[Babel-users] MAC auth. for Babel in babeld

Antonin Décimo antonin.decimo at gmail.com
Thu Aug 20 11:35:31 BST 2020


Dear all,

I’ve rolled up my sleeves and finished my implementation of the MAC
authentication protocol in babeld.

It can be found on the branch "hmac" in

    https://github.com/MisterDA/babeld.git

Or on the open pull request in the main repository at

    https://github.com/jech/babeld/pull/52


There is one bug that I’m aware of: sometimes the local configuration
interface will respond "bad", letting the user think that there was an
error during the parsing or the processing of the configuration, but
everything happened correctly.

There is one feature that I have not implemented (yet): expiring
per-neighbour state (section 4.4) using the Hello history or a timer
based on the last accepted packet.

The code has not undergone review. No interoperability testing has
been done.

I’m also looking for feedback on the user interface. Here follows the
manual page describing the new configuration options (underscores
indicate user-defined values).

In particular, do you think that implementing keysets and allowing an
unbounded number of keys is too much for babeld?

Key rotation is done through the local configuration interface.


   MAC authentication for the Babel routing protocol
       This protocol provides basic security properties for the Babel
       routing protocol. The scope of this protocol is strictly
       limited: it only provides authentication (we assume that
       routing information is not confidential), it only supports
       symmetric keying, and it only allows for the use of a small
       number of symmetric keys on every link.

       Keys and keysets are reference-counted. They are discarded as
       soon as they are no longer referenced.

       Interface configuration

           mac {true|false}
                  Enable MAC security on this interface.

           mac-verify {true|false}
                  Check packet signatures and reject unsigned or
                  incorrectly signed packets. The default is true.

           add-keyset _keyset-name_
                  Add the keyset _keyset-name_ to the set of keysets
                  of this interface.

           rm-keyset _keyset-name_
                  Remove the keyset _keyset-name_ from the set of
                  keysets of this interface.

       Global options

           key name _name_ algorithm {hmac-sha256|blake2s} value
           _value_ use {sign|verify|both}
                  Configure a key for use with the mac interface
                  option. The algorithm is either hmac-sha256 or
                  blake2s. The value is a hexadecimal string (up to 64
                  bytes for hmac-sha256 or up to 32 bytes for
                  blake2s). The use specifies whether the key is used
                  to sign packets, verify packets, or both (signing
                  and verifying packets).

           keyset _name_
                  Create an empty keyset.

           keyset-add-key _keyset-name_ _key-name_
                  Add the key _key-name_ to the keyset _keyset-name_.

           keyset-rm-key _keyset-name_ _key-name_
                  Remove the key _key-name_ from the keyset
                  _keyset-name_.


Thanks!

-- Antonin