[Babel-users] Babel-MAC merged into master

Juliusz Chroboczek jch at irif.fr
Sun May 30 21:52:58 BST 2021


Dear all,

I've just merged the hmac branch, which implements MAC authentication for
Babel (RFC 8967), into master.  Many, many thanks to Antonin Décimo,
who did a lot of the work needed to clean up the code for inclusion in
babeld.

Here's an example configuration:

  key id k type hmac-sha256 value aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  interface wlan0 key k

The "key" statement defines a key called "k".  The interface statement
"key" option requests that packets be signed with key "k", and that all
incoming packets be verified with the key.

I've checked interoperability with Bird for key type "hmac-sha256".
I wasn't able to confirm interoperability for key type "blake2s"; I still
need to understand what the problem is.

There's one major feature I haven't merged yet, support for key
rotation: only one key is supported, and you cannot change keys at
runtime.  Antonin did implement these features, but I find his
implementation confusing, so I'll wait until grokking comes.

While the protocol has been proved correct, we make no claims beyond the
ones in RFC 8967 Section 1.2; please make sure that you understand the
protocol's limitations.  What is more, while we have tried to be careful,
this code is experimental and might have bugs.  In addition, we only
secure the Babel control traffic: ARP, ND, ICMP and of course user traffic
need to be secured by other means.

Please test, and send complaints and patches.

-- Juliusz


