[Babel-users] MAC auth. for Babel in babeld

Toke Høiland-Jørgensen toke at toke.dk
Mon Sep 28 16:45:45 BST 2020


Juliusz Chroboczek <jch at irif.fr> writes:

>> You could simply reject 'mac true' if no key is configured (i.e., reject
>> interface bring-up or reconfig, as appropriate depending on context).
>
> Suppose you were running Babel together with a keying daemon.  Say, one
> that periodically performs an authenticated supersingular isogeny
> Diffie-Hellman exchange and then feeds the resulting key to the Babel
> daemon.
>
> You could of course delay starting the Babel daemon until you got yourself
> a non-empty set of keys, but wouldn't it be more robust to start Babel in
> authenticated mode with no keys (which would cause it to drop packets) and
> then incrementally feed it keys as they are learned?

Hmm, not sure I have any opinion about which would be more robust off
the top of my head. But I can see your point that someone might
implement it that way; and I suppose I could be convinced that such a
configuration could be allowed, as long as it fails safe, of course. I
think that at least emitting a clear warning on startup would help users
avoid the most common configuration errors, though...

-Toke
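
An added example, not part of the original message and not babeld's code: a sketch of the fail-safe behaviour discussed in this thread, where an interface with MAC enabled and no keys warns at startup, drops every packet, and begins accepting traffic once a keying daemon feeds it a key. The class and method names are hypothetical, and HMAC-SHA256 over the bare packet body is a simplifying assumption rather than the exact Babel MAC computation.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("mac-sketch")


class MacInterface:
    """Hypothetical model of one interface configured with 'mac true'."""

    def __init__(self, name, keys=()):
        self.name = name
        self.keys = list(keys)
        if not self.keys:
            # Allowed, but loudly: the interface is deaf until a key arrives.
            log.warning("%s: MAC enabled with no keys; all packets will be "
                        "dropped until a key is configured", name)

    def add_key(self, key):
        """Called by the (hypothetical) keying daemon as keys are learned."""
        if not key:
            raise ValueError("refusing empty key")
        self.keys.append(key)

    def accept(self, body, tag):
        """Return True only if some configured key authenticates the packet."""
        # A packet that carries no MAC is never accepted in authenticated mode.
        if not tag:
            return False
        # Start from "drop": with an empty key list the loop never runs, so
        # the result stays False. Writing this as "reject if a key fails"
        # would be vacuously true with no keys and fail open.
        ok = False
        for key in self.keys:
            expected = hmac.new(key, body, hashlib.sha256).digest()
            # Constant-time comparison; every key is tried so that the old
            # and new key both work during a rollover.
            ok |= hmac.compare_digest(expected, tag)
        return ok
```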


