[Babel-users] [babel] HMAC Key rotation key format (was ripemd)
Dave Taht
dave at taht.net
Thu Nov 29 06:14:07 GMT 2018
Mahesh Jethanandani <mjethanandani at gmail.com> writes:
> A draft that proposed pair-wise key management was proposed here. It
> does not address the question of timestamp, but is something that
> could be exchanged as part of key rollover to allow routers to
> calculate the delta. Including the original authors of the draft.
I'm sorry, but adding this level of complexity is not in the cards
from my perspective. Layering key exchange over a different out-of-band
medium, be it a slip of paper, a telephone call, ssh or https, seems
saner.
>
> On Nov 26, 2018, at 6:21 AM, Dave Taht <dave.taht at gmail.com> wrote:
>
> To me this leaves key rotation as the biggest remaining problem. Me
> being me, and remembering just how hard it was to get dnssec working
> on systems lacking reliable time, I worry about that part. What we
> settled on for dnsmasq-dnssec was to write the current time to flash
> every day (or few hours), boot up without dnssec enabled long enough
> to get an ntp server... and rely on key rollover taking hours or days
> to *usually* get a correct result. RTCs with batteries are usually not
> included.
>
> That's still fragile (imagine a power failure lasting days, or a box
> being down for several days for repair. It happens).
>
> In the case of routing... if you don't have the correct time... and
> you can't get a route so you can get the correct time from ntp...
> then what? Do we make GPSes MTI also?
>
> Setting that aside for the moment, having a standardized file format
> for babel keys would be a boon and boost interoperability between
> bird/babel and other possible implementations. You would merely
> declare a key name in the main conf for bird or babel, and reference
> it in a separate file with a format like this:
>
> KEY START_DATE END_DATE TYPE VALUE
> name\wrfc3339\wrfc3339\wsha256|blake2s\wvalue
>
> https://tools.ietf.org/html/rfc3339
>
> Administrators would push out this one standard format file to
> routers, strongly suggesting that UTC times be used universally and
> that key rollover should be staged over hours or days lest
> connectivity be lost. Other sanity checks, like ensuring there is some
> form of persistent and correct time on routers using authentication,
> are also needed.
>
> Alternatives might include certs and other stuff that bears drinking
> about.
>
> --
>
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
>
> _______________________________________________
> babel mailing list
> babel at ietf.org
> https://www.ietf.org/mailman/listinfo/babel
>
> Mahesh Jethanandani
> mjethanandani at gmail.com
>
> _______________________________________________
> Babel-users mailing list
> Babel-users at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
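As an added illustration of the key file format sketched in the quoted message (KEY START_DATE END_DATE TYPE VALUE, RFC 3339 timestamps, sha256 or blake2s), here is a small parser with the sanity checks the message asks for: UTC-only timestamps, a "what keys are valid now" selection that comes back empty when the clock is clearly off, and a check that consecutive keys overlap long enough for a staged rollover. This is example code written for this page, not bird's or babeld's key handling; the hex encoding of VALUE, the '#' comment convention, the 48-hour minimum overlap, the key names and the packet bytes are all assumptions made up for the example.

```python
"""Added example: parser and sanity checks for the proposed babel key file.
Not bird's or babeld's code. Assumed: one key per line, whitespace-separated
fields, VALUE hex-encoded, '#' starts a comment, 48 h minimum rollover overlap."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed sample key file (names, dates and key bytes are made up).
SAMPLE_KEYFILE = """\
# name     start                 end                   type     value
k2018q4    2018-10-01T00:00:00Z  2019-01-15T00:00:00Z  sha256   000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
k2019q1    2019-01-01T00:00:00Z  2019-04-15T00:00:00Z  blake2s  202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f
k2019q2    2019-04-14T00:00:00Z  2019-07-15T00:00:00Z  sha256   404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f
"""

SUPPORTED_TYPES = {"sha256", "blake2s"}
MIN_OVERLAP = timedelta(hours=48)  # assumed policy: stage rollover over >= 2 days


@dataclass(frozen=True)
class Key:
    name: str
    start: datetime
    end: datetime
    type: str
    value: bytes


def parse_rfc3339(text: str) -> datetime:
    """RFC 3339 timestamp -> aware datetime in UTC. A stamp without a UTC
    offset is rejected, since the proposal asks that UTC be used universally."""
    if text.endswith(("Z", "z")):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {text}")
    return dt.astimezone(timezone.utc)


def parse_keyfile(text: str) -> List[Key]:
    """Parse the file; reject malformed lines, duplicate names, unknown hash
    types and empty windows. Returns keys sorted by start time."""
    keys, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        name, start, end, ktype, value = fields
        if name in seen:
            raise ValueError(f"line {lineno}: duplicate key name {name}")
        if ktype not in SUPPORTED_TYPES:
            raise ValueError(f"line {lineno}: unsupported type {ktype}")
        key = Key(name, parse_rfc3339(start), parse_rfc3339(end), ktype,
                  bytes.fromhex(value))
        if key.end <= key.start:
            raise ValueError(f"line {lineno}: end precedes start")
        seen.add(name)
        keys.append(key)
    return sorted(keys, key=lambda k: k.start)


def active_keys(keys: List[Key], now: datetime) -> List[Key]:
    """Keys whose window contains `now`. An empty result usually means the
    router's clock is wrong (the failure mode the message worries about);
    treat it as 'cannot authenticate', never as 'authentication off'."""
    return [k for k in keys if k.start <= now < k.end]


def check_rollover(keys: List[Key], min_overlap: timedelta) -> List[str]:
    """Flag consecutive keys whose windows overlap for less than min_overlap,
    so that a rollover is staged instead of cutting over at one instant."""
    problems = []
    for prev, nxt in zip(keys, keys[1:]):
        overlap = prev.end - nxt.start
        if overlap < min_overlap:
            problems.append(f"{prev.name} -> {nxt.name}: overlap {overlap} < {min_overlap}")
    return problems


def sign(key: Key, packet: bytes) -> bytes:
    """HMAC over the packet bytes with the key's hash type (sha256 or blake2s)."""
    return hmac.new(key.value, packet, key.type).digest()


def verify(keys: List[Key], now: datetime, packet: bytes, tag: bytes) -> bool:
    """Accept the packet if any key active at `now` reproduces the tag, so both
    the outgoing and incoming key are accepted during the overlap window."""
    return any(hmac.compare_digest(sign(k, packet), tag)
               for k in active_keys(keys, now))


if __name__ == "__main__":
    ks = parse_keyfile(SAMPLE_KEYFILE)
    for p in check_rollover(ks, MIN_OVERLAP):
        print("rollover warning:", p)
    print("active now:", [k.name for k in active_keys(ks, datetime.now(timezone.utc))])
```

Run against the constructed sample, the rollover check reports that k2019q1 and k2019q2 overlap by only a day, and the active set is empty for any clock reading before October 2018, which is exactly the "box came up with a bad clock" case the message describes; an implementation should log that loudly rather than silently sending unauthenticated traffic.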