[Babel-users] RFC: Babel packet authentication

Tue Jun 12 19:37:50 UTC 2012

We've just had a long discussion with Denis on IRC.  Here's a summary.

Short summary: this is very impressive work, and I'm very grateful to be
able to accept that as an experimental extension to the Babel protocol
(which is itself experimental).  TLV types 11 and 12 are hereby assigned
to this extension.

Long version.  I still prefer a trailer-based approach, which allows
validating a packet with no knowledge of the packet's structure.
However, Denis' has taken care to mitigate the flaws of a TLV-based
approach (notably by having an "obviously correct" packet validation
function run before any parsing is attempted), he is strongly in favour
of a TLV-based approach, and has a lot of experience with security
features in routing protocols.  I yield to his superior experience.

The design of TLV 11 (cryptographic timestamp) is excellent.  I am fully
confident that it can be reused by a trailer-based extension.

I am slightly less confident about TLV 12 (digest); in particular, I am
not sure that it is necessary to have an explicit field for the
key-id -- I'd simply make the whole body opaque.  However, I don't see
anything actually wrong with the current definition.

I very much like the way of avoiding a pseudo-header in digest
computation (by overwriting the digest with the packet's source
address).

The writeup needs some editing, but nothing serious.  In particular,
it's not clear how to deal with IPv4 source addresses (not an issue for
the current implementation, which only runs over v6).

Commit f2fdcb0 ("babeld: focus Rx packet structure/sizing checks") is
great, I intend to pull it into standalone babeld (with Denis'
permission).  babel_packet_examin I'll rename -- suggestions?  (I
suggest babel_packet_validate.)

Commit 797213b ("babeld: improve Rx check for fixed-size TLVs") is
wrong.  See RFC 6126 Section 4.3, which allows sub-TLVs to be included
into any TLV.  Please revert.

Nothing to say about commit b256107.

Commit c9d6a7f is the big one.  I haven't fully reviewed it yet, but
here's a few things I notice.

We're going to break if the interface has multiple link-local addresses.
Not a big deal -- I don't think we're dealing with that edge-case in the
first place.  Fixing that would require a bunch of system calls for each
packet, probably not worth it.

babel_auth_got_source_address should probably fail if there's no
link-local address rather than returning a non-local one.

Unless I'm missing something, in babel_auth_make_packet there's an
obsolete comment (FIXME: write source address).

That's all for now.  Denis, please feel free to merge your code into the
trunk and document it, any further nits can be corrected there.

-- Juliusz