[Babel-users] [babel] Babel to standard
Henning Rogge
hrogge at gmail.com
Wed Aug 12 08:38:50 UTC 2015
On Wed, Aug 12, 2015 at 3:23 AM, Russ White <russ at riw.us> wrote:
>> * lower-layer security (e.g. put a frightening guy or gal with
>> a truncheon in front of each Ethernet plug, or use 802.1X);
>> * HMAC authentication (RFC 7298);
>> * Stenberg-style authentication (move everything to unicast except
>> hellos, use DTLS);
>> * use the replay protection from RFC 7298 together with statically keyed
>> IPsec.
>>
>> There are different tradeoffs between these techniques (reuse of existing
>> libraries vs. compact code, authentication only vs. privacy, etc.), so the
>> current plan is to implement them all and let the community decide. I am
>> therefore strongly opposed to putting any security mechanism in the base
>> spec.
>
> I would allow separate development in this area -- but it does need to be
> done.

I know that the OLSRv2 document was delayed by a long time because we
had planned to put security into a second document.

> I would look at requirements and solutions, and make a single
> decision. Otherwise you fragment the implementations, as not every one of
> these is as easy to implement as it might seem, and you might find holes
> that need to be fixed in all four at some point. A single solution is
> better, IMHO.

The problem is that the selected solution heavily depends on the
network you plan to deploy.

See here for the "compromise" that was used for OLSRv2:
https://tools.ietf.org/html/rfc7181#section-23.5

We should get a security AD involved before we decide "this is enough
for Standard Track Babel" and get an unpleasant surprise.

Henning Rogge