[Babel-users] key rotation take #2
Juliusz Chroboczek
jch at irif.fr
Fri Dec 14 16:51:31 GMT 2018
> This is the present babel conf file format:
> key id key1 type sha1 value deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
> key id key2 type sha1 value dea2f0d01a57b0071057a11da7adeadbeeffffff
> interface enp7s0 unicast false hmac key1
> interface wg1 hmac key2
Right. It currently cannot be updated dynamically, but the plan is that
it will at some point before HMAC gets merged into mainline.
> so we invent a new keyword "serial".
> a key rollover is initiated by adding a new key with the same name and a
> larger serial number than the old one.
I don't understand what problem you're trying to solve.
You're happily HMACing your packets:
key id key1 type sha1 value ...
interface wlan0 hmac key1
At some point, you decide to start using a new key:
key id key2 type sha1 value ...
interface wlan0 hmac key1 hmac key2
You deploy the new key on all routers, then you delete the old key:
interface wlan0 hmac key2
Why do you need a serial number?
-- Juliusz
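The three-step rollover described above (old key only, both keys, new key only), checked mechanically: this is an added example, not babeld's code or anything from the thread. It parses the conf format quoted in the mail and uses a simplified signing model (one HMAC-SHA1 tag per configured key, receiver accepts if any tag matches any of its keys; the real Babel HMAC trailer encoding is not reproduced), with constructed key values and packet body.

```python
import hmac
import hashlib

# Constructed conf snapshots for the three phases of the rollover in the mail.
PHASES = {
    "before": """key id key1 type sha1 value deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
interface wlan0 hmac key1""",
    "overlap": """key id key1 type sha1 value deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
key id key2 type sha1 value dea2f0d01a57b0071057a11da7adeadbeeffffff
interface wlan0 hmac key1 hmac key2""",
    "after": """key id key2 type sha1 value dea2f0d01a57b0071057a11da7adeadbeeffffff
interface wlan0 hmac key2""",
}

def parse_conf(text):
    """Return {interface: [key bytes, ...]} from babeld-style 'key'/'interface' lines."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    keys = {}
    for tok in lines:                      # first pass: key definitions
        if tok[0] == "key":
            opts = dict(zip(tok[1::2], tok[2::2]))
            keys[opts["id"]] = bytes.fromhex(opts["value"])
    ifaces = {}
    for tok in lines:                      # second pass: 'hmac <id>' references
        if tok[0] == "interface":
            names = [tok[i + 1] for i, t in enumerate(tok) if t == "hmac"]
            ifaces[tok[1]] = [keys[n] for n in names]
    return ifaces

def sign(packet, keys):
    """Sender side (simplified model): one HMAC-SHA1 tag per configured key."""
    return [hmac.new(k, packet, hashlib.sha1).digest() for k in keys]

def verify(packet, tags, keys):
    """Receiver side: accept if any carried tag verifies under any local key."""
    return any(hmac.compare_digest(t, hmac.new(k, packet, hashlib.sha1).digest())
               for t in tags for k in keys)

def compatible(sender_phase, receiver_phase, iface="wlan0"):
    """Can a router in receiver_phase authenticate a router in sender_phase?"""
    pkt = b"constructed babel packet body"   # constructed, not a real Babel packet
    s = parse_conf(PHASES[sender_phase])[iface]
    r = parse_conf(PHASES[receiver_phase])[iface]
    return verify(pkt, sign(pkt, s), r)

def rollover_is_safe():
    """Each deployment step must interoperate both ways with the previous one."""
    steps = [("before", "overlap"), ("overlap", "after")]
    return all(compatible(a, b) and compatible(b, a) for a, b in steps)
```

The overlap phase is what makes a serial number unnecessary: every adjacent pair of configurations shares a key, while a router that skips straight from `before` to `after` would no longer authenticate its old peers.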