[Babel-users] Reworked implementation of HMAC authentication
Juliusz Chroboczek
jch at irif.fr
Fri Mar 8 23:59:53 GMT 2019
Hi,
I've finally gotten my act together, and reworked Clara's and Weronika's
implementation of Babel-HMAC. You can get the code by doing
git clone -b hmac --recurse-submodules https://github.com/jech/babeld
While this code is almost completely untested, it is meant to eventually
implement the protocol described in
https://tools.ietf.org/html/draft-ietf-babel-hmac
Known issues:
- no interop testing has been done yet;
- we create a neighbour entry too early, which makes us vulnerable to DoS;
- we compute HMAC for each TLV, rather than just once for the whole
packet, which, again, makes us vulnerable to DoS;
- we don't timeout neighbours properly, which makes us vulnerable to
delayed packets;
- we only support sending one HMAC (receiving multiple HMACs should
work, but for obvious reasons it's untested);
- we don't support key rotation.
You can test this code by saying something like:
babeld -C 'key id test type sha256 value ebf49e6fbc6414aa567e30891846e96963cdda73289b9cd245d67ff9d281abc0' -C 'interface eth0 hmac test'
The "key" stanza defines a key of type sha256, with the value given as
a 32 byte-long hex key. The "interface" stanza enables the key on the
interface eth0.
In addition to "type sha256", we support "type blake2s", which requires
a 16 byte-long key.
-- Juliusz
More information about the Babel-users
mailing list