[Babel-users] HOWTO: MAC security for Babel

Juliusz Chroboczek jch at irif.fr
Tue Jun 8 13:13:37 BST 2021 

Dear all,

A quick tutorial on protecting your Babel network with cryptographic
signatures using the Babel-MAC protocol extension.


0. What does MAC security do?
=============================

It protects your Babel infrastructure by preventing an attacker from
impersonating a Babel router by either spoofing Babel packets or replaying
old Babel packets.

It does not encrypt your Babel traffic: Babel packets are signed, not
encrypted.  This means that tcpdump and wireshark can still be used for
debugging.

It is cheap: you should not see a significant increase in CPU load due to
MAC protection, and the per-packet overhead is moderate (51 bytes for
SHA-256, 35 bytes for Blake2s-128).  It also does not significantly slow
down neighbour acquisition: the initial cryptographic handshake is just
one packet exchange.

It does not protect your non-Babel traffic: for example, it doesn't
prevent an attacker from sending data packets from a spoofed IP address;
you still need to rely on higher-level (HTTPS, SSH, etc.) or lower-layer
(WPA3, OpenVPN, Wireguard) mechanisms for that.  However, since Babel-MAC
will prevent an attacker from spoofing their location in the network
(which router they're using to access the network), it will make it easier
to find the attacker and kindly explain to them that there's a bug
somewhere.  (In no case do we condone the use of physical violence.)

MAC security is implemented in babeld master since 2021-05-31 and BIRD
master since 2021-06-06.


1. Generate a key
=================

Babel-MAC is vulnerable to brute-force attacks, so you should use a strong
key.  The best way is to generate a random key:

    dd if=/dev/random bs=32 count=1 | xxd -ps -c32

The security of Babel-MAC relies on this key only being shared with people
authorised to announce Babel routes.


2. Install the key on your routers
==================================

Babeld
------

On each router running babeld, add the following to the configuration file:

    key id k1 type hmac-sha256 value fe3c...
    default key k1

replacing fec3... with your secret key.  This will enable MAC protection
on all interfaces (you will still need to enable the interfaces, either
from the config file or from the command line).

Alternatively, you may enable MAC protection on just some interfaces:

    key id k1 type hmac-sha256 value fe3c...
    interface eth0
    interface wlan0 key k1

Note that babeld supports using multiple configuration files (specify the
'-c' option multiple times), but will not reload the files automatically
(you'll need to restart babeld whenever you change the keys).


BIRD
----

On each router running Bird, add "authentication mac" and "key" options to
your interface definitions:

    protocol babel {
       interface "eth0" {
           authentication mac;
           key fe3c... {
               algorithm hmac sha256;
           };
       };
    }


3. Restart your network
=======================

Restart all of your Babel routers.  Your routers should associate as
previously.  If you run tcpdump, you should now see that all Babel packets
carry a PC and a MAC:

     $ sudo tcpdump -n -i wlan0 udp
     [...]
     babel 2 (86) hello router-id update/prefix nh update pc | mac


4. Optional: Incremental deployment
===================================

If you need to keep your network running, you may deploy MAC protection
incrementally by temporarily running your routers in a mode in which they
sign packets but don't verify signatures.  In a first step, install your
keys but tell your routers to accept unsigned packets.  In babeld, say

    accept-bad-signatures true

and in Bird

    authentication mac permissive;

After you're satisfied that all routers have the key installed, you may
incrementally start restarting your routers with the permissive option
switched off.


5. Unimplemented: key rotation
==============================

The protocol supports a mode of operation where two keys are used on each
interface, and packets are signed by both.  This is intended to support
key rotation: the new key is added to all routers, then, once this is
done, the old key is removed.

The current code in babeld doesn't support key rotation, since we haven't
been able to find a user interface that's simple and powerful enough to
handle all cases (Antonin's code did have support, but the user interface
was confusing).  The current plan is to gain more experience with MAC
protection before we design a user interface for key rotation.


6. Acknowledgments
==================

The first MAC algorithm for Babel was designed and implemented by Denis
Ovsienko.  The current algorithm was designed and initially implemented by
Clara Dô, Weronika Kołodziejak, and myself.  The code was then extensively
massaged by Antonin Décimo.  The Bird implementation is due to Toke
Høiland-Jørgensen.  Also thanks to Étienne Marais and to Julien Muchembled
(the latter employed by Nexedi, who are good guys).

-- Juliusz

More information about the Babel-users mailing list