[Babel-users] HMAC: should keys expire?
Juliusz Chroboczek
jch at irif.fr
Sat Oct 10 15:42:08 BST 2020
The thing to undestand about HMAC is that while it can be used directly,
it's really designed to be used with a keying protocol. This could take
one of many forms:
- a central server periodically (say, every 30 minutes) draws a new
random key, then contacts all nodes over ssh and installs the new key.
a few minutes later, the old keys are removed.
- every node performs authentified Diffie-Hellman with each of its
neighbours; it installs all the keys negotiated on the relevant
interfaces (this assumes that the number of neighbours on each
interface is small enough);
- the nodes periodically perform some form of distributed consensus and
agree on a small set of keys.
In all cases, the old keys must expire after the new keys are installed.
There are two ways to achieve that:
1. the keying daemon removes the old keys;
2. keys are installed with an explicit lifetime, and the routing daemon
itself discards the keys when they expire.
Approach 2 feels more robust to me, since it ensures keys will expire even
if the keying daemon crashes or is stopped for some reason. Do we need to
equip keys with an explicit lifetime?
-- Juliusz
More information about the Babel-users
mailing list