> On Mar 12, 2019, at 4:10 PM, Juliusz Chroboczek <[email protected]> wrote:
>
>> So, currently, as defined, both HMAC and DTLS are global. Based on what
>> I am reading here, it appears that is not what was intended. So I will
>> join Barbara in saying we do not want to cause a rebellion by suggesting
>> something totally radical here :-)
>
>> BTW, do we want to maintain the ability to have a global config for security
>> such that it applies to all interfaces?
>
> What happens when a new interface is added to an existing configuration?
> With a global configuration, it is automatically and hopefully atomically
> configured with the global configuration. Without a global configuration,
> the new interface might be created with a default security configuration,
> which might (or might not) constitute a security hole.

Agree. Will keep the global configuration option. Requires an update to the IM and DM.

> Both of our security protocols have two properties:
>
> 1. the ability to have multiple credentials configured on a single
> interface at the same time;
> 2. the ability to have different sets of credentials on different
> interfaces.
>
> The first property is what allows incremental key rotation (add the new
> key, which might involve climbing trees, then remove the old key, which,
> again, might involve visiting your local hospital's emergency room after
> you fell off a ladder).

This capability is supported by the keychain model.

> The second property is what enables interconnection of routing domains
> managed by different administrative entities -- you probably don't want to
> share your domain's private keys, so the peering link would most probably
> use a different set of credentials. This is particularly critical for
> HMAC, which only supports symmetric keying.

Hmm. Can the two domains use certs/asymmetric keys to send the symmetric key obtained by one end, in a secure fashion, to the partner domain?

> I think that these are important properties, and they should be reflected
> in the YANG model.
>
> -- Juliusz

Mahesh Jethanandani
[email protected]
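As an added illustration (not the Babel YANG draft's actual data model, nor anything posted in this thread), the following hypothetical YANG fragment shows one way the three points above could coexist: a global key pool that holds several active keys at once (incremental rotation), a global default set so that a newly added interface never starts without credentials, and a per-interface override so that a peering link can use a different set of keys. The module name, namespace and node names are all assumptions.

```yang
module example-babel-security {
  yang-version 1.1;
  namespace "urn:example:babel-security";  // hypothetical namespace
  prefix ebs;

  container security {
    // Global pool of HMAC credentials. More than one key may be active at
    // the same time, so a new key can be added before the old one is removed.
    list hmac-key {
      key "name";
      leaf name { type string; }
      leaf algorithm {
        type enumeration {
          enum hmac-sha256;
          enum blake2s;
        }
      }
      leaf value { type binary; }
      leaf active { type boolean; default true; }
    }
    // Keys applied to every interface that does not select its own set.
    // An interface created later inherits these atomically with the rest of
    // the global configuration instead of coming up with no security.
    leaf-list default-key {
      type leafref { path "../hmac-key/name"; }
    }
  }

  list interface {
    key "name";
    leaf name { type string; }
    // Per-interface selection of credentials. Empty means "use the global
    // default set"; a peering interface to another administrative domain
    // would list only the keys shared with that domain.
    leaf-list key {
      type leafref { path "/security/hmac-key/name"; }
    }
  }
}
```

Because every interface key is a leafref into the global pool, rotating a key means adding the new entry, referencing it alongside the old one, and only then deleting the old entry.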
