Mahesh Jethanandani <[email protected]> writes:

> A draft that proposed pair-wise key management was proposed here. It
> does not address the question of timestamp, but is something that
> could be exchanged as part of key rollover to allow routers to
> calculate the delta. Including the original authors of the draft.

I'm sorry, but adding this level of complexity is not in the cards from my
perspective. Layering key exchange over a different out-of-band medium, be
it a slip of paper, a telephone call, ssh or https, seems saner.

>> On Nov 26, 2018, at 6:21 AM, Dave Taht <[email protected]> wrote:
>>
>> To me this leaves key rotation as the biggest remaining problem. Me
>> being me, and remembering just how hard it was to get dnssec working
>> on systems lacking reliable time, I worry about that part. What we
>> settled on for dnsmasq-dnssec was to write the current time to flash
>> every day (or few hours), boot up without dnssec enabled long enough
>> to get an ntp server... and rely on key rollover taking hours or days
>> to *usually* get a correct result. RTCs with batteries are usually
>> not included.
>>
>> That's still fragile (imagine a power failure lasting days, or a box
>> being down for several days for repair. It happens).
>>
>> In the case of routing... if you don't have the correct time... and
>> you can't get a route so you can get the correct time from ntp... then
>> what? Do we make GPSes MTI also?
>>
>> Setting that aside for the moment, having a standardized file format
>> for babel keys would be a boon and boost interoperability between
>> bird/babel and other possible implementations. You would merely
>> declare a key name in the main conf for bird or babel, and reference
>> it in a separate file with a format like this:
>>
>> KEY START_DATE END_DATE TYPE VALUE
>> name\wrfc3339\wrfc3339\wsha256|blake2s\wvalue
>>
>> https://tools.ietf.org/html/rfc3339
>>
>> Administrators would push out this one standard-format file to
>> routers, strongly suggesting that UTC times be used universally and
>> that key rollover should be staged over hours or days lest
>> connectivity be lost. Other sanity checks, like ensuring there is some
>> form of persistent and correct time on routers using authentication,
>> are also needed.
>>
>> Alternatives might include certs and other stuff that bears drinking
>> about.
>>
>> --
>> Dave Täht
>> CTO, TekLibre, LLC
>> http://www.teklibre.com
>> Tel: 1-831-205-9740
>>
>> _______________________________________________
>> babel mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/babel
>
> Mahesh Jethanandani
> [email protected]
>
> _______________________________________________
> Babel-users mailing list
> [email protected]
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
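The key file format sketched in the quoted message (KEY START_DATE END_DATE TYPE VALUE, RFC 3339 timestamps, sha256 or blake2s) and the rollover and wrong-clock concerns around it, as an added example parser and key-selection routine. This is illustrative code written for this page, not code from the thread, from babeld or from bird, and none of the names below are theirs. It assumes whitespace-separated fields, a '#' comment convention, hex-encoded VALUE, validity windows that include START_DATE and exclude END_DATE, and HMAC over the named hash as the MAC construction; the key file it parses is constructed for the example.

```python
"""Parser and key-selection helpers for the proposed babel key file.

Hypothetical format (from the thread, not an implemented babeld/bird feature):
    KEY START_DATE END_DATE TYPE VALUE
with RFC 3339 timestamps and TYPE in {sha256, blake2s}.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# TYPE column -> hash constructor. Assumption: the MAC is HMAC over this hash.
HASHES = {"sha256": hashlib.sha256, "blake2s": hashlib.blake2s}

# Constructed sample key file: two keys whose windows overlap by one week.
SAMPLE_KEYFILE = """\
# constructed example, not from any real router
k2018q4 2018-10-01T00:00:00Z 2019-01-08T00:00:00Z sha256  00112233445566778899aabbccddeeff
k2019q1 2019-01-01T00:00:00Z 2019-04-08T00:00:00Z blake2s ffeeddccbbaa99887766554433221100
"""


@dataclass(frozen=True)
class Key:
    name: str
    start: datetime  # inclusive, UTC
    end: datetime    # exclusive, UTC
    type: str
    value: bytes


def parse_rfc3339(text: str) -> datetime:
    """Parse an RFC 3339 timestamp, reject ones without a UTC offset, normalise to UTC."""
    if text.endswith(("Z", "z")):
        text = text[:-1] + "+00:00"  # fromisoformat() before 3.11 does not accept 'Z'
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {text}")
    return dt.astimezone(timezone.utc)


def parse_keyfile(text: str) -> list[Key]:
    """Parse one key per line; '#' starts a comment. Rejects malformed lines loudly."""
    keys: list[Key] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        name, start, end, ktype, value = fields
        if ktype not in HASHES:
            raise ValueError(f"line {lineno}: unknown key type {ktype!r}")
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
            raise ValueError(f"line {lineno}: VALUE must be even-length hex")
        if any(k.name == name for k in keys):
            raise ValueError(f"line {lineno}: duplicate key name {name!r}")
        start_dt, end_dt = parse_rfc3339(start), parse_rfc3339(end)
        if end_dt <= start_dt:
            raise ValueError(f"line {lineno}: END_DATE is not after START_DATE")
        keys.append(Key(name, start_dt, end_dt, ktype, bytes.fromhex(value)))
    return keys


def active_keys(keys: list[Key], now: datetime) -> list[Key]:
    """All keys whose validity window contains 'now'; during rollover that is more than one."""
    return [k for k in keys if k.start <= now < k.end]


def signing_key(keys: list[Key], now: datetime) -> Key:
    """Sign with the newest-started active key; older active keys only verify."""
    active = active_keys(keys, now)
    if not active:
        raise LookupError(f"no key valid at {now.isoformat()}")
    return max(active, key=lambda k: k.start)


def clock_plausible(keys: list[Key], now: datetime) -> bool:
    """Cheap guard for the no-RTC case: a clock outside the whole key schedule is
    almost certainly wrong, so a router should not start signing with it."""
    return min(k.start for k in keys) <= now < max(k.end for k in keys)


def rollover_problems(keys: list[Key], min_overlap_hours: int = 24) -> list[str]:
    """Report consecutive keys whose windows overlap by less than the staging period."""
    min_overlap = timedelta(hours=min_overlap_hours)
    ordered = sorted(keys, key=lambda k: k.start)
    return [
        f"{prev.name}->{nxt.name}: overlap {prev.end - nxt.start} < {min_overlap}"
        for prev, nxt in zip(ordered, ordered[1:])
        if prev.end - nxt.start < min_overlap
    ]


def mac(key: Key, message: bytes) -> bytes:
    return hmac.new(key.value, message, HASHES[key.type]).digest()


def verify(keys: list[Key], now: datetime, message: bytes, tag: bytes) -> bool:
    """Accept a tag produced under any currently valid key, compared in constant time."""
    return any(hmac.compare_digest(mac(k, message), tag) for k in active_keys(keys, now))


if __name__ == "__main__":
    ks = parse_keyfile(SAMPLE_KEYFILE)
    now = parse_rfc3339("2019-01-03T12:00:00Z")  # inside the overlap week
    print("active:", [k.name for k in active_keys(ks, now)], "signing with:", signing_key(ks, now).name)
    print("rollover problems (24h):", rollover_problems(ks))
    print("clock plausible in 2018-06:", clock_plausible(ks, parse_rfc3339("2018-06-01T00:00:00Z")))
```

The receive side accepts every key whose window contains the local clock, and the send side picks the newest of them, so a fleet whose clocks disagree by less than the overlap keeps exchanging authenticated packets through the rollover; rollover_problems is the check an administrator runs on the file before pushing it, and clock_plausible is the minimal "do I even trust my clock" gate a router without an RTC would apply at boot.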
