Re: [homenet] Fwd: I-D Action: draft-lemon-homenet-babel-security-latest-00.txt
> That makes perfect sense to me. I don't think the DTLS implementation would be
> that hard—is there any chance that anyone would be interested in working on
> this during the hackathon in Singapore?

A student of mine (Antonin, whom you might remember from Berlin) has been
working on that. Unfortunately, it turned out a little bit more difficult than
expected, and so he ran out of summer. He'll come back to it, I believe, but
certainly not before the January exam session is over.

-- Juliusz

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Fwd: I-D Action: draft-lemon-homenet-babel-security-latest-00.txt
On Oct 25, 2017, at 3:06 PM, Juliusz Chroboczek wrote:

> 1. You're using a TLV, which means that the TLV parser runs before auth.
> Is this good practice? What about using the packet trailer?

If you aren't using a shotgun parser, it shouldn't matter.

> 2. A number of security mechanisms are being considered for Babel.
> There's Denis' RFC 7557, which you're aware of. The other technique that
> we're working on is the use of DTLS. See point 3.
>
> 3. The main improvement of RFC6126bis over 6126 is the ability to run Babel
> over unicast with no multicast except for discovery (and no multicast at
> all if discovery is done out of band). This makes it possible to use DTLS
> and/or dynamically keyed IPsec to secure Babel. At least some of the
> participants of the Babel WG are in favour of such an approach.

Yup. DTLS is just convenient—it means that it's not necessary to re-invent
the wheel.

> 4. It is my understanding that there is consensus in the Babel WG that we
> don't adopt before there is an implementation. That's not to diminish
> your input, just the statement of an (IMHO happy) state of affairs.

That makes perfect sense to me. I don't think the DTLS implementation would be
that hard—is there any chance that anyone would be interested in working on
this during the hackathon in Singapore? I say "anyone" because I don't want to
put you on the spot.
Re: [homenet] Fwd: I-D Action: draft-lemon-homenet-babel-security-latest-00.txt
[Added babel@ietf to CC.]

Thanks, Ted.

> https://datatracker.ietf.org/doc/draft-lemon-homenet-babel-security-latest/

I'm not a security specialist, so just a few comments:

1. You're using a TLV, which means that the TLV parser runs before auth.
Is this good practice? What about using the packet trailer?

2. A number of security mechanisms are being considered for Babel.
There's Denis' RFC 7557, which you're aware of. The other technique that
we're working on is the use of DTLS. See point 3.

3. The main improvement of RFC6126bis over 6126 is the ability to run Babel
over unicast with no multicast except for discovery (and no multicast at
all if discovery is done out of band). This makes it possible to use DTLS
and/or dynamically keyed IPsec to secure Babel. At least some of the
participants of the Babel WG are in favour of such an approach.

4. It is my understanding that there is consensus in the Babel WG that we
don't adopt before there is an implementation. That's not to diminish
your input, just the statement of an (IMHO happy) state of affairs.

Dinnertime for me. Be hearing from you later.

-- Juliusz
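The exchange above (point 1 in this message, on the TLV parser running before authentication, and Ted's reply that it does not matter unless the parser is a shotgun parser) as an added example that is not code from either poster, from the draft, or from any Babel implementation. The packet layout, key, magic and version values are constructed for this example and are not the RFC 6126bis or RFC 7557 wire format. It shows the trailer approach: the receiver slices the tag off the end and verifies it over everything before it, so not a single TLV byte is interpreted before the packet authenticates; the TLV walk is also written strictly, since the bounds checks must hold regardless of where the MAC sits.

```python
"""Authenticate-then-parse for a Babel-like TLV packet with the MAC in the trailer.

Constructed toy format (an assumption for this example, not the RFC 6126bis
or RFC 7557 wire format):
    header : magic(1) version(1) body_length(2), big-endian
    body   : TLVs, each type(1) length(1) value(length)
    trailer: HMAC-SHA256 tag (32 bytes) over header + body
"""
import hashlib
import hmac
import struct

MAGIC = 0x2A                                 # constructed value
VERSION = 2                                  # constructed value
HDR = struct.Struct("!BBH")
TAG_LEN = hashlib.sha256().digest_size


def build_packet(key, tlvs):
    """Serialise the TLVs, prepend the header, append the tag as a trailer."""
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)
    header = HDR.pack(MAGIC, VERSION, len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def parse_tlvs(body):
    """Strict TLV walk: every length is bounds-checked and no partial TLV is
    accepted, so even malformed input cannot make the parser read past body."""
    tlvs = []
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated TLV header")
        t, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            raise ValueError("TLV length exceeds body")
        tlvs.append((t, body[off + 2:off + 2 + ln]))
        off += 2 + ln
    return tlvs


def verify_then_parse(key, packet):
    """Trailer check first. The tag is the last TAG_LEN bytes and is computed
    over everything before it, so it is located and verified with no parsing
    of the header or body at all. Returns the TLV list, or raises ValueError
    before any TLV is examined."""
    if len(packet) < HDR.size + TAG_LEN:
        raise ValueError("packet too short")
    authed, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, authed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad MAC")
    # Only now do we look at the header and the TLV body.
    magic, version, body_len = HDR.unpack_from(authed)
    if magic != MAGIC or version != VERSION:
        raise ValueError("bad header")
    body = authed[HDR.size:]
    if len(body) != body_len:
        raise ValueError("body length mismatch")
    return parse_tlvs(body)


def is_valid(key, packet):
    """Boolean convenience wrapper around verify_then_parse."""
    try:
        verify_then_parse(key, packet)
        return True
    except ValueError:
        return False


def demo():
    """Build a packet, accept it, then flip the first TLV's length byte.
    The tampered copy fails on the MAC, so the oversized length never reaches
    parse_tlvs. Returns (parsed TLVs, rejection reason for the tampered copy)."""
    key = b"constructed-shared-key"
    pkt = build_packet(key, [(4, b"\x00\x10"), (8, b"\x02\x00\x00\x00")])
    ok = verify_then_parse(key, pkt)
    tampered = bytearray(pkt)
    tampered[HDR.size + 1] = 0xFF             # length byte of the first TLV
    try:
        verify_then_parse(key, bytes(tampered))
        reason = None
    except ValueError as exc:
        reason = str(exc)
    return ok, reason


if __name__ == "__main__":
    print(demo())
```

The design point is that a trailer tag needs no parsing to locate, whereas a tag carried as a TLV forces the receiver to walk the TLV sequence to find it; the strict `parse_tlvs` is what keeps the latter safe when it is used, which is the "not a shotgun parser" condition in Ted's reply.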
[homenet] Fwd: I-D Action: draft-lemon-homenet-babel-security-latest-00.txt
Oops, given that Juliusz is asking questions about security considerations,
it might be worth sharing this. This isn't just my work, but for reasons
having to do with available time, the other names will have to be added later.

> Begin forwarded message:
>
> From: internet-dra...@ietf.org
> Subject: I-D Action: draft-lemon-homenet-babel-security-latest-00.txt
> Date: October 23, 2017 at 12:06:39 PM EDT
> To:
> Reply-To: internet-dra...@ietf.org
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
>
> Title : Babel Security Model
> Author : Ted Lemon
> Filename: draft-lemon-homenet-babel-security-latest-00.txt
> Pages : 6
> Date: 2017-10-23
>
> Abstract:
> This document describes how to add authenticity to Babel messages so
> as to prevent malicious tampering or black hole attacks. Peer trust
> is outside the scope of this document.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-lemon-homenet-babel-security-latest/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-lemon-homenet-babel-security-latest-00
> https://datatracker.ietf.org/doc/html/draft-lemon-homenet-babel-security-latest-00
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> ___
> I-D-Announce mailing list
> i-d-annou...@ietf.org
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Re: [homenet] draft-ietf-homenet-babel-profile: please review Security Considerations
I think that relying on the trustworthiness of a link is not a great plan.
It might be better to say something like "this protocol relies on the
trustworthiness of the local link. better security can be achieved using
babel security [ref]. keying and configuration for babel security is out of
scope for this document."

> On Oct 25, 2017, at 11:42 AM, Juliusz Chroboczek wrote:
>
>> Please, please, please take the time to read the Security Considerations
>> and tell me if there's anything I need to change.
>
>> https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-02#section-4
>
> This is now
>
> https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-03#section-4
>
> I believe this answers at least some of the concerns that Leif Johansson
> expressed in his early review of 10 August 2017. I believe this is the
> best that we can do without further protocol work, but I would love to be
> proved wrong.
>
> Barbara, Stephen -- should I write up an answer to Leif's security review?
>
> Thanks,
>
> -- Juliusz
Re: [homenet] draft-ietf-homenet-babel-profile: please review Security Considerations
> Please, please, please take the time to read the Security Considerations
> and tell me if there's anything I need to change.

> https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-02#section-4

This is now

https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-03#section-4

I believe this answers at least some of the concerns that Leif Johansson
expressed in his early review of 10 August 2017. I believe this is the
best that we can do without further protocol work, but I would love to be
proved wrong.

Barbara, Stephen -- should I write up an answer to Leif's security review?

Thanks,

-- Juliusz
[homenet] I-D Action: draft-ietf-homenet-babel-profile-03.txt
A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Home Networking WG of the IETF.

Title : Homenet profile of the Babel routing protocol
Author : Juliusz Chroboczek
Filename: draft-ietf-homenet-babel-profile-03.txt
Pages : 8
Date: 2017-10-25

Abstract:
This document defines the subset of the Babel routing protocol
[RFC6126bis] and its extensions that a Homenet router must implement,
as well as the interactions between HNCP [RFC7788] and Babel.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-homenet-babel-profile/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-03
https://datatracker.ietf.org/doc/html/draft-ietf-homenet-babel-profile-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-homenet-babel-profile-03

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
[homenet] draft-ietf-homenet-babel-profile: please review Security Considerations
Dear all,

This is just to remind you that I'm going to request Last Call for
draft-ietf-homenet-babel-profile. I'll be submitting a very slightly amended
(editorial changes only) version in the next days.

Please, please, please take the time to read the Security Considerations
and tell me if there's anything I need to change.

https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-02#section-4

-- Juliusz