[Babel-users] securing default routes and source specific gateways

Dave Taht dave.taht at gmail.com
Tue Apr 7 14:25:36 UTC 2015


On Tue, Apr 7, 2015 at 3:32 AM, Juliusz Chroboczek
<jch at pps.univ-paris-diderot.fr> wrote:
>> Also the diagram above would require a security model that manages to
>> keep things safe with untrusted speakers in between (here you would need
>> an advice from somebody experienced with the problem stated this way).
>
> Looks like SBGP to me.

Well, that died, mutated, came back to life, died again, and I dont
know what is going on today but so far as I know it STILL involves a
lot of phone calls and teeth gnashing when china re-routes the
internet. I think resolving the question whilst babel is still at a
relatively small scale would be good, before people start deploying it
on citywide networks.

The context of the question comes from this part of a post to the
working-group-that-shall-not-be-named that apparently flew over
everyone´s head in the other sturm und drang[1]:

"Security has two meanings here, one of which is not useful, one that
may be. The "lets encrypt and authenticate everything" part is not
terribly useful (particularly in a world that still has arp and ra). I see
no reason for e2e encryption here, do see so a small one for authentication,
but am not sure it needs to be e2e.

A part that *usefully* allowed a network to allow a mixture of authenticated
nodes (injecting default routes), while retaining un-authenticated routing
for other nodes would be nice. I only briefly deployed the HMAC auth,
but as the quagga version fell too far behind the mainline, did not gain
enough operational experience with it to have a feel for it. I look forward
to seeing it in babeld-1.7.

... somewhat related ...

I have a smallish bcp38-ish like document for some best current practices
(like filtering out local announcements of non-rfc1918 addresses,
 filtering out route announcements for the hip 1.0.0.0/24, 2001:10::/28,
 and advice to not announce local-only vpn routes) which I could maybe
 finish by Prague. (On the other hand I think it is easier read if on a wiki.)

... But it is the prospect of someone with a laptop announcing the lowest
metric possible default route is through them and out via 3G that is
the biggest hole in the "security" of not just babel, but all non-authenticated
routing protocols (targeted at the home. at least. So far as I know there
are a lot of insecured routing protocol *deployments* in general. Someone
feel free to correct me)."

Now, I like that a malicious (or misconfigured) droid can only damage
the nearest couple hops in the case of sending a default route but I
imagine everyone here has misconfigured a router to announce a default
route, only to suck a goodly portion of their network through a
non-working [2] device.

Having some means to indicate that a default route (in particular) is
honestly such, would lead to a network where a mixture of secured and
insecured devices could exist (think guifi), where individual exit
node owners could publish their willingness to share their source
specific gateway with other exit node operators, and so on.



> -- Juliusz
>
> _______________________________________________
> Babel-users mailing list
> Babel-users at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users

[1] Incidentally I did not know the true meaning of the origin of this
phrase before looking it up just now, I had just thought it meant
"conflict". It does seem appropo in context of the
working-group-that-shall-not-be-named.

[2] Probably my biggest failover problem is that links to cable modems
stay up, even when the cable modem is down. I need to beat on
babel-pinger harder.

-- 
Dave Täht
We CAN make better hardware, ourselves, beat bufferbloat, and take
back control of the edge of the internet! If we work together, on
making it:

https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking



More information about the Babel-users mailing list