[Babel-users] MAC auth. for Babel in babeld
Toke Høiland-Jørgensen
toke at toke.dk
Tue Sep 22 23:27:14 BST 2020
Hi Antonin
Great to see! A few comments:
> The code has not undergone review. No interoperability testing has
> been done.
I've done basic interoperability testing with the latest version of my
MAC implementation for Babel in Bird. They can successfully exchange
messages with both hmac-sha256 and blake2s hash algorithms configured.
A few comments/suggestions on the babeld implementation:
- You don't enforce a minimum key length. For blake2s this means the key
will effectively be zero-padded up to the block size of 32 bytes (not
sure what hmac-sha256 does). For Bird I'm enforcing that the key size
must match the hash output size (32 bytes for both blake2s and
hmac-sha256). This is based on the security considerations section in
the draft; should babeld do the same? (this also tripped me up when
testing, because I accidentally pasted a truncated key into the babeld
config without noticing).
- I think the configuration is a bit verbose. This was the minimal
config I needed to enable MAC in babeld:

    key name test algorithm hmac-sha256 value 7465737474657374746573747465737474657374746573747465737474657374 use both
    keyset test
    keyset-add-key test test
    interface veth0 mac true add-keyset test

The two middle lines feel like they are a bit redundant; could we go
without them for simple configs?
-Toke
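
Added example, not part of the original message and not babeld or Bird code: a Python sketch of the key-length check raised in the first point, rejecting a key whose length differs from the 32-byte hash output, and showing why a truncated hmac-sha256 key otherwise goes unnoticed. The keyword/value parsing of the `key` line is an assumption based on the single config line in the message, and the key is a constructed sample.

```python
import hashlib
import hmac

# Required key length in bytes: the hash output size, which the message says
# Bird enforces (32 bytes for both algorithms).
REQUIRED_KEY_LEN = {"hmac-sha256": 32, "blake2s": 32}


def parse_key_line(line):
    """Split a 'key name N algorithm A value HEX ...' line into a dict.

    Assumption: the options after 'key' are keyword/value pairs, as in the
    config line quoted in the message.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "key" or len(tokens) % 2 == 0:
        raise ValueError("expected: key <keyword> <value> ...")
    return dict(zip(tokens[1::2], tokens[2::2]))


def load_key(line):
    """Return the key bytes, or raise ValueError if the key is unusable."""
    opts = parse_key_line(line)
    algo = opts.get("algorithm")
    if algo not in REQUIRED_KEY_LEN:
        raise ValueError(f"unknown algorithm: {algo!r}")
    try:
        key = bytes.fromhex(opts.get("value", ""))
    except ValueError:
        raise ValueError("key value is not valid hex") from None
    want = REQUIRED_KEY_LEN[algo]
    if len(key) != want:
        raise ValueError(f"{algo} key is {len(key)} bytes, need {want}")
    return key


def hmac_sha256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    full = "74657374" * 8                      # constructed 32-byte sample key
    good = f"key name test algorithm hmac-sha256 value {full} use both"
    bad = good.replace(full, full[:-2])        # last byte lost when pasting
    print(len(load_key(good)), "byte key accepted")
    try:
        load_key(bad)
    except ValueError as e:
        print("rejected:", e)
    short = bytes.fromhex(full[:-2])
    # HMAC zero-pads short keys, so without the check the truncated key
    # behaves exactly like a 32-byte key ending in 0x00:
    print(hmac_sha256(short, b"pkt") == hmac_sha256(short + b"\0", b"pkt"))
```

Without the length check both peers would have to share the same truncation to interoperate, so the mistake surfaces only as unexplained MAC failures.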