[Babel-users] Using HMAC in a distributed environment
Juliusz Chroboczek
jch at irif.fr
Fri Jun 11 14:56:24 BST 2021
This is in reply to https://github.com/openwrt-routing/packages/issues/678 :
> I'm very interested in MAC authentication for the Babel routing
> protocol. However, I'm unsure if I can apply some of the parts to
> a decentralized network like freifunk, where everyone can
> participate. The basic idea is that I want to exclude unknown members
> through mac authentication? How do your share a secret key between
> neighbors (can I automatize the process?)? Any idea how we can use it?
The issue you have is that you're running a mesh network, so you cannot
easily have per-link keys: you need to have a single global key.
The simplest mechanism would be to distribute the secret keys over rsync.
On every host, you run Babel with an extra config file:
babeld -c /etc/babeld.conf -c /etc/babeld-keys.d/key1.conf
and you have a central host that does, every night,
# 32 random bytes, hex-encoded: the HMAC-SHA256 key babeld expects
key="$(dd if=/dev/random bs=32 count=1 2>/dev/null | xxd -ps -c32)"
echo "key id k1 type hmac-sha256 value $key" > key1.conf
for host in $hosts; do
    # same directory babeld is started with (-c /etc/babeld-keys.d/key1.conf)
    rsync key1.conf babel-keys@"$host":/etc/babeld-keys.d/
    # ssh takes the command after the host, not after a colon
    ssh babel@"$host" /etc/init.d/babeld restart
done
Alternatively, you could have a daemon on each host that performs an HTTPS
GET to fetch the new key.
A better, more robust, solution would be to design a rekeying daemon.
Every 20 minutes, a host performs key generation, then transfers the new
key to each of its neighbours; the neighbours in turn transfer the key to
theirs, and after a few hops all of the hosts will know the new key. The
advantage of that is that it doesn't rely on routing working, since it
only uses link-local communication.
The actual key transfer could happen over ssh (which supports
communication with link-local addresses) or using a secure ad-hoc flooding
algorithm. If you're interested in working on that, I'd be interested in
collaborating.
-- Juliusz
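A model of the flooding rekeying daemon sketched above, added here as an example; it is not babeld code and not part of the original post. It assumes a per-key epoch counter (so a host accepts a key only once and ignores replayed older keys), a Host/link object model, and a small constructed topology; the real transport (ssh over link-local addresses) is replaced by direct method calls between neighbour objects.

```python
# Added example: model of link-local flooding rekeying. Illustrative code,
# not babeld's implementation. The epoch counter, the Host/link model and the
# sample topology are assumptions made here.
import hashlib
import hmac
import os
from collections import deque


class Host:
    """A mesh node that only talks to its link-local neighbours."""

    def __init__(self, name):
        self.name = name
        self.neighbours = []   # hosts reachable on a directly attached link
        self.epoch = 0         # highest rekey generation seen so far (assumed)
        self.key = None        # current shared HMAC-SHA256 key (32 bytes)

    def accept_key(self, epoch, key):
        """Install a key only if it is newer than the one we already hold.

        Rejecting epoch <= current stops the flood from looping and makes a
        replayed old key a no-op."""
        if epoch <= self.epoch:
            return False
        self.epoch = epoch
        self.key = key
        return True

    def mac(self, packet):
        """HMAC-SHA256 tag a neighbour would check on a Babel packet."""
        return hmac.new(self.key, packet, hashlib.sha256).digest()

    def verify(self, packet, tag):
        """False if we have no key at all or the tag does not match."""
        return self.key is not None and hmac.compare_digest(self.mac(packet), tag)


def link(a, b):
    """Attach two hosts to a common link (no routing involved)."""
    a.neighbours.append(b)
    b.neighbours.append(a)


def flood_rekey(origin, rng=os.urandom):
    """Generate a fresh 32-byte key at `origin` and flood it hop by hop.

    Returns (key, hops) where hops maps each reached host name to its
    distance from origin. No routing table is consulted: each host only
    pushes the key to its direct neighbours, which push it on in turn."""
    key = rng(32)
    epoch = origin.epoch + 1
    origin.accept_key(epoch, key)
    hops = {origin.name: 0}
    queue = deque([origin])
    while queue:
        host = queue.popleft()
        for nb in host.neighbours:
            if nb.accept_key(epoch, key):      # first time nb sees this epoch
                hops[nb.name] = hops[host.name] + 1
                queue.append(nb)
    return key, hops


def build_mesh():
    """Constructed sample topology: a chain a-b-c-d plus a shortcut b-d,
    and a host z that has no link to anybody."""
    hosts = {n: Host(n) for n in "abcdz"}
    link(hosts["a"], hosts["b"])
    link(hosts["b"], hosts["c"])
    link(hosts["c"], hosts["d"])
    link(hosts["b"], hosts["d"])
    return hosts


def rekey_demo():
    """Rekey from host a and report what each host can do afterwards."""
    hosts = build_mesh()
    key, hops = flood_rekey(hosts["a"])
    connected = [h for n, h in hosts.items() if n != "z"]
    same_key = all(h.key == key for h in connected)
    # A packet tagged by c verifies at its neighbour d, but not at z,
    # which never received any key.
    pkt = b"babel hello"
    tag = hosts["c"].mac(pkt)
    return {
        "hops": hops,
        "same_key": same_key,
        "d_verifies": hosts["d"].verify(pkt, tag),
        "z_verifies": hosts["z"].verify(pkt, tag),
        "replay_rejected": not hosts["d"].accept_key(hosts["d"].epoch, key),
    }


if __name__ == "__main__":
    print(rekey_demo())
```

Any host may originate a rekey; the epoch rule means the most recent generation wins everywhere it can reach, and a host cut off from every link (z above) simply keeps failing MAC checks until a neighbour appears. A real daemon would still need the key push itself to be authenticated (for example ssh host keys pinned on each neighbour), which this model does not address.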