[Babel-users] About an authentication extension
Rodrigo Garcia
strysg at riseup.net
Thu Sep 7 23:38:00 UTC 2017
Hello, I've been working on an extension to the babel protocol to
authenticate updates using RSA. It's mostly an academic exercise and I
have planned the first functional versions in a month or so.
The main idea is to have a *central entity* generate a set of
encrypted tokens using an RSA *private key*. The set of tokens is unique
to every node on the network and every node receives its unique set of
tokens, a network prefix and the *public key* from the central entity.
Every decrypted token has the form:
<network_prefix>_<randomnumber>
example:
80.0.2.0/24_48003818
80.0.2.0/24_41106879
I was planning to use encrypted tokens of 512 octets.
Every node must send a token from its unique set of tokens on every
route update. When a node receives an update, it tries to decrypt the
token using the *public key* of the central entity and checks if the
decrypted token contains the network prefix being advertised.
If so, the update is taken; if not, it is ignored.
So I came to define a new TLV named lorauth
 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Type=29    |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             Clen              |   Cipher...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Clen: Length of encrypted token
Cipher: Encrypted Token
But as the Cipher length is 512 it needs 2 octets in _Length_, so here
are the questions:
* If I use 2 octets, will this extension be compatible with other
extensions according to RFC 7557?
* I'm guessing it takes lots of extra work for every node to decrypt on
every update, but a node may be less restrictive and only *prefer*
updates authenticated this way over common updates. Can you think of
better ideas to reduce the need for decrypting?
* What general idea do you have about this authentication mechanism?
== Implementation questions ==
I'm a C beginner and started a fork on
https://git.laotrared.net/LaOtraRed-dev/babeld-lor
* I'm aiming to add two fields to the _source table_
    unsigned short clen;
    unsigned char cipher[513];
Can you point out some functions that I have to modify to make the
authentication mechanism work?
* I've seen the struct xroute in xroute.h, I still don't get the idea
of this struct and whether or not it is mandatory to add the fields
clen, cipher there.
Thanks in advance for any comments :)
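
The prefix check described in the message, as an added example that is not part of the original post or of babeld. It assumes the RSA step has already produced the decrypted token bytes and that the advertised prefix is available in the same textual form; the function name lorauth_token_matches is hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not part of babeld: returns 1 when a decrypted
   token of the form "<network_prefix>_<randomnumber>" names exactly the
   advertised prefix, 0 otherwise.  tok need not be NUL-terminated.
   Assumption: both sides write the prefix in the same textual form. */
int
lorauth_token_matches(const unsigned char *tok, size_t toklen,
                      const char *advertised)
{
    size_t plen = strlen(advertised);
    size_t i;

    /* Need the prefix, one '_' and at least one digit. */
    if(plen == 0 || toklen < plen + 2)
        return 0;
    /* Compare the whole prefix field from the start of the token; a
       substring search would accept "180.0.2.0/24_1" for "80.0.2.0/24". */
    if(memcmp(tok, advertised, plen) != 0 || tok[plen] != '_')
        return 0;
    /* The remainder must be decimal digits only (no trailing bytes). */
    for(i = plen + 1; i < toklen; i++) {
        if(tok[i] < '0' || tok[i] > '9')
            return 0;
    }
    return 1;
}

int
main(void)
{
    /* Constructed samples; the first token is the one shown in the post. */
    const char *good = "80.0.2.0/24_48003818";
    const char *other = "180.0.2.0/24_48003818";
    int ok = lorauth_token_matches((const unsigned char *)good,
                                   strlen(good), "80.0.2.0/24") == 1 &&
             lorauth_token_matches((const unsigned char *)other,
                                   strlen(other), "80.0.2.0/24") == 0;
    return ok ? 0 : 1;
}
```

Anchoring the comparison at the start of the token and requiring the `_` separator right after it is what keeps a token issued for one prefix from validating a longer or differently numbered one.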