA@mail.gmail.com>
To: Bruno Rijsman <brunorijsman@gmail.com>
Cc: rift@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/rift/8v1x9SeX4xCKLp0mshw70ZiblV4>

Bruno, 👍 and as usual thanks for the work. If you
manage some material, great, otherwise I'll strip 2 viewgraphs when giving
the update to the group.

With that we have 2 working interop'ed implementations of the spec.

BTW, the Juniper binary is not on the free download yet (0.10.* is without
sec envelope) but I'll be prep'ing the 0.11 download Bruno was using in the
next 2 weeks here (as I mentioned previously, with much more material
around it included than previously, given we're pretty much done with the
spec and schemas) ...

thanks, see you all in CA

-- tony

On Fri, Jul 19, 2019 at 6:52 AM Bruno Rijsman <brunorijsman@gmail.com>
wrote:

> I am happy to report that I have successfully completed interop testing of
> RIFT security between RIFT-Juniper and RIFT-Python [1].
>
> In my earlier e-mail I had already reported that interoperability was
> achieved for the outer security envelope.
>
> Now, interoperability for origin security envelope is also working. As
> before, interop testing included both positive and negative test cases.
> This completes the interop testing of RIFT security.
>
> We did not find any issues that require changes in the draft. (There was
> only one very minor implementation issue which was quickly fixed.)
>
> For an updated feature guide of security in RIFT-Python see [2] (many
> enhancements were added during interop testing).
>
> Much has changed since I wrote the "RIFT Security Review" document [3]
> and, as a result, it is now out of date. I will update it to reflect the
> changes in the draft since May and the recent experiences from interop
> testing. I hope to post the updated version before the RIFT meeting at the
> IETF-105 in Montreal.
>
> [1] https://github.com/brunorijsman/rift-python
>
> [2] http://bit.ly/rift-python-security-feature-guide
>
> [3] http://bit.ly/rift-security-review
>
> — Bruno
>
> PS: The interoperability tests are fully automated using the “interop.py”
> script in the RIFT-Python repository. The results can easily be reproduced
> by anyone with access to the RIFT-Python code (which is publicly available
> in GitHub), the RIFT-Juniper executable, and an AWS instance or physical
> Ubuntu server.
>
>
> On Jul 17, 2019, at 2:41 PM, Bruno Rijsman <brunorijsman@gmail.com> wrote:
>
> Status update on security interop testing between RIFT-Juniper and
> RIFT-Python:
>
> The outer keys are now interoperating fine.
>
> (A) As expected, the adjacency between RIFT-Juniper and RIFT-Python comes
> up to state 3way, when
>
>  (A1) authentication is disabled or
>
>  (A2) authentication is enabled with the same active keys or
>
>  (A3) authentication is enabled with different active keys and
> corresponding accept keys.
>
> (B) As expected, the adjacency between RIFT-Juniper and RIFT-Python does
> not come up to state 3way, when
>
>  (B1) Authentication is enabled on one side but not the other side
>
>  (B2) Authentication is enabled with different active keys and without
> corresponding accept keys
>
> Challenges along the way:
>
>  (C1) Juniper uses SHA-256(key + payload) whereas RIFT-Python uses
> HMAC-SHA-256(key, payload).  Solution: add support for SHA-256(key +
> payload) to RIFT-Python (in addition to HMAC-SHA-256).
>
>  (C2) RIFT-Juniper used different YAML configuration keywords than
> RIFT-Python.  Solution: change RIFT-Python to use the same configuration
> keywords.
>
>  (C3) RIFT-Juniper only supports configuration of outer keys on a
> per-interface basis, whereas RIFT-Python supports configuring the outer keys
> on a per-node and per-interface basis with an inheritance rule.  Solution:
> for interop testing, only use per-interface configuration.
>
>  (C4) RIFT-Juniper only supports SHA-256, whereas RIFT-Python also
> supports other key lengths (e.g. SHA-224, SHA-384, and more).  Solution:
> limit interop testing to SHA-256.
>
> All four of these issues are implementation issues, and none of these
> issues require any changes to the draft.
>
> Next step: finish interop testing for the origin keys. (I plan to do this
> Thursday morning, Netherlands time.)
>
> — Bruno
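A small model of the behaviour reported in the quoted status update, added here as an example and not code from RIFT-Python or RIFT-Juniper: the two fingerprint constructions contrasted in (C1), and the active/accept-key outcomes of cases (A1) to (A3) and (B1) to (B2). The key ids, key bytes, scheme names, payload and the Node class are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample keys (not from the original e-mail or either implementation).
KEYS = {1: b"outer-key-one", 2: b"outer-key-two"}


def fingerprint(scheme, key, payload):
    """Fingerprint under the two schemes contrasted in (C1)."""
    if scheme == "sha256-prefix":    # RIFT-Juniper style: SHA-256(key + payload)
        return hashlib.sha256(key + payload).digest()
    if scheme == "hmac-sha256":      # RIFT-Python style: HMAC-SHA-256(key, payload)
        return hmac.new(key, payload, hashlib.sha256).digest()
    raise ValueError("unknown scheme: " + scheme)


class Node:
    """One side of an adjacency; active_id=None means authentication disabled."""

    def __init__(self, scheme, active_id=None, accept_ids=()):
        self.scheme = scheme
        self.active_id = active_id
        # Keys this node verifies against: its active key plus any accept keys.
        self.accepted = {kid: KEYS[kid] for kid in accept_ids}
        if active_id is not None:
            self.accepted[active_id] = KEYS[active_id]

    def send(self, payload):
        """Return (key_id, fingerprint, payload); key_id 0 means unauthenticated."""
        if self.active_id is None:
            return (0, b"", payload)
        key = KEYS[self.active_id]
        return (self.active_id, fingerprint(self.scheme, key, payload), payload)

    def receive(self, packet):
        """Accept a packet only if its fingerprint verifies under a known key."""
        key_id, fp, payload = packet
        if self.active_id is None:
            return True   # assumption: a node without authentication ignores fingerprints
        key = self.accepted.get(key_id)
        if key is None:
            return False  # unauthenticated (key_id 0) or unknown key id: rejected
        return hmac.compare_digest(fp, fingerprint(self.scheme, key, payload))


def adjacency_forms(a, b, payload=b"constructed LIE payload"):
    """The adjacency reaches 3way only if each side accepts the other's packets."""
    return a.receive(b.send(payload)) and b.receive(a.send(payload))
```

With the same key on both sides but different constructions (the (C1) situation), the fingerprints differ and the adjacency does not form, so the scheme is as much a part of the agreement as the key itself.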