[Babel-users] [babel] MAC auth. for Babel in babeld
Antonin Décimo
antonin.decimo at gmail.com
Fri Aug 28 21:41:11 BST 2020
Another thing that could be added: a separate table for uncompleted
challenges (see en paragraph of section 7).
> > There is one feature that I have not implemented (yet): expiring
> > per-neighbour state (section 4.4) using the Hello history or a timer
> > based on the last accepted packet.
>
> Yes, you have :-)
Well that’s a relief!
> Please find out if you're allowed to enter the office (not obvious
> due to COVID). If not, I'll ask the boss for permission, or else
> we'll meet at my place.
You’ll have to invite me to allow me to enter the premises 🧛
> > I’m also looking for feedback on the user interface. [...] In
> > particular, do you think that implementing keysets and allowing an
> > unbounded number of keys is too much for babeld?
>
> As a general rule, I'm in favour of reflecting the implementation
> details in the user interface to the extent possible -- if you don't
> do that, the interface becomes confusing to the user who cannot
> build an accurate mental model of what's going on.
After some failed attempts, I had started the other way around and
designed the most complete user interface I could think of, and then
built the implementation to match that model.
> If that's too complicated, I'd rather we add some macros than dumb
> down the interface. (Commands that expand to a sequence of
> lower-level commands.)
Hmm, nice idea. We could have a single keyset of two key slots, shared
by all interfaces, with the simplest user interface. We can have a
pre-configured timer for key rotation during which both keys would be
available.
    interface default mac true
    rotate-key hmac-sha256 0000
    …
    rotate-key hmac-sha256 1111
It’s not clear right now how the 'complete' and the 'simple' interface
could be used at the same time, but that is absolutely workable.
> You should consider what happens to your code when there are too many
> keys, and the MACs no longer fit in a packet. A silent failure would be
> bad.
The packet is not sent. There are two error messages. The buffer is
discarded.
-- Antonin
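
Added example, not part of the original message and not babeld's code: a Python model of the two-slot keyset with a rotate-key macro and of the refusal to send when the MAC TLVs would not fit. The names Keyset, build_trailer, verify and max_len are hypothetical, and the MAC covers only the packet body here (the pseudo-header that RFC 8967 also feeds to the MAC is left out).

```python
import hashlib
import hmac

MAC_TLV_TYPE = 16               # MAC TLV type assigned in RFC 8967
DIGEST_LEN = 32                 # HMAC-SHA256 output size in bytes
MAC_TLV_LEN = 2 + DIGEST_LEN    # type byte + length byte + digest


class Keyset:
    """Hypothetical keyset with a fixed number of slots, newest key first."""

    def __init__(self, slots=2):
        self.slots = slots
        self.keys = []

    def rotate(self, key):
        # Model of the 'rotate-key' macro: the new key takes the first slot,
        # the previous key stays valid, anything older falls off the end.
        self.keys = [key] + self.keys[: self.slots - 1]


def build_trailer(body, keys, max_len):
    """Return one MAC TLV per key, or raise if body + trailer exceed max_len."""
    needed = len(body) + len(keys) * MAC_TLV_LEN
    if needed > max_len:
        # Refuse before writing anything, so the caller can report the error
        # and discard the buffer instead of sending a partly signed packet.
        raise ValueError(f"{len(keys)} MACs need {needed} bytes, limit {max_len}")
    trailer = b""
    for key in keys:
        digest = hmac.new(key, body, hashlib.sha256).digest()
        trailer += bytes([MAC_TLV_TYPE, DIGEST_LEN]) + digest
    return trailer


def verify(body, trailer, keys):
    """Accept the packet if any MAC TLV matches any configured key."""
    for off in range(0, len(trailer), MAC_TLV_LEN):
        tlv = trailer[off:off + MAC_TLV_LEN]
        if len(tlv) != MAC_TLV_LEN or tlv[0] != MAC_TLV_TYPE or tlv[1] != DIGEST_LEN:
            return False        # malformed trailer: reject the whole packet
        for key in keys:
            expected = hmac.new(key, body, hashlib.sha256).digest()
            if hmac.compare_digest(tlv[2:], expected):
                return True
    return False
```

During a rotation the sender emits one MAC per slot, so a neighbour that still holds only the old key keeps accepting packets until it is reconfigured.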