[Babel-users] Babel MAC auth fails due to packet reordering

Juliusz Chroboczek jch at irif.fr
Tue May 3 19:18:07 BST 2022


> I'm seeing babel mac authentication failures related to the packet counter
> on a wireless link. I've tracked this down to being because of packet
> reordering.

Babel-MAC does not deal with packet reordering: we assume that packets
don't get reordered on the local link.  It would be fairly trivial to
extend it to deal with moderate amounts of reordering (by keeping a window
of reordered packets, like in DTLS), but I'd rather we didn't make the
code more complex: this is a security algorithm, and good security relies
on simplicity.

> Wireshark packet traces on both sides look something like this:

Cool, thanks a lot.

> Sender:
> 
>     Src     Dst       PC
>     fe80::1 fe80::2   1452  Babel router-id update update update pc hmac
>     fe80::1 ff02::1:6 1453  Babel hello pc hmac
>     fe80::1 fe80::2   1454  Babel ihu pc hmac
> 
> Receiver:
> 
>     fe80::1 fe80::2   1452  Babel router-id update update update pc hmac
>     fe80::1 fe80::2   1454  Babel ihu pc hmac
>     fe80::1 ff02::1:6 1453  Babel hello pc hmac
> 
> AFAICT babeld shares the packet counter across unicast and multicast
> hellos, however since these constitute different flows it seems reasonable
> for something in the network stack to reorder them.

So the multicast packet overtook the unicast one.  That's probably due to
neighbour discovery delaying the unicast packet.  Could you please provide
the timestamps?

> A quick skimming of RFC 7298 suggests the PC is indeed intended to be
> per-interface without taking the {mult,un}icast bit into account. Is this
> an oversight in the spec?

No, it's by design: the protocol assumes that there is no reordering on
the local link.

Daniel, how often does it happen?  If it's due to neighbour discovery, it
should happen no more often than once per minute, and Babel should be
quite able to compensate for that.  If it happens more often than that,
then we'll need to look into it further, and perhaps implement
a reordering window in HMAC.

-- Juliusz
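
An added illustration, not part of the original message and not babeld's code: the receiver-side order from the trace, plus one constructed replay of PC 1453, checked first with the no-reordering rule and then with a DTLS-style sliding window as mentioned above. The struct and function names and the 64-entry window width are assumptions; Babel-MAC's index and PC wrap-around are left out.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW 64 /* assumed window width; not a value from the thread */

/* Receiver-side order from the trace above, plus a constructed replay of 1453. */
static const uint32_t trace_pcs[] = {1452, 1454, 1453, 1453};

struct pc_state { int have; uint32_t top; uint64_t seen; };

/* No-reordering rule: accept only a PC above the highest one accepted. */
static int strict_accept(struct pc_state *s, uint32_t pc) {
    if (s->have && pc <= s->top) return 0;
    s->have = 1; s->top = pc;
    return 1;
}

/* Window rule: bit i of `seen` records that PC (top - i) was accepted.
   Call only after the packet's MAC has verified, so that forged packets
   cannot advance the window. */
static int window_accept(struct pc_state *s, uint32_t pc) {
    if (!s->have || pc > s->top) {
        uint32_t shift = s->have ? pc - s->top : WINDOW;
        s->seen = (shift >= WINDOW ? 0 : s->seen << shift) | 1;
        s->have = 1; s->top = pc;
        return 1;
    }
    uint32_t off = s->top - pc;
    if (off >= WINDOW) return 0;                  /* older than the window */
    if (s->seen & ((uint64_t)1 << off)) return 0; /* already seen: replay */
    s->seen |= (uint64_t)1 << off;
    return 1;
}

/* Number of packets in pcs[0..n) that the given rule accepts. */
static int count_accepted(int (*rule)(struct pc_state *, uint32_t),
                          const uint32_t *pcs, int n) {
    struct pc_state s = {0, 0, 0};
    int i, ok = 0;
    for (i = 0; i < n; i++) ok += rule(&s, pcs[i]);
    return ok;
}

int main(void) {
    printf("strict: %d of 4 accepted\n", count_accepted(strict_accept, trace_pcs, 4));
    printf("window: %d of 4 accepted\n", count_accepted(window_accept, trace_pcs, 4));
    return 0;
}
```

The strict rule drops the late 1453 hello along with its replay; the window accepts the late hello once and still rejects the replay, at the cost of the extra state and branches.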
