[Babel-users] HMAC: should keys expire?

Toke Høiland-Jørgensen toke at toke.dk
Sat Oct 10 22:00:36 BST 2020


Juliusz Chroboczek <jch at irif.fr> writes:

> The thing to understand about HMAC is that while it can be used directly,
> it's really designed to be used with a keying protocol.  This could take
> one of many forms:
>
>  - a central server periodically (say, every 30 minutes) draws a new
>    random key, then contacts all nodes over ssh and installs the new key.
>    A few minutes later, the old keys are removed.
>
>  - every node performs authenticated Diffie-Hellman with each of its
>    neighbours; it installs all the keys negotiated on the relevant
>    interfaces (this assumes that the number of neighbours on each
>    interface is small enough);
>
>  - the nodes periodically perform some form of distributed consensus and
>    agree on a small set of keys.
>
> In all cases, the old keys must expire after the new keys are installed.
> There are two ways to achieve that:
>
>  1. the keying daemon removes the old keys;
>  2. keys are installed with an explicit lifetime, and the routing daemon
>     itself discards the keys when they expire.
>
> Approach 2 feels more robust to me, since it ensures keys will expire even
> if the keying daemon crashes or is stopped for some reason.  Do we need to
> equip keys with an explicit lifetime?

FWIW the Bird configuration format already supports supplying both a
start and end time for key validity:

https://bird.network.cz/?get_doc&v=20&f=bird-3.html#ss3.3

(see suboptions for "password").

I guess it's not quite the same as key expiry (as the keys will
technically still be around in the configuration file), but it does make
it possible to have the daemon enforce a time after which they will no
longer be accepted.

-Toke
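
Approach 2 from the quoted message (keys carry an explicit lifetime and the verifying daemon discards them itself), sketched as an added example; it is not part of the original thread and is not babeld's or Bird's code. The class and field names, the use of HMAC-SHA256, and the policy of signing with the most recently activated key are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TimedKey:
    secret: bytes
    not_before: float  # epoch seconds; key is rejected before this time
    not_after: float   # epoch seconds; key is rejected from this time on


class KeyRing:
    """Keys with explicit lifetimes; the verifier itself enforces expiry."""

    def __init__(self):
        self._keys = []

    def install(self, secret, not_before, not_after):
        if not_after <= not_before:
            raise ValueError("empty validity window")
        self._keys.append(TimedKey(secret, not_before, not_after))

    def purge(self, now):
        # Drop expired key material, so it goes away even if the keying daemon died.
        self._keys = [k for k in self._keys if now < k.not_after]

    def active(self, now):
        self.purge(now)
        return [k for k in self._keys if k.not_before <= now]

    def sign(self, packet, now):
        keys = self.active(now)
        if not keys:
            raise RuntimeError("no valid key: fail closed instead of sending unsigned")
        # Assumed policy: sign with the key that became valid most recently.
        newest = max(keys, key=lambda k: k.not_before)
        return hmac.new(newest.secret, packet, hashlib.sha256).digest()

    def verify(self, packet, tag, now):
        # Accept if any currently valid key matches; compare in constant time.
        ok = False
        for k in self.active(now):
            expected = hmac.new(k.secret, packet, hashlib.sha256).digest()
            ok |= hmac.compare_digest(expected, tag)
        return ok
```

Overlapping validity windows give the rollover period during which both old and new keys are accepted; once `not_after` passes, a tag made with the old key is rejected no matter what the keying daemon is doing.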


