[Babel-users] HMAC Key rotation key format (was ripemd)

Dave Taht dave.taht at gmail.com
Mon Nov 26 14:21:26 GMT 2018


To me, this leaves key rotation as the biggest remaining problem. Me being me, and remembering just how hard it was to get dnssec working on systems lacking reliable time, I worry about that part. What we settled on for dnsmasq-dnssec was to write the current time to flash every day (or every few hours), boot up without dnssec enabled long enough to get an ntp server... and rely on key rollover taking hours or days to *usually* get a correct result. RTCs with batteries are usually not included.

That's still fragile (imagine a power failure lasting days, or a box being down for several days for repair. It happens).

In the case of routing... if you don't have the correct time... and you can't get a route so you can get the correct time from ntp... then what? Do we make GPSes MTI also?

Setting that aside for the moment, having a standardized file format for babel keys would be a boon and would boost interoperability between bird/babel and other possible implementations. You would merely declare a key name in the main conf for bird or babel, and reference it in a separate file with a format like this:

KEY  START_DATE END_DATE TYPE VALUE
name\wrfc3339\wrfc3339\wsha256|blake2s\wvalue

https://tools.ietf.org/html/rfc3339

Administrators would push out this one standard format file to routers, strongly suggesting that UTC times be used universally and that key rollover should be staged over hours or days lest connectivity be lost. Other sanity checks, like ensuring there is some form of persistent and correct time on routers using authentication, are also needed.

Alternatives might include certs and other stuff that bears thinking about.




-- 

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
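As an added example (not code from this post, from bird, or from any babel implementation), here is a parser for the key-file format sketched above, together with the time-window checks the post asks for: every timestamp must carry an explicit UTC offset, consecutive keys must overlap by a configurable staging period or the rollover is flagged, and a router whose clock is wrong (the no-RTC, no-ntp case) visibly ends up with no valid key rather than a wrong one. Assumptions made here and not stated in the post: fields are whitespace-separated, `#` starts a comment, VALUE is the hex-encoded key, END_DATE is exclusive, and the MAC construction (HMAC for sha256, BLAKE2s keyed mode for blake2s) is illustrative only. The sample key file is constructed.

```python
"""Parser and rollover checker for the proposed babel key-file format (illustrative, constructed example)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KEY_TYPES = {"sha256", "blake2s"}
HEADER = ["KEY", "START_DATE", "END_DATE", "TYPE", "VALUE"]


@dataclass(frozen=True)
class Key:
    name: str
    start: datetime  # inclusive, normalised to UTC
    end: datetime    # exclusive, normalised to UTC (assumption)
    type: str        # "sha256" or "blake2s"
    value: bytes     # raw key bytes (assumption: VALUE is hex in the file)


def parse_rfc3339(text: str) -> datetime:
    """Parse an RFC 3339 timestamp; a timestamp without a UTC offset is rejected so every router agrees."""
    if text.endswith(("Z", "z")):           # fromisoformat() on older Pythons does not accept 'Z'
        text = text[:-1] + "+00:00"
    t = datetime.fromisoformat(text)
    if t.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {text!r}")
    return t.astimezone(timezone.utc)


def parse_keyfile(text: str) -> list[Key]:
    """Parse 'KEY START_DATE END_DATE TYPE VALUE' lines, skipping the header, blanks and '#' comments."""
    keys: list[Key] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.split() == HEADER:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        name, start_s, end_s, ktype, value_s = fields
        if ktype not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unknown key type {ktype!r}")
        start, end = parse_rfc3339(start_s), parse_rfc3339(end_s)
        if end <= start:
            raise ValueError(f"line {lineno}: END_DATE must be after START_DATE")
        try:
            value = bytes.fromhex(value_s)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: VALUE is not hex") from exc
        if not value or (ktype == "blake2s" and len(value) > 32):  # BLAKE2s keys are at most 32 bytes
            raise ValueError(f"line {lineno}: bad key length {len(value)}")
        keys.append(Key(name, start, end, ktype, value))
    if len({k.name for k in keys}) != len(keys):
        raise ValueError("duplicate key names")
    return sorted(keys, key=lambda k: k.start)


def active_keys(keys: list[Key], now: datetime) -> list[Key]:
    """Keys valid at 'now'. An empty result from a populated file is the signature of a wrong clock."""
    return [k for k in keys if k.start <= now < k.end]


def rollover_problems(keys: list[Key], min_overlap_hours: float) -> list[str]:
    """Report gaps, and overlaps shorter than the staging period, between the coverage so far and the next key."""
    problems: list[str] = []
    ordered = sorted(keys, key=lambda k: k.start)
    if not ordered:
        return problems
    covered_until = ordered[0].end          # running end of continuous coverage
    for nxt in ordered[1:]:
        overlap = covered_until - nxt.start
        prev_name = max(ordered[: ordered.index(nxt)], key=lambda k: k.end).name
        if overlap < timedelta(0):
            problems.append(f"gap of {-overlap} between {prev_name} and {nxt.name}")
        elif overlap < timedelta(hours=min_overlap_hours):
            problems.append(f"overlap of only {overlap} between {prev_name} and {nxt.name}")
        covered_until = max(covered_until, nxt.end)
    return problems


def compute_mac(key: Key, packet: bytes) -> bytes:
    """MAC a packet with the selected key (construction chosen for illustration, not from any spec)."""
    if key.type == "sha256":
        return hmac.new(key.value, packet, hashlib.sha256).digest()
    return hashlib.blake2s(packet, key=key.value).digest()


# Constructed sample: a two-day staged rollover from a sha256 key to a blake2s key.
SAMPLE_KEYFILE = """\
KEY    START_DATE            END_DATE              TYPE     VALUE
k2018a 2018-11-01T00:00:00Z  2018-12-03T00:00:00Z  sha256   0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
k2018b 2018-12-01T00:00:00Z  2019-03-01T00:00:00Z  blake2s  fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""

if __name__ == "__main__":
    keys = parse_keyfile(SAMPLE_KEYFILE)
    print("active now:", [k.name for k in active_keys(keys, parse_rfc3339("2018-11-26T14:21:26Z"))])
    print("during rollover:", [k.name for k in active_keys(keys, parse_rfc3339("2018-12-02T00:00:00Z"))])
    print("clock at epoch:", active_keys(keys, parse_rfc3339("1970-01-01T00:00:00Z")))
    print("problems (24h staging):", rollover_problems(keys, 24))
    print("problems (72h staging):", rollover_problems(keys, 72))
    print("mac:", compute_mac(keys[0], b"babel packet").hex())
```

The interesting outputs are the edge cases: at the epoch (a box that booted with no RTC and no route to ntp) `active_keys` returns nothing, which is the failure the post worries about and which a router should log loudly rather than silently dropping authentication; and tightening the staging period from 24 to 72 hours turns the two-day overlap in the sample into a reported problem, which is the check an administrator would run before pushing the file out.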


