[Babel-users] MAC rekeying in babeld and information model

STARK, BARBARA H bs7652 at att.com
Mon Jan 20 16:23:56 GMT 2020


> > Since that revision has Boolean (true/false) parameters of
> > babel-key-use-sign and babel-key-use-verify (but not key-use with
> > values of sign/verify/both), I did want to be sure we were talking
> > about the right model revision.
> 
> The second part of my inquiry -- how does the information model enable
> incremental deployment?  Section 5 of draft-ietf-babel-mac.

Incremental deployment is enabled through the interfaces object babel-mac-verify parameter. Set this parameter to false until all routers have key(s). Then set to true.

> 
> Toke, it would be helpful if we could understand what key-use is intended
> for.  My personal opinion right now is that we should:
> 
>   - remove key-use from the draft;
> 
>   - add a per-interface configuration "allow-unauthentified", which, if set,
>     causes all packets received on that interface to be accepted, whether
>     signed, unsigned, or incorrectly signed.
> 
> Incremental deployment is an important feature, and I think that we need to
> make really sure that the information model allows it.

The key-use-sign and key-use-verify are only peripherally involved in incremental deployment and key rotation -- you need to have at least one key with key-use-verify=true and key-use-sign=true. The common case when incrementally deploying will be to provide a single key with valid and sign = true and all interfaces' babel-mac-verify = false. Once all routers have the key, set babel-mac-verify to true in all routers. When rotating, the common case will be to provide an additional key with valid and sign = true. Once the new key is in all routers, delete the old one.

I don't think an additional per-interface parameter is needed. I think babel-mac-verify should be fine. If the group wants to remove the key-use parameters and only support symmetrical keying, I have no objection. We could also make those parameters optional-to-implement (square brackets), with the expectation that an implementation wouldn't implement them if it only supports symmetric keying.
Barbara
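The deployment and rotation sequence described in this message, as an added worked example; this is not code from draft-ietf-babel-mac, from babeld, or from any of the thread participants. It models the information-model parameters by name (babel-mac-verify per interface, babel-key-use-sign and babel-key-use-verify per key) and assumes: a sender appends one MAC per key with use-sign set, a receiver tries every key with use-verify set against every received MAC and accepts on the first match, and the MAC is HMAC-SHA256 over the packet body alone (the draft's pseudo-header is left out of the toy). The `Key`, `Interface`, `exchange` and `rollout` names are hypothetical, as are the key identifiers and secrets. The rollout walks the four states Barbara describes, and also shows the failure mode of turning babel-mac-verify on before every router has the key.

```python
"""Toy model of babel-mac incremental deployment and key rotation (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Key:
    key_id: str                 # hypothetical label, for readability only
    secret: bytes
    use_sign: bool = True       # babel-key-use-sign
    use_verify: bool = True     # babel-key-use-verify


@dataclass
class Interface:
    name: str
    mac_verify: bool            # babel-mac-verify (per interface)
    keys: list = field(default_factory=list)


def make_mac(secret: bytes, body: bytes) -> bytes:
    # Simplification: HMAC-SHA256 over the packet body only; the draft's
    # pseudo-header is omitted in this model.
    return hmac.new(secret, body, hashlib.sha256).digest()


def send(iface: Interface, body: bytes):
    """Return (body, macs): one MAC per key configured with use_sign=True."""
    macs = [make_mac(k.secret, body) for k in iface.keys if k.use_sign]
    return body, macs


def accept(iface: Interface, body: bytes, macs) -> bool:
    """Accept if verification is off, or if any MAC verifies under any verify key."""
    if not iface.mac_verify:
        return True             # unsigned / unverifiable packets are allowed
    for k in iface.keys:
        if not k.use_verify:
            continue
        expected = make_mac(k.secret, body)
        if any(hmac.compare_digest(m, expected) for m in macs):
            return True
    return False


def exchange(sender: Interface, receiver: Interface, body=b"Babel Hello") -> bool:
    """One packet from sender's interface to receiver's interface."""
    return accept(receiver, *send(sender, body))


def rollout() -> dict:
    """Walk the deployment states from the message; returns which packets were accepted."""
    body = b"Babel Hello"
    k_old = Key("k-2019", b"old-shared-secret")          # constructed secret
    k_new = Key("k-2020", b"new-shared-secret")          # constructed secret
    a = Interface("A:eth0", mac_verify=False, keys=[k_old])
    b = Interface("B:eth0", mac_verify=False)            # legacy router, no key yet
    out = {}

    # Phase 1: only A has the key; both interfaces keep babel-mac-verify=false.
    out["p1_legacy_to_keyed"] = exchange(b, a)           # unsigned, still accepted
    out["p1_keyed_to_legacy"] = exchange(a, b)           # signed, legacy ignores MAC
    a.mac_verify = True                                  # the mistake: verify too early
    out["p1_verify_too_early"] = exchange(b, a)          # B's unsigned packet dropped
    a.mac_verify = False

    # Phase 2: every router has the key, so babel-mac-verify goes to true everywhere.
    b.keys.append(k_old)
    a.mac_verify = b.mac_verify = True
    out["p2_signed"] = exchange(a, b)
    out["p2_unsigned_rejected"] = accept(b, body, [])
    out["p2_wrong_key_rejected"] = accept(b, body, [make_mac(b"attacker", body)])

    # Phase 3: rotation starts; A adds the new key (sign and verify) while B has only the old one.
    a.keys.append(k_new)                                 # A now signs with both keys
    out["p3_new_key_on_a_only"] = exchange(a, b) and exchange(b, a)

    # Phase 4: B has the new key too; the old key is deleted everywhere.
    b.keys.append(k_new)
    a.keys.remove(k_old)
    b.keys.remove(k_old)
    out["p4_old_key_removed"] = exchange(a, b) and exchange(b, a)
    out["p4_old_key_packet_rejected"] = accept(b, body, [make_mac(k_old.secret, body)])
    return out


if __name__ == "__main__":
    for phase, accepted in rollout().items():
        print(f"{phase:28s} accepted={accepted}")
```

In this model Juliusz's proposed per-interface "allow-unauthentified" and babel-mac-verify=false are the same knob: both make `accept` return true without looking at the MACs. Phase 3 only works because the sender attaches one MAC per signing key; a router that still holds only the old key verifies the old MAC and ignores the one it cannot check.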


