[Rift] Status update on security interop testing between RIFT-Juniper and RIFT-Python

Bruno Rijsman <brunorijsman@gmail.com> Wed, 17 July 2019 12:41 UTC

From: Bruno Rijsman <brunorijsman@gmail.com>
Date: Wed, 17 Jul 2019 14:41:11 +0200
Cc: rift@ietf.org
To: Tony Przygienda <tonysietf@gmail.com>
Message-Id: <0DEC8C31-BFEE-42B9-B8D2-9F0A7ED88756@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rift/VuDBMgntiWS1EFJUkGsntoW7rEw>

Status update on security interop testing between RIFT-Juniper and RIFT-Python:

The outer keys are now interoperating fine.

(A) As expected, the adjacency between RIFT-Juniper and RIFT-Python comes up to state 3way, when 

  (A1) authentication is disabled or

  (A2) authentication is enabled with the same active keys or 

  (A3) authentication is enabled with different active keys and corresponding accept keys.

(B) As expected, the adjacency between RIFT-Juniper and RIFT-Python does not come up to state 3way, when 

  (B1) Authentication is enabled on one side but not the other side

  (B2) Authentication is enabled with different active keys and without corresponding accept keys

Challenges along the way:

  (C1) Juniper uses SHA-256(key + payload) whereas RIFT-Python uses HMAC-SHA-256(key, payload).  Solution: add support for SHA-256(key + payload) to RIFT-Python (in addition to HMAC-SHA-256).

  (C2) RIFT-Juniper used different YAML configuration keywords than RIFT-Python.  Solution: change RIFT-Python to use the same configuration keywords.

  (C3) RIFT-Juniper only supports configuration of outer keys on a per-interface basis, whereas RIFT-Python supports configuring the outer keys on a per-node and per-interface basis with an inheritance rule.  Solution: for interop testing, only use per-interface configuration.

  (C4) RIFT-Juniper only supports SHA-256, whereas RIFT-Python also supports other key lengths (e.g. SHA-224, SHA-384, and more).  Solution: limit interop testing to SHA-256.

All four of these issues are implementation issues, and none of these issues require any changes to the draft.
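The two fingerprint constructions from (C1), together with the active/accept key logic behind the (A) and (B) cases, as an added Python example; this is not RIFT-Python or RIFT-Juniper code, and the key ids, secrets and LIE payload are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def fingerprint(secret: bytes, payload: bytes, algorithm: str) -> bytes:
    """Outer-key fingerprint using one of the two constructions from (C1)."""
    if algorithm == "hmac-sha256":
        # RIFT-Python's original construction: HMAC-SHA-256(key, payload)
        return hmac.new(secret, payload, hashlib.sha256).digest()
    if algorithm == "sha256":
        # RIFT-Juniper's construction: SHA-256(key + payload). Unlike HMAC, a
        # prefix-keyed plain hash is not length-extension resistant.
        return hashlib.sha256(secret + payload).digest()
    raise ValueError(f"unsupported algorithm {algorithm!r}")


@dataclass
class Node:
    algorithm: str                      # "sha256" or "hmac-sha256"
    active_key: Optional[tuple]         # (key_id, secret) used on packets we send
    accept_keys: dict = field(default_factory=dict)  # extra key_id -> secret

    def sign(self, payload: bytes) -> tuple:
        """Return (key_id, fingerprint); key_id 0 means authentication disabled."""
        if self.active_key is None:
            return 0, b""
        key_id, secret = self.active_key
        return key_id, fingerprint(secret, payload, self.algorithm)

    def verify(self, payload: bytes, key_id: int, fp: bytes) -> bool:
        """Accept a packet signed with our active key or one of our accept keys."""
        if self.active_key is None:
            return key_id == 0          # auth disabled: unsigned packets only (B1)
        if key_id == 0:
            return False                # we require auth, peer sent none (B1)
        known = {self.active_key[0]: self.active_key[1], **self.accept_keys}
        secret = known.get(key_id)
        if secret is None:
            return False                # no matching accept key (B2)
        expected = fingerprint(secret, payload, self.algorithm)
        return hmac.compare_digest(expected, fp)  # constant-time compare


def adjacency_comes_up(a: Node, b: Node, payload: bytes = b"LIE") -> bool:
    """Both directions must verify before the adjacency can reach 3way."""
    return b.verify(payload, *a.sign(payload)) and a.verify(payload, *b.sign(payload))
```

Each (A)/(B) case maps to one pair of Node configurations; the (C1) mismatch shows up as two nodes sharing a secret but using different algorithm strings.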

Next step: finish interop testing for the origin keys. (I plan to do this Thursday morning, Netherlands time)

— Bruno