[Babel-users] [babel] MAC auth. for Babel in babeld

Antonin Décimo antonin.decimo at gmail.com
Fri Aug 28 21:41:11 BST 2020


Another thing that could be added: a separate table for uncompleted
challenges (see en paragraph of section 7).


> > There is one feature that I have not implemented (yet): expiring
> > per-neighbour state (section 4.4) using the Hello history or a timer
> > based on the last accepted packet.
>
> Yes, you have :-)

Well that’s a relief!

> Please find out if you're allowed to enter the office (not obvious
> due to COVID). If not, I'll ask the boss for permission, or else
> we'll meet at my place.

You’ll have to invite me to allow me to enter the premises 🧛

> > I’m also looking for feedback on the user interface.  [...]  In
> > particular, do you think that implementing keysets and allowing an
> > unbounded number of keys is too much for babeld?
>
> As a general rule, I'm in favour of reflecting the implementation
> details in the user interface to the extent possible -- if you don't
> do that, the interface becomes confusing to the user who cannot
> build an accurate mental model of what's going on.

After some failed attempts, I had started the other way around and
designed the most complete user interface I could think of, and then
built the implementation to match that model.

> If that's too complicated, I'd rather we add some macros than dumb
> down the interface. (Commands that expand to a sequence of
> lower-level commands.)

Hmm, nice idea. We could have a single keyset of two key slots, shared
by all interfaces, with the simplest user interface. We can have a
pre-configured timer for key rotation during which both keys would be
available.

    interface default mac true
    rotate-key hmac-sha256 0000
    …
    rotate-key hmac-sha256 1111

It’s not clear right now how the 'complete' and the 'simple' interface
could be used at the same time, but that is absolutely workable.

> You should consider what happens to your code when there are too many
> keys, and the MACs no longer fit in a packet. A silent failure would be
> bad.

The packet is not sent. There are two error messages. The buffer is
discarded.

-- Antonin
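
An added example, not part of the original message and not babeld's code: a model of the two-slot keyset with a rotation overlap discussed above, where the sender emits one MAC TLV per active key, the receiver accepts a match on any active key, and signing fails loudly when the MACs do not fit. `Keyset`, `sign`, `verify` and `MAX_TRAILER` are hypothetical names and values; as a simplification the MAC covers only the packet bytes and the trailer holds only two-byte-header TLVs.

```python
import hashlib
import hmac

MAC_TLV_TYPE = 16            # MAC TLV type in the Babel MAC specification
MAC_LEN = 32                 # HMAC-SHA256 output size in bytes
TLV_LEN = 2 + MAC_LEN        # type byte + length byte + MAC
MAX_TRAILER = 3 * TLV_LEN    # constructed budget for this demo, not babeld's limit


class Keyset:
    # Hypothetical two-slot keyset: the current key, plus the previous one
    # for `overlap` seconds after each rotation.
    def __init__(self, overlap):
        self.overlap = overlap
        self.current = None
        self.previous = None
        self.previous_expiry = 0.0

    def rotate(self, key, now):
        self.previous, self.current = self.current, key
        self.previous_expiry = now + self.overlap

    def active(self, now):
        keys = [self.current] if self.current is not None else []
        if self.previous is not None and now < self.previous_expiry:
            keys.append(self.previous)
        return keys


def sign(packet, keys):
    # One MAC TLV per key; raise instead of sending a truncated or unsigned packet.
    if not keys:
        raise ValueError("no active key: refusing to send unauthenticated packet")
    if len(keys) * TLV_LEN > MAX_TRAILER:
        raise OverflowError(f"{len(keys)} MACs do not fit in the packet trailer")
    return b"".join(bytes([MAC_TLV_TYPE, MAC_LEN]) +
                    hmac.new(k, packet, hashlib.sha256).digest() for k in keys)


def verify(packet, trailer, keys):
    # Accept if any well-formed MAC TLV matches any active key.
    macs = []
    while len(trailer) >= 2:
        tlv_type, length = trailer[0], trailer[1]
        if tlv_type == MAC_TLV_TYPE and length == MAC_LEN and len(trailer) >= 2 + length:
            macs.append(trailer[2:2 + length])
        trailer = trailer[2 + length:]
    expected = [hmac.new(k, packet, hashlib.sha256).digest() for k in keys]
    return any(hmac.compare_digest(m, e) for m in macs for e in expected)
```

During the overlap a rotated sender emits two MACs, so a peer that still holds only the old key keeps accepting its packets; once the overlap ends, that peer rejects them until it rotates too.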



