IETF Logo Mail Archive

Re: [Rift] Initial implementation of security in RIFT-Python is complete

Bruno Rijsman <brunorijsman@gmail.com> Wed, 01 May 2019 20:29 UTC

Return-Path: <brunorijsman@gmail.com>
X-Original-To: rift@ietfa.amsl.com
Delivered-To: rift@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 888DD120094 for <rift@ietfa.amsl.com>; Wed, 1 May 2019 13:29:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCJOkGmSzR3Q for <rift@ietfa.amsl.com>; Wed, 1 May 2019 13:29:35 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09E7312004F for <rift@ietf.org>; Wed, 1 May 2019 13:29:35 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id p20so42939qtc.9 for <rift@ietf.org>; Wed, 01 May 2019 13:29:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=2MpmD+i83JweT1KWljWnbyLdfAcmHGesey7A59dL+ZQ=; b=hXjkyeu/uwXBJTZ6NcvcO/iFvRqvJuM+n4bedYxYygbtmEJisZ2mn+Ecaocv1r5Yam wOW3yRj7p6S7+uRHYdMZLzrUVRyW20/3lxR99Y3MbQ4LM9mT8mP+o9EelqKT/cUwsllL HVAB+C31BUqBmLw8bd8NdF3HcMwc6d9yDYs66hX2iuyiuqdDzm4hafefxNZhHw2Sw/x9 2meF/0hmw20I/kx7tvoNVOYroWUE0kyndk0t5Y7vjQYwSnYYaT/0wgC+k1TwRytc8+iq Rz1D+SRV9rNu7Bs1xNp23m2lb9tqPJuNhAzpuRb9nfvT48JvkdQpJyakX94cNPAQhGkm cEtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=2MpmD+i83JweT1KWljWnbyLdfAcmHGesey7A59dL+ZQ=; b=PIb9LvDTQw7kNtRECY7dgIh0OujReV/6d2ul+2Jd2An6s2C/iHAT05wxkYM12NKFL8 8dYywM1rtyyP9m07Y5LGiQIprjtmYh7VkGjhZFybSOwgh5kl8abURSPmV3H21uH2efSA MtFenyiMRQLSJnoj5ESGHb9AnvWduTH+9L4irvvpQV6WW68RnKkXpvn5SH/fZ6vC1mpn TbaMi0N3H6h66VutBHWeiL4V2IleRFNRm8U4frRb36L0LVVTcyZFiZIjjeFnW7n9Qsgi c+TJ3Zt+/NvEYi6fwAsV8TPwYaRxaZGRA0GpecibOgQCO72zGSEVb0wid2p9poAI7PbP I4Zw==
X-Gm-Message-State: APjAAAUM2yq6iBB1zANavZ7aMou5aiaRrfgmR/CXc56e+ECpT8HGr/Cw 7emfHqtPWc09XYczHnDYHCY=
X-Google-Smtp-Source: APXvYqw0wvsJta4eCEGRv9FsStu/ej0qfgcoHRBm0uZ+68Qc+exWmeaiQzD8iDsU9oY5ZqLy2LlDCA==
X-Received: by 2002:a0c:898e:: with SMTP id 14mr158262qvr.11.1556742573804; Wed, 01 May 2019 13:29:33 -0700 (PDT)
Received: from [192.168.43.236] ([191.125.168.255]) by smtp.gmail.com with ESMTPSA id w58sm22421056qtw.93.2019.05.01.13.29.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 May 2019 13:29:33 -0700 (PDT)
From: Bruno Rijsman <brunorijsman@gmail.com>
Message-Id: <C37C9C1F-A18A-44C2-874D-F2C7F55FEA3D@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EB6B2296-60E0-4142-B294-C18B6725CD5D"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Date: Wed, 01 May 2019 16:29:26 -0400
In-Reply-To: <CA+wi2hNJ=fGWjySnO-qwo5dj0ajgkTiFQn+HEs-MWnPCDHKGzA@mail.gmail.com>
Cc: Antoni Przygienda <prz=40juniper.net@dmarc.ietf.org>, "rift@ietf.org" <rift@ietf.org>
To: Tony Przygienda <tonysietf@gmail.com>
References: <B2545DF8-1C4C-4B97-8CEE-4D5EDCF2EB8D@gmail.com> <MWHPR05MB3279AB3BE295959AD2AF1BADAC3C0@MWHPR05MB3279.namprd05.prod.outlook.com> <CA+wi2hNJ=fGWjySnO-qwo5dj0ajgkTiFQn+HEs-MWnPCDHKGzA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rift/Q9Pls06iZmDZiT6x7w03NkxB4V4>
Subject: Re: [Rift] Initial implementation of security in RIFT-Python is complete
X-BeenThere: rift@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Routing in Fat Trees <rift.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rift>, <mailto:rift-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rift/>
List-Post: <mailto:rift@ietf.org>
List-Help: <mailto:rift-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rift>, <mailto:rift-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 May 2019 20:29:38 -0000

Looks good, will do the same or similar for RIFT-Python.

(The interop test no longer requires that the YAML schemas are the same.)

What is the difference between “permissive”, “loose”, and “strict”?

— Bruno

> On Apr 25, 2019, at 11:15 PM, Tony Przygienda <tonysietf@gmail.com> wrote:
> 
> Ok, I looked over the stuff in more detail again and I see that the yaml schema is only a limited security model and would hence like to extend it a bit. Let me know what you think
> 
> At the top I'd like to add private-secret to support private/public key and not only shared 
> 
> {?} keys:                              
>     {+} - id: <24-bit key number>
>     {1}   algorithm: [hmac-sha-256]
>     {1}   secret: <string>   
>     {?}   private-secret: <string>     
> 
> under -name (i.e. per node) it would be good to have 
> {?}      tie_validation: [none|permissive|loose|strict]  
> 
> 
> to support testing of the common models of processing of signatures 
> 
> Then under interface we'd need 
> 
> {?}           active_key: <8-bit key number> 
> {?}           accept_keys: <set of 8-bit key number>
> {?}           lie_validation: [none|permissive|loose|strict]  (6) 
> 
> so we can test mix of interfaces using different keys and not using them ta all (we can share the global keys for that purpose since it's simpler but can only use the 8-bit IDs) 
> 
> --- tony
> 
> On Wed, Apr 24, 2019 at 10:47 AM Antoni Przygienda <prz=40juniper.net@dmarc.ietf.org <mailto:40juniper.net@dmarc.ietf.org>> wrote:
> read your guide in detail. makes all perfect sense. will extend schema to what you suggest so inter'op ... 
> 
> thanks
> 
> --- tony 
> 
> From: Bruno Rijsman <brunorijsman@gmail.com <mailto:brunorijsman@gmail.com>>
> Sent: Monday, April 22, 2019 4:16 PM
> To: rift@ietf.org <mailto:rift@ietf.org>
> Subject: Initial implementation of security in RIFT-Python is complete
>  
> I have finished the initial implementation of security in RIFT-Python (security envelope, keys, fingerprints, nonces, packet-nr, etc. etc.)
> 
> See http://bit.ly/rift-python-security-feature-guide <https://urldefense.proofpoint.com/v2/url?u=http-3A__bit.ly_rift-2Dpython-2Dsecurity-2Dfeature-2Dguide&d=DwMCAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=maKXfKzgRTpiLitqHnJiww&m=htkOLD_Mz6ekfr_iYDTC5Q7xzPbroaycphOlQuwgDAg&s=t-P4E1fGgdJ6fiTwi2uXPbhcMxKse2r47pppAq8EO_I&e=> for a detailed feature guide.
> 
> While implementing the code, I gathered a number of comments on the security section of the draft -05. I will report these in a follow-up e-mail.
> 
> -- Bruno
> _______________________________________________
> RIFT mailing list
> RIFT@ietf.org <mailto:RIFT@ietf.org>
> https://www.ietf.org/mailman/listinfo/rift <https://www.ietf.org/mailman/listinfo/rift>

v2.23.0 | Report a Bug | By Email