Hi Martin,

Thanks for looking into this.

Our threat model should be described in the introduction. From your comments I'm guessing it isn't clear, so we should fix that. The basic idea is that any on-link device can change the routing of the entire network, and that's bad for hopefully obvious reasons. The goal of Babel over DTLS is to prevent that. Can you suggest a better way to convey that?

I've removed the mention of the certificate status request extension, as I don't think it's relevant and don't remember why it was added.

PSK can either be used with:
- one key for the entire network, which does not allow revocation
- one key per node (N), but that requires all nodes to know all keys which allows impersonation
- pairwise (N^2) keys, which does not scale well
so PSK would be suited in the simple case where revocation is not wanted, but in that use-case we recommend Babel-HMAC.

I'll let the Babel-HMAC authors start a separate thread.

David

On Fri, Nov 9, 2018 at 4:26 AM Martin Thomson <martin.thom...@gmail.com> wrote:
> Hi David,
>
> I couldn't find any description of the threat model involved here, nor
> could I find any analysis of the security against that model. Without
> that, I can't really say whether this is right or not. For instance,
> there is specific mention of the certificate status request extension,
> but there is no mention of why.
>
> Given the configuration that I might infer from the hmac draft, I'm a
> little surprised that this doesn't use PSK.
>
> I'm somewhat dismayed by the firm recommendation to use the HMAC
> mechanism, which doesn't seem particularly robust. Offhand, it seems
> like replays are possible if you allow the possibility of the node
> crashing and dumping state. The same applies during a rollover of the
> 32-bit counter. Of course, that might not be permitted by the threat
> model.
>
> On Thu, Nov 8, 2018 at 9:15 AM David Schinazi <dschinazi.i...@gmail.com> wrote:
> >
> > Hi everyone,
> >
> > Over in the Babel working group we have a draft about securing Babel with DTLS:
> > https://tools.ietf.org/html/draft-ietf-babel-dtls-01
> >
> > It's 5 pages long, could any TLS experts please give it a quick read and let us know if we're using DTLS correctly?
> >
> > Also, should the document contain guidance such as which DTLS version to use?
> >
> > Thanks,
> > David
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
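The three PSK layouts listed in David's reply can be compared by modelling which keys each node holds. This is an added example, not part of the thread or of the Babel drafts; the scheme names, the four-node network and every function name are assumptions made for illustration.

```python
from itertools import combinations, permutations

def keys_held(nodes, scheme):
    """Map each node to the set of symmetric keys it must store."""
    if scheme == "network":      # one key shared by the whole network
        return {n: {("net",)} for n in nodes}
    if scheme == "per-node":     # one key per node; verifiers need all of them
        return {n: {("node", m) for m in nodes} for n in nodes}
    if scheme == "pairwise":     # one key per unordered pair of nodes
        pairs = list(combinations(sorted(nodes), 2))
        return {n: {("pair", a, b) for a, b in pairs if n in (a, b)}
                for n in nodes}
    raise ValueError(f"unknown scheme: {scheme}")

def auth_key(scheme, sender, receiver):
    """Key the receiver uses to authenticate traffic from the sender."""
    if scheme == "network":
        return ("net",)
    if scheme == "per-node":
        return ("node", sender)
    return ("pair", *sorted((sender, receiver)))

def analyse(nodes, scheme):
    held = keys_held(nodes, scheme)
    # (x, v, r): node x holds the key that r uses to authenticate v,
    # so x can pass itself off as v when talking to r.
    spoofable = [(x, v, r) for x, v, r in permutations(nodes, 3)
                 if auth_key(scheme, v, r) in held[x]]
    # Evict one node: any key it holds that the remaining nodes still
    # use among themselves has to be replaced before eviction is real.
    evicted = nodes[0]
    rest = [n for n in nodes if n != evicted]
    in_use = {auth_key(scheme, v, r) for v, r in permutations(rest, 2)}
    return {
        "total_keys": len(set().union(*held.values())),
        "keys_per_node": len(held[evicted]),
        "impersonations": len(spoofable),
        "keys_to_replace_on_eviction": len(in_use & held[evicted]),
    }

if __name__ == "__main__":
    nodes = ["A", "B", "C", "D"]   # constructed sample network
    for scheme in ("network", "per-node", "pairwise"):
        print(scheme, analyse(nodes, scheme))
```

Only the pairwise layout lets a node be removed without touching anyone else's keys, at the cost of N(N-1)/2 keys network-wide.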