On Wed, Aug 12, 2015 at 3:23 AM, Russ White <[email protected]> wrote:
>> * lower-layer security (e.g. put a frightening guy or gal with
>> a truncheon in front of each Ethernet plug, or use 802.1X);
>> * HMAC authentication (RFC 7298);
>> * Stenberg-style authentication (move everything to unicast except
>> hellos, use DTLS);
>> * use the replay protection from RFC 7298 together with statically keyed
>> IPsec.
>>
>> There are different tradeoffs between these techniques (reuse of existing
>> libraries vs. compact code, authentication only vs. privacy, etc.), so the
>> current plan is to implement them all and let the community decide. I am
>> therefore strongly opposed to putting any security mechanism in the base
>> spec.
>
> I would allow separate development in this area -- but it does need to be
> done.

I know that the OLSRv2 document was delayed by a long time because we
had planned to put security into a second document.

> I would look at requirements and solutions, and make a single
> decision. Otherwise you fragment the implementations, as not every one of
> these is as easy to implement as it might seem, and you might find holes
> that need to be fixed in all four at some point. A single solution is
> better, IMHO.

The problem is that the selected solution heavily depends on the
network you plan to deploy.

See here for the "compromise" that was used for OLSRv2:
https://tools.ietf.org/html/rfc7181#section-23.5

We should get a security AD involved before we decide "this is enough
for Standard Track Babel" and get an unpleasant surprise.

Henning Rogge

_______________________________________________
Babel-users mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users
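The two options the quoted list names from RFC 7298, per-packet HMAC authentication and replay protection, are easy to misjudge from the names alone. The following is an added illustration, not code from this thread, from babeld, or from RFC 7298: it is a simplified model of what those two mechanisms have to do on the receiving side. The timestamp/packet-counter header, the 32-byte SHA-256 tag, the sender identifier, and the shared key are all constructed for the example; the real protocol carries these values in TLVs with key identifiers and a different layout.

```python
"""Simplified model of per-packet HMAC authentication plus
(timestamp, packet-counter) replay protection.

Constructed example: NOT RFC 7298's wire format. It shows the two
checks a receiver must make, and the order they are made in.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32                    # SHA-256 HMAC tag
HEADER = struct.Struct("!IH")   # 32-bit timestamp, 16-bit packet counter


def seal(key: bytes, ts: int, pc: int, body: bytes) -> bytes:
    """Sender side: prepend (ts, pc) and append an HMAC over header+body."""
    header = HEADER.pack(ts, pc)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """Verifies the tag, then rejects anything not strictly newer than the
    last packet accepted from that sender."""

    def __init__(self, key: bytes):
        self.key = key
        self.last = {}  # sender id -> (ts, pc) of last accepted packet

    def accept(self, sender: str, packet: bytes):
        """Return the authenticated body, or None if the packet is rejected."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        header = packet[:HEADER.size]
        body = packet[HEADER.size:-TAG_LEN]
        tag = packet[-TAG_LEN:]

        # 1. Authenticity first: an unauthenticated (ts, pc) must never be
        #    allowed to advance our replay state.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged, wrong key, or corrupted in transit

        # 2. Freshness: (ts, pc) must be strictly greater than what we saw.
        ts, pc = HEADER.unpack(header)
        if (ts, pc) <= self.last.get(sender, (0, -1)):
            return None  # replayed or stale packet
        self.last[sender] = (ts, pc)
        return body


def demo() -> dict:
    """Walk a constructed exchange through the receiver and report outcomes."""
    key = b"constructed-shared-key"  # provisioned out of band in practice
    rx = Receiver(key)
    sender = "fe80::1"               # constructed neighbour identifier
    p1 = seal(key, 1000, 1, b"hello-tlvs")
    p2 = seal(key, 1000, 2, b"update-tlvs")
    # Flip one bit of p2's last body byte; the tag no longer matches.
    cut = -TAG_LEN - 1
    tampered = p2[:cut] + bytes([p2[cut] ^ 0x01]) + p2[-TAG_LEN:]
    return {
        "fresh": rx.accept(sender, p1),                       # accepted
        "replay": rx.accept(sender, p1),                      # same (ts, pc)
        "next": rx.accept(sender, p2),                        # accepted
        "tampered": rx.accept(sender, tampered),              # bad tag
        "wrong_key": rx.accept(sender, seal(b"other", 1000, 3, b"x")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result!r}")
```

The ordering of the two checks is the point worth taking from the example: verifying the tag before touching the replay window means an attacker who cannot forge the HMAC also cannot push a receiver's counter forward with bogus headers and thereby get legitimate packets dropped.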

