On Fri, Mar 8, 2019 at 4:00 PM Juliusz Chroboczek <[email protected]> wrote:
>
> Hi,
>
> I've finally gotten my act together, and reworked Clara's and Weronika's
> implementation of Babel-HMAC. You can get the code by doing
>
> git clone -b hmac --recurse-submodules https://github.com/jech/babeld

Yea! I'll try to clear some time to play with this before ietf. No promises though, I'm frantically busy on other stuff.

>
> While this code is almost completely untested, it is meant to eventually
> implement the protocol described in
>
> https://tools.ietf.org/html/draft-ietf-babel-hmac
>
> Known issues:
>
> - no interop testing has been done yet;
> - we create a neighbour entry too early, which makes us vulnerable to DoS;
> - we compute HMAC for each TLV, rather than just once for the whole
> packet, which, again, makes us vulnerable to DoS;

ugh.

> - we don't timeout neighbours properly, which makes us vulnerable to
> delayed packets;
> - we only support sending one HMAC (receiving multiple HMACs should
> work, but for obvious reasons it's untested);
> - we don't support key rotation.

Sigh. Still, happy to see it! Thanks very much!

>
> You can test this code by saying something like:
>
> babeld -C 'key id test type sha256 value
> ebf49e6fbc6414aa567e30891846e96963cdda73289b9cd245d67ff9d281abc0' -C
> 'interface eth0 hmac test'
>
> The "key" stanza defines a key of type sha256, with the value given as
> a 32 byte-long hex key. The "interface" stanza enables the key on the
> interface eth0.
>
> In addition to "type sha256", we support "type blake2s", which requires
> a 16 byte-long key.
>
> -- Juliusz
>
> _______________________________________________
> Babel-users mailing list
> [email protected]
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users

--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
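
An added example, not part of the messages above and not babeld's code: a Python illustration of two points from the announcement, enforcing the stated key lengths when a "key" stanza is parsed, and authenticating a packet with one MAC computation per configured key over the whole packet, compared in constant time against every received MAC. The function names, the made-up packet bytes and the 16-byte keyed-BLAKE2s tag are assumptions; the draft's exact MAC input is not modelled.

```python
import hashlib
import hmac

# Key type -> required key length in bytes, as stated in the message above.
KEY_LEN = {"sha256": 32, "blake2s": 16}

def parse_key_stanza(stanza):
    """Parse 'key id NAME type TYPE value HEX'; reject wrong-length keys."""
    words = stanza.split()
    if len(words) != 7 or words[0] != "key":
        raise ValueError("expected: key id NAME type TYPE value HEX")
    fields = dict(zip(words[1::2], words[2::2]))
    if set(fields) != {"id", "type", "value"}:
        raise ValueError("missing or unknown field in key stanza")
    if fields["type"] not in KEY_LEN:
        raise ValueError("unsupported key type: " + fields["type"])
    key = bytes.fromhex(fields["value"])  # raises ValueError on non-hex input
    want = KEY_LEN[fields["type"]]
    if len(key) != want:
        raise ValueError("%s needs a %d-byte key, got %d"
                         % (fields["type"], want, len(key)))
    return fields["id"], fields["type"], key

def compute_mac(key_type, key, packet):
    """One MAC over the whole packet (the MAC input layout is an assumption)."""
    if key_type == "sha256":
        return hmac.new(key, packet, hashlib.sha256).digest()
    # Assumption: keyed BLAKE2s, 16-byte tag; the page gives only the key size.
    return hashlib.blake2s(packet, key=key, digest_size=16).digest()

def verify_packet(packet, received_macs, keys):
    """Return the id of the first key that authenticates the packet, else None."""
    # Work done is one MAC per configured key, however many TLVs or MAC
    # values the sender put in the packet.
    for key_id, key_type, key in keys:
        expected = compute_mac(key_type, key, packet)
        ok = False
        for mac in received_macs:  # constant-time compare, no early exit
            ok |= hmac.compare_digest(expected, mac)
        if ok:
            return key_id
    return None

# Constructed sample data: the key is the one from the message, the packet is made up.
STANZA = ("key id test type sha256 value "
          "ebf49e6fbc6414aa567e30891846e96963cdda73289b9cd245d67ff9d281abc0")
PACKET = bytes.fromhex("2a020004") + b"\x04\x02\x00\x00"
```
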
