[Babel-users] Using HMAC in a distributed environment

[Juliusz Chroboczek]

This is in reply to https://github.com/openwrt-routing/packages/issues/678 :

> I'm very interested in MAC authentication for the Babel routing
> protocol. However, I'm unsure if I can apply some of the parts to
> a decentralized network like freifunk, where everyone can
> participate. The basic idea is that I want to exclude unknown members
> through mac authentication? How do your share a secret key between
> neighbors (can I automatize the process?)? Any idea how we can use it?

The issue you have is that you're running a mesh network, so you cannot
easily have per-link keys: you need to have a single global key

The simplest mechanism would be to distribute the secret keys over rsync.
On every host, you run Babel with an extra config file:

    babeld -c /etc/babeld.conf -c /etc/babeld-keys.d/key1.conf

and you have a central host that does, every night,

    key="$(dd if=/dev/random bs=32 count=1 | xxd -ps -c32)"
    echo "key id k1 type hmac-sha256 value $key" > key1.conf
    for i in $hosts; do
       rsync key1.conf babel-keys@"$host":/etc/babeld.keys.d/
       ssh babel@"$host":/etc/init.d/babeld restart
    done

Alternatively, you could have a daemon on each host that performs an HTTPS
GET to fetch the new key.

A better, more robust, solution would be to design a rekeying daemon.
Every 20 minutes, a host performs key generation, then transfers the new
key to each of its neighbours; the neighbours in turn transfer the key to
their, and after a few hops all of the hosts will know the new key.  The
advantage of that is that it doesn't rely on routing working, since it
only uses link-local communication.

The actual key transfer could happen over ssh (which supports
communication with link-local addresses) or using a secure ad-hoc flooding
algorithm.  If you're interested in working on that, I'd be interested in
collaborating.

-- Juliusz