[Babel-users] [babel] HMAC Key rotation key format (was ripemd)

Mahesh Jethanandani mjethanandani at gmail.com
Mon Nov 26 19:44:23 GMT 2018


A draft that proposed pair-wise key management was proposed here <https://tools.ietf.org/html/draft-mahesh-karp-kmprp-00>.  It does not address the question of timestamp, but is something that could be exchanged as part of key rollover to allow routers to calculate the delta. Including the original authors of the draft.

> On Nov 26, 2018, at 6:21 AM, Dave Taht <dave.taht at gmail.com> wrote:
> 
> To me, the biggest problem remaining is key rotation. Me
> being me, and remembering just how hard it was to get dnssec working
> on systems lacking reliable time, I worry about that part. What we
> settled on for dnsmasq-dnssec was to write the current time to flash
> every day (or few hours), boot up without dnssec enabled long enough to
> get an ntp server... and rely on key rollover taking hours or days to
> *usually* get a correct result. RTCs with batteries are usually not
> included.
> 
> That's still fragile (imagine a power failure lasting days, or a box
> being down for several days for repair. It happens).
> 
> In the case of routing... if you don't have the correct time... and
> you can't get a route so you can get the correct time from ntp... then
> what? Do we make GPSes MTI also?
> 
> Setting that aside for the moment, having a standardized file format
> for babel keys would be a boon and boost interoperability between
> bird/babel and other possible implementations.
> You would merely declare a key name in the main conf for bird or
> babel, and reference it in a separate file with a format like this:
> 
> KEY  START_DATE END_DATE TYPE VALUE
> name\wrfc3339\wrfc3339\wsha256|blake2s\wvalue
> 
> https://tools.ietf.org/html/rfc3339
> 
> Administrators would push out this one standard format file to
> routers, strongly suggesting that UTC times be used universally and
> that key rollover should be staged over hours or days lest
> connectivity be lost. Other sanity checks like ensuring there is some
> form of persistent and correct time on routers using authentication
> are also needed.
> 
> Alternatives might include certs and other stuff that bears drinking about.
> 
> 
> 
> 
> -- 
> 
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740

Mahesh Jethanandani
mjethanandani at gmail.com
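The key file format sketched in Dave's quoted message (KEY START_DATE END_DATE TYPE VALUE, one key per line), as an added example that is not code from either poster or from bird/babel: a parser plus the selection logic that makes a staged rollover work, accepting every key whose window covers the current time and signing with the newest one. It assumes `\w` in the sketch means whitespace, that VALUE is hex, and that the sample file below is constructed.

```python
import hmac
from collections import namedtuple
from datetime import datetime, timezone

# Constructed sample key file: two keys overlap for a staged rollover window.
SAMPLE_KEYFILE = """\
# KEY     START_DATE            END_DATE              TYPE     VALUE (hex)
k2018a  2018-01-01T00:00:00Z  2018-12-01T00:00:00Z  sha256   00112233445566778899aabbccddeeff
k2018b  2018-11-25T00:00:00Z  2019-06-01T00:00:00Z  blake2s  ffeeddccbbaa99887766554433221100
"""

TYPES = {"sha256", "blake2s"}  # digest names hmac.new() understands
Key = namedtuple("Key", "name start end algo secret")

def parse_rfc3339(text):
    # fromisoformat() takes a numeric offset; a bare 'Z' is only accepted from Python 3.11
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {text}")
    return dt.astimezone(timezone.utc)

def parse_keyfile(text):
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        name, start, end, algo, value = fields
        if algo not in TYPES:
            raise ValueError(f"line {lineno}: unknown TYPE {algo!r}")
        key = Key(name, parse_rfc3339(start), parse_rfc3339(end), algo, bytes.fromhex(value))
        if key.end <= key.start:
            raise ValueError(f"line {lineno}: END_DATE must be after START_DATE")
        keys.append(key)
    return keys

def valid_keys(keys, now):
    """Every key whose window covers `now`; all of them are accepted when verifying."""
    return [k for k in keys if k.start <= now < k.end]

def signing_key(keys, now):
    """Newest valid key is used for signing; None means no usable key (check the clock)."""
    cands = valid_keys(keys, now)
    return max(cands, key=lambda k: k.start) if cands else None

def compute_hmac(key, packet):
    """HMAC over a packet with the given key; the peer must hold the same name and value."""
    return hmac.new(key.secret, packet, key.algo).digest()
```

A router whose clock is outside every window gets `None` from `signing_key`, which is exactly the "no time, no route, no ntp" failure mode the thread worries about, so callers should treat it as a clock problem rather than silently sending unauthenticated traffic.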
