[Babel-users] [babel] Reworked implementation of HMAC authentication
Juliusz Chroboczek
jch at irif.fr
Sat Mar 9 01:37:45 GMT 2019
>> - we compute HMAC for each TLV, rather than just once for the whole
>> packet, which, again, makes us vulnerable to DoS;
> ugh.
Don't worry, it's an easy fix.
>> - we don't support key rotation.
> Sigh.
The data structures are designed so it'll be easy, the problem is
designing an understandable user interface. Given the following interface
declaration:
interface eth0 hmac key1
what does the following mean?
interface eth0 hmac key2
Does it add key2 to the set of keys associated with eth0, or does it
override the current value? I'm afraid that either will cause confusion.
I'm considering keeping the set of keys associated with an interface
static, and allowing key rotation by redefining existing keys. So you'd
say
interface eth0 hmac key1 hmac key2
key id key1 type sha256 value ...
key id key2 type none
and do key rotation by saying
key id key2 type sha256 value ...
key id key1 type none
I'll look at Barbara's information model, there must be some insights there.
-- Juliusz
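The static-key-set rotation scheme sketched in the message above, as an added example in Python; this is not babeld's code and not anything posted in the thread. The directive syntax follows the mail (an interface lists its key ids once; each key id is later bound to `type sha256 value ...` or `type none`, and rotation redefines keys rather than touching the interface). The HMAC construction is a simplifying assumption: one HMAC-SHA256 over the raw packet bytes per active key, which also illustrates the "once per packet, not per TLV" point. The packet bytes and key values are constructed sample data.

```python
import hashlib
import hmac


class KeyStore:
    """Model of the rotation scheme in the mail (added example, not babeld's code).

    An interface gets a static list of key ids. Each key id maps to a (type, secret)
    pair that may be redefined at any time; type "none" is an empty slot. Rotation
    is done by redefining keys, never by changing the interface's key list."""

    def __init__(self):
        self.keys = {}        # key id -> (type, secret bytes)
        self.interfaces = {}  # interface name -> list of key ids

    def configure(self, line):
        """Apply one configuration directive in the syntax used in the mail."""
        words = line.split()
        if words[0] == "interface":
            # interface eth0 hmac key1 hmac key2
            name = words[1]
            ids = [words[i + 1] for i in range(2, len(words), 2) if words[i] == "hmac"]
            if name in self.interfaces and self.interfaces[name] != ids:
                # The key set is static (the mail's proposal); refuse an ambiguous redefinition.
                raise ValueError("key set for %s is static; redefine the keys instead" % name)
            self.interfaces[name] = ids
        elif words[0] == "key":
            # key id key1 type sha256 value <hex>    |    key id key2 type none
            opts = dict(zip(words[1::2], words[2::2]))
            ktype = opts["type"]
            if ktype == "sha256":
                self.keys[opts["id"]] = (ktype, bytes.fromhex(opts["value"]))
            elif ktype == "none":
                self.keys[opts["id"]] = (ktype, b"")
            else:
                raise ValueError("unknown key type %r" % ktype)
        else:
            raise ValueError("unknown directive %r" % line)

    def active_keys(self, iface):
        """Keys of the interface that currently hold a secret (type is not none)."""
        return [(kid, self.keys[kid][1]) for kid in self.interfaces.get(iface, [])
                if kid in self.keys and self.keys[kid][0] == "sha256"]

    def sign(self, iface, packet):
        """One HMAC per active key, computed once over the whole packet (not per TLV)."""
        return [(kid, hmac.new(secret, packet, hashlib.sha256).digest())
                for kid, secret in self.active_keys(iface)]

    def verify(self, iface, packet, tags):
        """Accept the packet if any received tag matches the HMAC under any active key."""
        for _, secret in self.active_keys(iface):
            expected = hmac.new(secret, packet, hashlib.sha256).digest()
            for tag in tags:
                if hmac.compare_digest(expected, tag):
                    return True
        return False


def rotation_demo():
    """Walk through the rotation sequence from the mail; returns what happened per phase."""
    ks = KeyStore()
    packet = b"\x2a\x02\x00\x10constructed-sample-packet"  # constructed sample bytes
    for line in ["interface eth0 hmac key1 hmac key2",
                 "key id key1 type sha256 value " + "11" * 32,
                 "key id key2 type none"]:
        ks.configure(line)
    old_tags = [t for _, t in ks.sign("eth0", packet)]          # signed with key1 only
    before = [k for k, _ in ks.sign("eth0", packet)]
    # Step 1: bring key2 in. Peers still sending key1 tags keep verifying (overlap phase).
    ks.configure("key id key2 type sha256 value " + "22" * 32)
    overlap = [k for k, _ in ks.sign("eth0", packet)]
    old_ok_overlap = ks.verify("eth0", packet, old_tags)
    # Step 2: retire key1. Packets carrying only key1 tags are now rejected.
    ks.configure("key id key1 type none")
    after = [k for k, _ in ks.sign("eth0", packet)]
    old_ok_after = ks.verify("eth0", packet, old_tags)
    return {"before": before, "overlap": overlap, "after": after,
            "old_tag_accepted_during_overlap": old_ok_overlap,
            "old_tag_accepted_after": old_ok_after}


if __name__ == "__main__":
    for phase, value in rotation_demo().items():
        print(phase, value)
```

The overlap phase is the point of keeping two slots per interface: new keys are added and old ones retired in separate steps, so a peer that has not yet been reconfigured is never cut off as long as one key it knows is still active on both sides.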