[Babel-users] hmac key rotation?

Dave Taht dave.taht at gmail.com
Fri Nov 23 22:19:35 GMT 2018


Has this been discussed to any extent?

* Problem A)  babeld cannot regenerate the entire config file (?). Nor
do you really want to, given
dynamic configuration on the command line and via the telnet
interface, and multiple conf files
supported.

Plan A: Have a new file named babel.keys that you can write to or be
written dynamically.
Put keys in there. As many as you want.

* Problem B) Key rotation itself is hairy.

1) You want to keep a key around for a while in case some old speaker
comes online that was offline when you did the update
2) You want to upgrade everybody as fast as possible to the new key so
you only have to hash once as soon as everybody
has flipped over. Logging that a given speaker is still using an old
key would be good. [1]
3) You have to stage the rollover itself so it happens to all routers
at nearly the same time
4) You need to eventually retire the key

It's good to think about how dnssec does this: https://kb.isc.org/docs/aa-00822

* Proposal 1:

a babel.keys format:

keyname start_date end_date key_type key

Proposal 2:

something exactly like dnssec


...

[1] In terms of a convenience feature, I wouldn't mind if one day
there was a <hostname>myname</hostname> message,
'cause figuring out fe80::eea8:6bff:fefe:9a2 doesn't have the right
key is kind of painful.

-- 

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
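To make the rotation mechanics in Problem B concrete, here is an added illustration (my own example code, not part of the post and not babeld's implementation) of a loader for the Proposal 1 `babel.keys` layout, `keyname start_date end_date key_type key`. It assumes ISO-8601 UTC timestamps, a `key_type` naming the HMAC hash (`hmac-sha256`), and hex-encoded key material; all three are assumptions, as is the sample file, which is constructed for the example. Overlapping validity windows give the grace period of point 1, the newest active key is the signing key of point 2, and a verifier that still matches an older active key logs the fact, which is the logging the post asks for. Keys whose `end_date` has passed are no longer accepted, which is the retirement of point 4.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed sample in the proposed layout (not a real babel.keys file).
# The two overlapping windows give old speakers time to catch up after a rollover.
SAMPLE_KEYS = """\
# keyname   start_date            end_date              key_type      key
k2018a      2018-01-01T00:00:00Z  2018-12-15T00:00:00Z  hmac-sha256   000102030405060708090a0b0c0d0e0f
k2018b      2018-11-20T00:00:00Z  2019-06-01T00:00:00Z  hmac-sha256   101112131415161718191a1b1c1d1e1f
k2019a      2019-05-01T00:00:00Z  2019-12-31T00:00:00Z  hmac-sha256   202122232425262728292a2b2c2d2e2f
"""

# Assumed key_type names mapped to hashlib constructors.
HASHES = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}


def parse_ts(s):
    """Parse an assumed ISO-8601 UTC timestamp such as 2018-11-23T00:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_keys(text):
    """Load 'keyname start_date end_date key_type key' lines; '#' starts a comment."""
    keys = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, start, end, ktype, hexkey = line.split()
        if ktype not in HASHES:
            raise ValueError(f"unknown key_type {ktype} for key {name}")
        keys.append({
            "name": name,
            "start": parse_ts(start),
            "end": parse_ts(end),
            "type": ktype,
            "key": bytes.fromhex(hexkey),
        })
    return keys


def active_keys(keys, now):
    """Every key whose window covers `now`: all of these are accepted on receive."""
    return [k for k in keys if k["start"] <= now < k["end"]]


def signing_key(keys, now):
    """The key used for our own packets: the active key with the latest start_date."""
    act = active_keys(keys, now)
    if not act:
        raise LookupError("no active key at this time")
    return max(act, key=lambda k: k["start"])


def sign(key, message):
    """HMAC tag over `message` with one key record."""
    return hmac.new(key["key"], message, HASHES[key["type"]]).digest()


def verify(keys, now, message, tag, log):
    """Return the name of the active key that verifies `tag`, or None.

    A match on an older active key is accepted but logged, so an operator can
    see which speakers have not yet flipped over to the current key."""
    act = active_keys(keys, now)
    if not act:
        log.append("no active key at all; message rejected")
        return None
    current = max(act, key=lambda k: k["start"])
    for k in act:
        if hmac.compare_digest(sign(k, message), tag):
            if k["name"] != current["name"]:
                log.append(f"peer still using old key {k['name']} "
                           f"(current key is {current['name']})")
            return k["name"]
    log.append("no active key verifies message; rejected")
    return None


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_KEYS)
    now = parse_ts("2018-11-23T22:19:35Z")
    log = []
    tag = sign(keys[0], b"hello")          # an old speaker still on k2018a
    print(verify(keys, now, b"hello", tag, log), log)
```

The same key file drives both directions: `signing_key` picks what we send with, `active_keys` decides what we accept, and the only difference between the two is the overlap window, which is exactly where the grace period and the "who is still on the old key" log line come from.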


