<?xmlversion="1.0" encoding="US-ASCII"?>version='1.0' encoding='utf-8'?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd" []> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?rfc toc="yes"?> <?rfc tocdepth="2"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes" ?> <?rfc compact="no" ?>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" number="8967" docName="draft-ietf-babel-hmac-12" ipr="trust200902"obsoletes="7298">obsoletes="7298" updates="" submissionType="IETF" consensus="true" xml:lang="en" tocInclude="true" tocDepth="2" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.0.0 --> <front> <title abbrev="MACauthenticationAuthentication for Babel">MACauthenticationAuthentication for the Babelrouting protocol</title>Routing Protocol</title> <seriesInfo name="RFC" value="8967"/> <author fullname="ClaraDo"Dô" initials="C."surname="Do">surname="Dô"> <organization>IRIF, University of Paris-Diderot</organization> <address> <postal><street></street> <city>75205 Paris Cedex<city>Paris CEDEX 13</city><region></region> <code></code><code>75205</code> <country>France</country> </postal> <email>clarado_perso@yahoo.fr</email> </address> </author> <author fullname="Weronika Kolodziejak" initials="W." surname="Kolodziejak"> <organization>IRIF, University of Paris-Diderot</organization> <address> <postal><street></street> <city>75205 Paris Cedex<city>Paris CEDEX 13</city><region></region> <code></code><code>75205</code> <country>France</country> </postal> <email>weronika.kolodziejak@gmail.com</email> </address> </author> <author fullname="Juliusz Chroboczek" initials="J." surname="Chroboczek"> <organization>IRIF, University of Paris-Diderot</organization> <address> <postal> <street>Case 7014</street><city>75205 Paris Cedex<city>Paris CEDEX 13</city><region></region> <code></code><code>75205</code> <country>France</country> </postal> <email>jch@irif.fr</email> </address> </author> <dateday="4" month="September" year="2020"/>month="January" year="2021"/> <keyword>routing protocol</keyword> <keyword>authentication</keyword> <keyword>replay</keyword> <keyword>replay protection</keyword> <abstract> <t>This document describes a cryptographic authentication mechanism for the Babel routing protocol that has provisions for replay avoidance. This document obsoletes RFC 7298.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>By default, the Babel routing protocol <xref target="RFC8966" format="default"/> trusts the information contained in every UDP datagram that it receives on the Babel port. An attacker can redirect traffic to itself or to a different node in the network, causing a variety of potential issues. In particular, an attacker might:<list style="symbols"> <t>spoof</t> <ul spacing="normal"> <li>spoof a Babelpacket,packet and redirect traffic by announcing a route with a smaller metric, a larger sequence number, or a longerprefix;</t> <t>spoofprefix;</li> <li>spoof a malformed packet, which could cause an insufficiently robust implementation to crash or interfere with the rest of thenetwork;</t> <t>replaynetwork;</li> <li>replay a previously captured Babel packet, which could cause traffic to be redirected or otherwise interfere with thenetwork.</t> </list></t>network.</li> </ul> <t>Protecting a Babel network is challenging due to the fact that the Babel protocol uses both unicast and multicast communication. One possible approach, used notably by the Babel over Datagram Transport Layer Security (DTLS) protocol <xreftarget="I-D.ietf-babel-dtls"/>,target="RFC8968" format="default"/>, is to use unicast communication for all semantically significant communication, and then use a standard unicast security protocol to protect the Babel traffic. In this document, we take the opposite approach: we define a cryptographic extension to the Babel protocol that is able to protect both unicast and multicasttraffic,traffic and thus requires very few changes to the core protocol. This document obsoletes <xreftarget="RFC7298"/>.</t>target="RFC7298" format="default"/>.</t> <sectiontitle="Applicability">numbered="true" toc="default"> <name>Applicability</name> <t>The protocol defined in this document assumes that all interfaces on a given link are equally trusted and share a small set of symmetric keys (usually just one, and two during key rotation). The protocol is inapplicable in situations where asymmetric keying is required, where the trust relationship is partial, or where large numbers of trusted keys are provisioned on a single link at the same time.</t> <t>This protocol supports incremental deployment (where an insecure Babel network is made secure with no service interruption), and it supports graceful key rotation (where the set of keys is changed with no service interruption).</t> <t>This protocol does not require synchronised clocks, it does not require persistently monotonic clocks, and it does not require persistent storage except for what might be required for storing cryptographic keys.</t> </section> <sectiontitle="Assumptionsanchor="security-properties" numbered="true" toc="default"> <name>Assumptions andsecurity properties" anchor="security-properties">Security Properties</name> <t>The correctness of the protocol relies on the following assumptions:<list style="symbols"> <t>that</t> <ul spacing="normal"> <li>that the Message Authentication Code (MAC) being used is invulnerable to forgery, i.e., that an attacker is unable to generate a packet with a correct MAC without access to the secretkey;</t> <t>thatkey;</li> <li>that a node never generates the same index or nonce twice over the lifetime of akey.</t> </list>key.</li> </ul> <t> The first assumption is a property of the MAC being used. The second assumption can be met either by using a robust random number generator <xreftarget="RFC4086"/>target="RFC4086" format="default"/> and sufficiently large indices and nonces, by using a reliable hardware clock, or by rekeying often enough that collisions are unlikely.</t> <t>If the assumptions above are met, the protocol described in this document has the following properties:<list style="symbols"> <t>it</t> <ul spacing="normal"> <li>it is invulnerable to spoofing: any Babel packet accepted as authentic is the exact copy of a packet originally sent by an authorisednode;</t> <t>locallynode;</li> <li>locally to a single node, it is invulnerable to replay: if a node has previously accepted a given packet, then it will never again accept a copy of this packet or an earlier packet from the samesender;</t> <t>amongsender;</li> <li>among different nodes, it is only vulnerable to immediate replay: if a node A has accepted an authentic packet from C, then a node B will only accept a copy of that packet if B has accepted an older packet fromCC, and B has received no later packet fromC.</t> </list></t>C.</li> </ul> <t>While this protocol makes efforts to mitigate the effects of a denial of service attack, it does not fully protect against such attacks.</t> </section> <sectiontitle="Specificationnumbered="true" toc="default"> <name>Specification ofRequirements"> <t>TheRequirements</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> </section> </section> <sectiontitle="Conceptual overviewnumbered="true" toc="default"> <name>Conceptual Overview of theprotocol">Protocol</name> <t>When a node B sends out a Babel packet through an interface that is configured for MAC cryptographic protection, it computes one or more MACs (one per key)whichthat it appends to the packet. When a node A receives a packet over an interface that requires MAC cryptographic protection, it independently computes a set of MACs and compares them to the MACs appended to the packet; if there is no match, the packet is discarded.</t> <t>In order to protect against replay, B maintains a per-interface 32-bit integer known as the "packet counter" (PC). Whenever B sends a packet through the interface, it embeds the current value of the PC within the region of the packet that is protected by the MACs and increases the PC by at least one. When A receives the packet, it compares the value of the PC with the one contained in the previous packet received from B, and unless it is strictly greater, the packet is discarded.</t> <t>By itself, the PC mechanism is not sufficient to protect against replay. Consider a peer A that has no information about a peer B (e.g., because it has recently rebooted). Suppose that A receives a packet ostensibly from B carrying a given PC; since A has no information about B, it has no way to determine whether the packet is freshly generated or a replay of a previously sent packet.</t> <t>In this situation, peer A discards the packet and challenges B to prove that it knows the MAC key. It sends a"challenge request","Challenge Request", a TLV containing a unique nonce, a value that has never been used before and will never be used again. Peer B replies to thechallenge requestChallenge Request with a"challenge reply","Challenge Reply", a TLV containing a copy of the nonce chosen by A, in a packet protected by MAC and containing the new value of B's PC. Since the nonce has never been used before, B's reply proves B's knowledge of the MAC key and the freshness of the PC.</t> <t>By itself, this mechanism is safe against replay if B never resets its PC. In practice, however, this is difficult to ensure, as persistent storage is prone to failure, and hardware clocks, even when available, are occasionally reset. Suppose that B resets its PC to an earliervalue,value and sends a packet with a previously used PC n. Peer A challenges B, B successfully responds to the challenge, and A accepts the PC equal ton + 1.n + 1. At this point, an attacker C may send a replayed packet with PC equal ton + 2,n + 2, which will be accepted by A.</t> <t>Another mechanism is needed to protect against this attack. In this protocol, every PC is tagged with an "index", an arbitrary string of octets. Whenever B resets its PC, or whenever B doesn't know whether its PC has been reset, it picks an index that it has never used before (either by drawing it randomly or by using a reliable hardware clock) and starts sending PCs with that index. Whenever A detects that B has changed its index, it challenges B again.</t> <t>With this additional mechanism, this protocol is invulnerable to replay attacks (see <xreftarget="security-properties"/> above).</t>target="security-properties" format="default"/>).</t> </section> <sectiontitle="Data Structures">numbered="true" toc="default"> <name>Data Structures</name> <t>Every Babel node maintains a set of conceptual data structures described inSection 3.2 of<xreftarget="RFC6126bis"/>.target="RFC8966" sectionFormat="of" section="3.2"/>. This protocol extends these data structures as follows.</t> <sectiontitle="Theanchor="interface-table" numbered="true" toc="default"> <name>The InterfaceTable" anchor="interface-table">Table</name> <t>Every Babel node maintains an interface table, as described inSection 3.2.3 of<xreftarget="RFC6126bis"/>.target="RFC8966" sectionFormat="of" section="3.2.3"/>. Implementations of this protocolMUST<bcp14>MUST</bcp14> allow each interface to be provisioned with a set of one or more MAC keys and the associated MAC algorithms (see <xreftarget="mac-computation"/>target="mac-computation" format="default"/> for suggestedalgorithms,algorithms and <xreftarget="security-considerations"/>target="security-considerations" format="default"/> for suggested methods for key generation). In order to allow incremental deployment of this protocol (see <xreftarget="incremental-deployment"/>),target="incremental-deployment" format="default"/>), implementationsSHOULD<bcp14>SHOULD</bcp14> allow an interface to be configured in a mode in which it participates in the MAC authentication protocol but accepts packets that are not authenticated.</t> <t>This protocol extends eachentry in thistablethat isentry associated with an interface on which MAC authentication has been configured with two new pieces of data:<list style="symbols"> <t></t> <ul spacing="normal"> <li> a set of one or more MAC keys, each associated with a given MACalgorithm;</t> <t>algorithm;</li> <li> a pair (Index, PC), where Index is an arbitrary string of 0 to 32 octets, and PC is a 32-bit (4-octet)integer.</t> </list>integer.</li> </ul> <t> We say that an index is fresh when it has never been used before with any of the keys currently configured on the interface. The Index field is initialised to a fresh index, forexampleexample, by drawing a random string of sufficient length (see <xreftarget="security-considerations"/>target="security-considerations" format="default"/> for suggested sizes), and the PC is initialised to an arbitrary value (typically 0).</t> </section> <sectiontitle="Thenumbered="true" toc="default"> <name>The Neighbourtable">Table</name> <t>Every Babel node maintains a neighbour table, as described inSection 3.2.4 of<xreftarget="RFC6126bis"/>.target="RFC8966" sectionFormat="of" section="3.2.4"/>. This protocol extends each entry in this table with two new pieces of data:<list style="symbols"> <t></t> <ul spacing="normal"> <li> a pair (Index, PC), where Index is a string of 0 to 32 octets, and PC is a 32-bit (4-octet)integer;</t> <t>integer;</li> <li> a Nonce, which is an arbitrary string of 0 to 192 octets, and an associated challenge expirytimer.</t> </list>timer.</li> </ul> <t> The Index and PC are initially undefined, and they are managed as described in <xreftarget="packet-reception"/>.target="packet-reception" format="default"/>. The Nonce and challenge expiry timer are initially undefined, and they are used as described in <xreftarget="sending-challenges"/>.</t>target="sending-challenges" format="default"/>.</t> </section> </section> <sectiontitle="Protocol Operation">numbered="true" toc="default"> <name>Protocol Operation</name> <sectiontitle="MAC computation" anchor="mac-computation">anchor="mac-computation" numbered="true" toc="default"> <name>MAC Computation</name> <t>A Babel node computes the MAC of a Babel packet as follows.</t> <t>First, the node builds a pseudo-header that will participate in MAC computation but will not be sent. If the packet is carried over IPv6, the pseudo-header has the following format:<figure><artwork><![CDATA[</t> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + Src address + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Src port | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + + | Dest address | + + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Dest port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork></figure>]]></artwork> <t> If the packet is carried over IPv4, the pseudo-header has the following format:<figure><artwork><![CDATA[</t> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Src address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Src port | Dest address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Dest port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork></figure></t> <t>Fields : <list style="hanging" hangIndent="14"> <t hangText="Src address">The]]></artwork> <t>Fields: </t> <dl newline="false" spacing="normal" indent="14"> <dt>Src address</dt> <dd>The source IP address of thepacket.</t> <t hangText="Src port">Thepacket.</dd> <dt>Src port</dt> <dd>The source UDP port number of thepacket.</t> <t hangText="Dest address">Thepacket.</dd> <dt>Dest address</dt> <dd>The destination IP address of thepacket.</t> <t hangText="Src port">Thepacket.</dd> <dt>Src port</dt> <dd>The destination UDP port number of thepacket.</t> </list></t>packet.</dd> </dl> <t>The node takes the concatenation of the pseudo-header and the Babel packet including the packet header but excluding the packet trailer (from octet 0 inclusive up to (BodyLength + 4)Length + 4) exclusive) and computes a MAC with one of the implemented algorithms. Every implementationMUST<bcp14>MUST</bcp14> implement HMAC-SHA256 as defined in <xreftarget="RFC6234"/>target="RFC6234" format="default"/> andSection 2 of<xreftarget="RFC2104"/>, SHOULDtarget="RFC2104" sectionFormat="of" section="2"/>, <bcp14>SHOULD</bcp14> implement keyed BLAKE2s <xreftarget="RFC7693"/>,target="RFC7693" format="default"/> with 128-bit (16-octet) digests, andMAY<bcp14>MAY</bcp14> implement other MAC algorithms.</t> </section> <sectiontitle="Packet Transmission" anchor="packet-transmission">anchor="packet-transmission" numbered="true" toc="default"> <name>Packet Transmission</name> <t>A Babel node might delay actually sending TLVs by a small amount, in order to aggregate multiple TLVs in a single packet up to the interface MTU(Section 4 of <xref target="RFC6126bis"/>).(<xref target="RFC8966" sectionFormat="of" section="4"/>). For an interface on which MAC protection is configured, the TLV aggregation logicMUST<bcp14>MUST</bcp14> take into account the overhead due to PC TLVs (one in each packet) and MAC TLVs (one per configured key).</t> <t>Before sending a packet, the following actions are performed:<list style="symbols"></t> <ul spacing="normal"> <li> <t>a PC TLV containing the PC and Index associated with the outgoing interfaceMUST<bcp14>MUST</bcp14> be appended to the packetbody; thebody;</t> <ul> <li>the PCMUST<bcp14>MUST</bcp14> be incremented by a strictly positive amount (typically just1); if1);</li> <li>if the PC overflows, a fresh indexMUST<bcp14>MUST</bcp14> be generated (as defined in <xreftarget="interface-table"/>); atarget="interface-table" format="default"/>); </li> </ul> <t>a nodeMUST NOT<bcp14>MUST NOT</bcp14> include multiple PC TLVs in a single packet;</t><t>for</li> <li>for each key configured on the interface, a MAC is computed as specified in <xreftarget="mac-computation"/> above,target="mac-computation" format="default"/> and stored in a MAC TLV thatMUST<bcp14>MUST</bcp14> be appended to the packet trailer (seeSection 4.2 of<xreftarget="RFC6126bis"/>).</t> </list></t>target="RFC8966" sectionFormat="of" section="4.2"/>).</li> </ul> </section> <sectiontitle="Packet Reception" anchor="packet-reception">anchor="packet-reception" numbered="true" toc="default"> <name>Packet Reception</name> <t>When a packet is received on an interface that is configured for MAC protection, the following steps are performed before the packet is passed to normal processing: </t><t> <list style="symbols"> <t>First,<ul spacing="normal"> <li>First, the receiver checks whether the trailer of the received packet carries at least one MAC TLV; if not, the packetMUST<bcp14>MUST</bcp14> be immediately dropped and processing stops. Then, for each key configured on the receiving interface, the receiver computes the MAC of the packet. It then compares every generated MAC against every MAC included in the packet; if there is at least one match, the packet passes the MAC test; if there is none, the packetMUST<bcp14>MUST</bcp14> be silently dropped and processing stops at this point. In order to avoid memory exhaustion attacks, an entry in theNeighbour Table MUST NOTneighbour table <bcp14>MUST NOT</bcp14> be created before the MAC test has passed successfully. The MAC of the packetMUST NOT<bcp14>MUST NOT</bcp14> be computed for each MAC TLV contained in the packet, but only once for each configuredkey.</t> <t>Ifkey.</li> <li>If an entry for the sender does not exist in theNeighbour Table,neighbour table, itMAY<bcp14>MAY</bcp14> be created at this point (or, alternatively, its creation can be delayed until a challenge needs to be sent, seebelow);</t> <t>Thebelow).</li> <li>The packet body is then parsed a first time. During this "preparse" phase, the packet body is traversed and all TLVs are ignored except PC, ChallengeRequestRequest, and Challenge Reply TLVs. When a PC TLV is encountered, the enclosed PC and Index are saved for laterprocessing; ifprocessing. If multiple PCs are found (which should not happen, see <xreftarget="packet-transmission"/> above),target="packet-transmission" format="default"/>), only the first one is processed, the remaining onesMUST<bcp14>MUST</bcp14> be silently ignored. If a Challenge Request is encountered, a Challenge ReplyMUST<bcp14>MUST</bcp14> be scheduled, as described in <xreftarget="replying-challenges"/>.target="replying-challenges" format="default"/>. If a Challenge Reply is encountered, it is tested for validity as described in <xreftarget="receiving-challenges"/>target="receiving-challenges" format="default"/>, and a note is made of the result of thetest.</t> <t>Thetest.</li> <li>The preparse phase abovehas yieldedyields two pieces of data: the PC and Index from the first PC TLV, and a bit indicating whether the packet contains a successful Challenge Reply. If the packet does not contain a PC TLV, the packetMUST<bcp14>MUST</bcp14> bedroppeddropped, and processing stops at this point. If the packet contains a successful Challenge Reply, then the PC and Index contained in the PC TLVMUST<bcp14>MUST</bcp14> be stored in theNeighbour Tableneighbour table entry corresponding to the sender (which already exists in this case), and the packet isaccepted.</t> <t>Otherwise,accepted.</li> <li>Otherwise, if there is no entry in theNeighbour Tableneighbour table corresponding to the sender, or if such an entry exists but contains no Index, or if the Index it contains is different from the Index contained in the PC TLV, then a challengeMUST<bcp14>MUST</bcp14> be sent as described in <xreftarget="sending-challenges"/>,target="sending-challenges" format="default"/>, the packetMUST<bcp14>MUST</bcp14> be dropped, and processing stops at thisstage.</t> <t>Atstage.</li> <li>At this stage, the packet contains no successfulchallenge replyChallenge Reply, and the Index contained in the PC TLV is equal to the Index in theNeighbour Tableneighbour table entry corresponding to the sender. The receiver compares the received PC with the PC contained in theNeighbour Table;neighbour table; if the received PC is smaller or equal than the PC contained in theNeighbour Table,neighbour table, the packetMUST<bcp14>MUST</bcp14> be dropped and processing stops (no challenge is sent in this case, since the mismatch might be caused by harmless packet reordering on the link). Otherwise, the PC contained in theNeighbour Tableneighbour table entry is set to the received PC, and the packet isaccepted.</t> </list></t>accepted.</li> </ul> <t>In the algorithm described above,challenge requestsChallenge Requests are processed and challenges are sent before thePC/Index(Index, PC) pair is verified against the neighbour table. This simplifies the implementation somewhat (the node may simply schedule outgoing requests as it walks the packet during the preparsephase),phase) but relies on therate-limitingrate limiting described in <xreftarget="sending-challenges"/>target="sending-challenges" format="default"/> to avoid sending too many challenges in response to replayed packets. As an optimisation, a nodeMAY<bcp14>MAY</bcp14> ignore allchallenge requestsChallenge Requests contained in a packet except the last one, and itMAY<bcp14>MAY</bcp14> ignore achallenge requestChallenge Request in the case where it is contained in a packet with an Index that matches the one in theNeighbour Tableneighbour table and a PC that is smaller or equal to the one contained in theNeighbour Table.neighbour table. Since it is still possible to replay a packet with an obsolete Index, therate-limitingrate limiting described in <xreftarget="sending-challenges"/>target="sending-challenges" format="default"/> is required even if this optimisation is implemented.</t> <t>The same is true ofchallenge replies.Challenge Replies. However, since validating achallenge replyChallenge Reply has minimal additional cost(it's(it is just a bitwise comparison of two strings of octets), a similar optimisation forchallenge repliesChallenge Replies is not worthwhile.</t> <t>After the packet has been accepted, it is processed as normal, except that any PC, ChallengeRequestRequest, and Challenge Reply TLVs that it contains are silently ignored.</t> <sectiontitle="Challenge requestsnumbered="true" toc="default"> <name>Challenge Requests andreplies">Replies</name> <t>During the preparse stage, the receiver might encounter a mismatched Index, to which it will react by scheduling a Challenge Request. It might encounter a Challenge Request TLV, to which it will reply with a Challenge Reply TLV. Finally, it might encounter a Challenge Reply TLV, which it will attempt to match with a previously sent Challenge Request TLV in order to update theNeighbour Tableneighbour table entry corresponding to the sender of the packet.</t> <sectiontitle="Sending challenges" anchor="sending-challenges">anchor="sending-challenges" numbered="true" toc="default"> <name>Sending Challenges</name> <t>When it encounters a mismatched Index during the preparse phase, a node picks a nonce that it has never used with any of the keys currently configured on the relevant interface, forexampleexample, by drawing a sufficiently large random string of bytes or by consulting a strictly monotonic hardware clock. ItMUST<bcp14>MUST</bcp14> then store the nonce in the entry of theNeighbour Tableneighbour table associated to the neighbour (the entry might need to be created at this stage), initialise the neighbour's challenge expiry timer to 30 seconds, and send a Challenge Request TLV to the unicast address corresponding to the neighbour.</t> <t>A nodeMAY<bcp14>MAY</bcp14> aggregate a Challenge Request with other TLVs; in other words, if it has already buffered TLVs to be sent to the unicast address of the neighbour, itMAY<bcp14>MAY</bcp14> send the buffered TLVs in the same packet as the Challenge Request. However, itMUST<bcp14>MUST</bcp14> arrange for the Challenge Request to be sent in a timely manner, as any packets received from that neighbour will be silently ignored until the challenge completes.</t> <t>A nodeMUST<bcp14>MUST</bcp14> impose a rate limitation to the challenges it sends; the limitSHOULD<bcp14>SHOULD</bcp14> default to onechallenge requestChallenge Request every300ms,300 ms andMAY<bcp14>MAY</bcp14> be configurable. This rate limiting serves two purposes. First, since a challenge may be sent in response to a packet replayed by an attacker, it limits the number of challenges that an attacker can cause a node to send. Second, it limits the number of challenges sent when there are multiple packets in flight from a single neighbour.</t> </section> <sectiontitle="Replyinganchor="replying-challenges" numbered="true" toc="default"> <name>Replying tochallenges" anchor="replying-challenges">Challenges</name> <t>When it encounters a Challenge Request during the preparse phase, a node constructs a Challenge Reply TLV by copying the Nonce from the Challenge Request into the Challenge Reply. ItMUST<bcp14>MUST</bcp14> then send the Challenge Reply to the unicast address from which the Challenge Request was sent. A challenge sent to a multicast addressMUST<bcp14>MUST</bcp14> be silently ignored.</t> <t>A nodeMAY<bcp14>MAY</bcp14> aggregate a Challenge Reply with other TLVs; in other words, if it has already buffered TLVs to be sent to the unicast address of the sender of the Challenge Request, itMAY<bcp14>MAY</bcp14> send the buffered TLVs in the same packet as the Challenge Reply. However, itMUST<bcp14>MUST</bcp14> arrange for the Challenge Reply to be sent in a timely manner (within a fewseconds),seconds) andSHOULD NOT<bcp14>SHOULD NOT</bcp14> send any other packets over the same interface before sending the Challenge Reply, as those would be dropped by the challenger.</t> <t>Since achallenge replyChallenge Reply might be caused by a replayedchallenge request,Challenge Request, a nodeMUST<bcp14>MUST</bcp14> impose a rate limitation to thechallenge repliesChallenge Replies it sends; the limitSHOULD<bcp14>SHOULD</bcp14> default to onechallenge replyChallenge Reply for each peer every300ms300 ms andMAY<bcp14>MAY</bcp14> be configurable.</t> </section> <sectiontitle="Receiving challenge replies" anchor="receiving-challenges">anchor="receiving-challenges" numbered="true" toc="default"> <name>Receiving Challenge Replies</name> <t>When it encounters a Challenge Reply during the preparse phase, a node consults theNeighbour Tableneighbour table entry corresponding to the neighbour that sent the Challenge Reply. If no challenge is in progress, i.e., if there is no Nonce stored in theNeighbour Tableneighbour table entry or the challenge timer has expired, the Challenge ReplyMUST<bcp14>MUST</bcp14> be silentlyignoredignored, and the challenge has failed.</t> <t>Otherwise, the node compares the Nonce contained in the Challenge Reply with the Nonce contained in theNeighbour Tableneighbour table entry. If the two are equal (they have the same length and content), then the challenge has succeeded and the nonce stored in theNeighbour Tableneighbour table for this neighbourSHOULD<bcp14>SHOULD</bcp14> be discarded; otherwise, the challenge has failed (and the nonce is not discarded).</t> </section> </section> </section> <sectiontitle="Expiring per-neighbour state" anchor="expire">anchor="expire" numbered="true" toc="default"> <name>Expiring Per-Neighbour State</name> <t>The per-neighbour (Index, PC) pair is maintained in the neighbour table, and is normally discarded when the neighbour table entry expires. ImplementationsMUST<bcp14>MUST</bcp14> ensure that an (Index, PC) pair is discarded within a finite time since the last time a packet has been accepted. In particular, unsuccessful challengesMUST NOT<bcp14>MUST NOT</bcp14> prevent an (Index, PC) pair from being discarded for unbounded periods of time.</t> <t>A possible implementation strategy for implementations that use a Hello history (Appendix A of <xreftarget="RFC6126bis"/>)target="RFC8966" format="default"/>) is to discard the (Index, PC) pair whenever the Hello history becomes empty. Another implementation strategy is to use a timer that is reset whenever a packet isaccepted,accepted and to discard the (Index, PC) pair whenever the timer expires. If the latter strategy isbeingused, the timerSHOULD<bcp14>SHOULD</bcp14> default to a value of5 min,5 minutes andMAY<bcp14>MAY</bcp14> be configurable.</t> </section> </section> <sectiontitle="Incremental deploymentanchor="incremental-deployment" numbered="true" toc="default"> <name>Incremental Deployment andkey rotation" anchor="incremental-deployment">Key Rotation</name> <t>In order to perform incremental deployment, the nodes in the network are first configured in a mode where packets are sent with authentication but not checked on reception. Once all the nodes in the network are configured to send authenticated packets, nodes are reconfigured to reject unauthenticated packets.</t> <t>In order to perform key rotation, the new key is added to all thenodes; oncenodes. Once this is done, both the old and the new key are sent in all packets, and packets are accepted if they are properly signed by either of the keys. At that point, the old key is removed.</t> <t>In order to support the procedures described above, implementations of this protocolSHOULD<bcp14>SHOULD</bcp14> support an interface configuration in which packets are sent authenticated but received packets are accepted without verification, and theySHOULD<bcp14>SHOULD</bcp14> allow changing the set of keys associated with an interface without a restart.</t> </section> <sectiontitle="Packet Format">numbered="true" toc="default"> <name>Packet Format</name> <sectiontitle="MAC TLV"> <figure><artwork><![CDATA[numbered="true" toc="default"> <name>MAC TLV</name> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 16 | Length | MAC... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-]]></artwork></figure> <t>Fields : <list style="hanging" hangIndent="10"> <t hangText="Type">Set]]></artwork> <t>Fields: </t> <dl newline="false" spacing="normal" indent="10"> <dt>Type</dt> <dd>Set to 16 to indicate a MACTLV.</t> <t hangText="Length">TheTLV.</dd> <dt>Length</dt> <dd>The length of the body, in octets, exclusive of the Type and Length fields. The length depends on the MAC algorithm beingused.</t> <t hangText="MAC">Theused.</dd> <dt>MAC</dt> <dd>The body contains the MAC of the packet, computed as described in <xreftarget="mac-computation"/>.</t> </list></t>target="mac-computation" format="default"/>.</dd> </dl> <t>This TLV is allowed in the packet trailer (seeSection 4.2 of<xreftarget="RFC6126bis"/>),target="RFC8966" sectionFormat="of" section="4.2"/>) andMUST<bcp14>MUST</bcp14> be ignored if it is found in the packet body.</t> </section> <sectiontitle="PC TLV"> <figure><artwork><![CDATA[numbered="true" toc="default"> <name>PC TLV</name> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 17 | Length | PC | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Index... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-]]></artwork></figure> <t>Fields : <list style="hanging" hangIndent="10"> <t hangText="Type">Set]]></artwork> <t>Fields: </t> <dl newline="false" spacing="normal" indent="10"> <dt>Type</dt> <dd>Set to 17 to indicate a PCTLV.</t> <t hangText="Length">TheTLV.</dd> <dt>Length</dt> <dd>The length of the body, in octets, exclusive of the Type and Lengthfields.</t> <t hangText="PC">Thefields.</dd> <dt>PC</dt> <dd>The Packet Counter (PC), a 32-bit (4-octet) unsigned integerwhichthat is increased with every packet sent over this interface. A fresh index (as defined in <xreftarget="interface-table"/>) MUSTtarget="interface-table" format="default"/>) <bcp14>MUST</bcp14> be generated whenever the PCoverflows.</t> <t hangText="Index">Theoverflows.</dd> <dt>Index</dt> <dd>The sender's Index, an opaque string of 0 to 32octets.</t> </list></t>octets.</dd> </dl> <t>Indices are limited to a size of 32 octets: a nodeMUST NOT<bcp14>MUST NOT</bcp14> send a TLV with an index of size strictly larger than 32 octets, and a nodeMAY<bcp14>MAY</bcp14> ignore a PC TLV with an index of length strictly larger than 32 octets. Indices of length 0 are valid: if a node has reliable stable storage and the packet counter never overflows, then only one index is necessary, and the value of length 0 is the canonical choice.</t> </section> <sectiontitle="Challengenumbered="true" toc="default"> <name>Challenge RequestTLV"> <figure><artwork><![CDATA[TLV</name> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 18 | Length | Nonce... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-]]></artwork></figure> <t>Fields : <list style="hanging" hangIndent="10"> <t hangText="Type">Set]]></artwork> <t>Fields: </t> <dl newline="false" spacing="normal" indent="10"> <dt>Type</dt> <dd>Set to 18 to indicate a Challenge RequestTLV.</t> <t hangText="Length">TheTLV.</dd> <dt>Length</dt> <dd>The length of the body, in octets, exclusive of the Type and Lengthfields.</t> <t hangText="Nonce">Thefields.</dd> <dt>Nonce</dt> <dd>The nonce uniquely identifying the challenge, an opaque string of 0 to 192octets.</t> </list></t>octets.</dd> </dl> <t>Nonces are limited to a size of 192 octets: a nodeMUST NOT<bcp14>MUST NOT</bcp14> send a Challenge Request TLV with a nonce of size strictly larger than 192 octets, and a nodeMAY<bcp14>MAY</bcp14> ignore a nonce that is of size strictly larger than 192 octets. Nonces of length 0 are valid: if a node has reliable stable storage, then it may use a sequential counter for generating nonceswhichthat get encoded in the minimum number of octets required; the value 0 is then encoded as the string of length 0.</t> </section> <sectiontitle="Challengenumbered="true" toc="default"> <name>Challenge ReplyTLV"> <figure><artwork><![CDATA[TLV</name> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 19 | Length | Nonce... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-]]></artwork></figure> <t>Fields : <list style="hanging" hangIndent="10"> <t hangText="Type">Set]]></artwork> <t>Fields: </t> <dl newline="false" spacing="normal" indent="10"> <dt>Type</dt> <dd>Set to 19 to indicate a Challenge ReplyTLV.</t> <t hangText="Length">TheTLV.</dd> <dt>Length</dt> <dd>The length of the body, in octets, exclusive of the Type and Lengthfields.</t> <t hangText="Nonce">Afields.</dd> <dt>Nonce</dt> <dd>A copy of the nonce contained in the correspondingchallenge request.</t> </list></t>Challenge Request.</dd> </dl> </section> </section> <sectiontitle="Security Considerations" anchor="security-considerations">anchor="security-considerations" numbered="true" toc="default"> <name>Security Considerations</name> <t>This document defines a mechanism that provides basic security properties for the Babel routing protocol. The scope of this protocol is strictly limited: it only provides authentication (we assume that routing information is not confidential), it only supports symmetric keying, and it only allows for the use of a small number of symmetric keys on every link. Deployments that need more features, e.g., confidentiality or asymmetric keying, should use a morefeaturefulfeature-rich security mechanism such as the one described in <xreftarget="I-D.ietf-babel-dtls"/>.</t>target="RFC8968" format="default"/>.</t> <t>This mechanism relies on two assumptions, as described in <xreftarget="security-properties"/>.target="security-properties" format="default"/>. First, it assumes that the MAC being used is invulnerable to forgery(Section 1.1 of <xref target="RFC6039"/>);(<xref target="RFC6039" sectionFormat="of" section="1.1"/>); at the time of writing, HMAC-SHA256, which is mandatory to implement (<xreftarget="mac-computation"/>),target="mac-computation" format="default"/>), is believed to be safe against practical attacks.</t> <t>Second, it assumes that indices and nonces are generated uniquely over the lifetime of a key used for MAC computation (more precisely, indices must be unique for a given (key, source) pair, and nonces must be unique for a given (key, source, destination) triple). This property can be satisfied either by using a cryptographically secure random number generator to generate indices and nonces that contain enough entropy (64-bit values are believed to be large enough for all practicalapplications),applications) or by using a reliably monotonic hardware clock. If uniqueness cannot be guaranteed (e.g., because a hardware clock has been reset), then rekeying is necessary.</t> <t>The expiry mechanism mandated in <xreftarget="expire"/>target="expire" format="default"/> is required to prevent an attacker from delaying an authentic packet by an unbounded amount of time. If an attacker is able to delay the delivery of a packet (e.g., because it is located at alayerLayer 2 switch), then the packet will be accepted as long as the corresponding (Index, PC) pair is present at the receiver. If the attacker is able to cause the (Index, PC) pair to persist for arbitrary amounts of time (e.g., by repeatedly causing failed challenges), then it is able to delay the packet by arbitrary amounts of time, even after the sender has left the network, which could allow it to redirect or blackhole traffic to destinations previously advertised by the sender.</t> <t>This protocol exposes large numbers of packets and their MACs to an attacker that is able to capture packets; it is therefore vulnerable to brute-force attacks. Keys must be chosen in a manner that makes them difficult to guess. Ideally, they should have a length of 32 octets (both for HMAC-SHA256 andBlake2s),BLAKE2s), and be chosen randomly. If, for some reason, it is necessary to derive keys from a human-readable passphrase, it is recommended to use a key derivation function that hampers dictionary attacks, such as PBKDF2 <xreftarget="RFC2898"/>,target="RFC8018" format="default"/>, bcrypt <xreftarget="BCRYPT"/>target="BCRYPT" format="default"/>, or scrypt <xreftarget="RFC7914"/>.target="RFC7914" format="default"/>. In that case, only the derived keys should be communicated to the routers; the original passphrase itself should be kept on the host used to perform the key generation (e.g., anadministator'sadministrator's secure laptop computer).</t> <t>While it is probably not possible to be immune against denial of service (DoS) attacks in general, this protocol includes a number of mechanisms designed to mitigate such attacks. In particular, reception of a packet with no correct MAC creates no local Babel state (<xreftarget="packet-reception"/>).target="packet-reception" format="default"/>). Reception of a replayed packet with correct MAC, on the other hand, causes a challenge to be sent; this is mitigated somewhat by requiring that challenges berate-limitedrate limited (<xreftarget="sending-challenges"/>).</t>target="sending-challenges" format="default"/>).</t> <t>Receiving a replayed packet with an obsolete index causes an entry to be created in theNeighbour Table,neighbour table, which, at first sight, makes the protocol susceptible to resource exhaustion attacks (similarly to the familiar "TCP SYN Flooding" attack <xreftarget="RFC4987"/>).target="RFC4987" format="default"/>). However, the MAC computation includes the sender address (<xreftarget="mac-computation"/>),target="mac-computation" format="default"/>), and thus the amount of storage that an attacker can force a node to consume is limited by the number of distinct source addresses used with a single MAC key (see alsoSection 4 of<xreftarget="RFC6126bis"/>,target="RFC8966" sectionFormat="of" section="4"/>, which mandates that the source address is a link-local IPv6 address or a local IPv4 address).</t> <t>In order to make this kind of resource exhaustion attacks less effective, implementations may use a separate table of uncompleted challenges that is separate from theNeighbour Tableneighbour table used by the core protocol (the data structures described inSection 3.2 of<xreftarget="RFC6126bis"/>target="RFC8966" sectionFormat="of" section="3.2"/> are conceptual, and any data structure that yields the same result may be used). Implementers might also consider using the fact that the nonces included inchallenge requestsChallenge Requests andrepliesReplies can be fairly large (up to 192 octets), which should in principle allow encoding the per-challenge state as a secure "cookie" within the nonce itself;note howevernote, however, that any such scheme will need to prevent cookie replay.</t> </section> <sectiontitle="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA has allocated the following values in the Babel TLV Types registry:</t><texttable> <ttcol>Type</ttcol><ttcol>Name</ttcol><ttcol>Reference</ttcol> <c>16</c><c>MAC</c><c>this document</c> <c>17</c><c>PC</c><c>this document</c> <c>18</c><c>Challenge Request</c><c>this document</c> <c>19</c><c>Challenge Reply</c><c>this document</c> </texttable> </section> <section title="Acknowledgments"> <t>The protocol described in this document is based on the original HMAC protocol defined by Denis Ovsienko <xref target="RFC7298"/>. The use of a pseudo-header was suggested by David Schinazi. The use of an index to avoid replay was suggested by Markus Stenberg. The authors are also indebted to Antonin Decimo, Donald Eastlake, Toke Hoiland-Jorgensen, Florian Horn, Benjamin Kaduk, Dave Taht and Martin Vigoureux.</t><table align="center"> <thead> <tr> <th align="left">Type</th> <th align="left">Name</th> <th align="left">Reference</th> </tr> </thead> <tbody> <tr> <td align="left">16</td> <td align="left">MAC</td> <td align="left">RFC 8967</td> </tr> <tr> <td align="left">17</td> <td align="left">PC</td> <td align="left">RFC 8967</td> </tr> <tr> <td align="left">18</td> <td align="left">Challenge Request</td> <td align="left">RFC 8967</td> </tr> <tr> <td align="left">19</td> <td align="left">Challenge Reply</td> <td align="left">RFC 8967</td> </tr> </tbody> </table> </section> </middle> <back><references title="Normative References"> <reference anchor="RFC2119"><front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author initials="S." surname="Bradner" fullname="S. Bradner"/> <date year="1997" month="March"/> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8174"><front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author initials="B." surname="Leiba" fullname="B. Leiba"/> <date year="2017" month="May"/> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <referenceanchor='RFC6126bis'><front>anchor="RFC8966" target="https://www.rfc-editor.org/info/rfc8966"> <front> <title>The Babel Routing Protocol</title> <authorinitials='J' surname='Chroboczek' fullname='Juliusz Chroboczek'/> <author initials='D' surname='Schinazi' fullname='David Schinazi'/> <date month='October' day='23' year='2018' /> </front> <seriesInfo name='Internet-Draft' value='draft-ietf-babel-rfc6126bis-06'/> </reference> <reference anchor="RFC2104" target="https://www.rfc-editor.org/info/rfc2104"> <front> <title>HMAC: Keyed-Hashing for Message Authentication</title> <author initials="H." surname="Krawczyk" fullname="H. Krawczyk"></author> <author initials="M." surname="Bellare" fullname="M. Bellare"></author> <author initials="R." surname="Canetti" fullname="R. Canetti"></author> <date year="1997" month="February"/> </front> <seriesInfo name="RFC" value="2104"/> <seriesInfo name="DOI" value="10.17487/RFC2104"/> </reference> <reference anchor="RFC6234" target="https://www.rfc-editor.org/info/rfc6234"> <front> <title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title>fullname="Juliusz Chroboczek" initials="J." surname="Chroboczek"/> <author fullname="David Schinazi" initials="D."surname="Eastlake 3rd" fullname="D. Eastlake 3rd"> </author> <author initials="T." surname="Hansen" fullname="T. Hansen"></author> <date year="2011" month="May"/> </front> <seriesInfo name="RFC" value="6234"/> <seriesInfo name="DOI" value="10.17487/RFC6234"/> </reference> <reference anchor="RFC7693" target="https://www.rfc-editor.org/info/rfc7693"> <front> <title>The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)</title> <author initials="M-J." surname="Saarinen" fullname="M-J. Saarinen" role="editor"/> <author initials="J-P." surname="Aumasson" fullname="J-P. Aumasson"/>surname="Schinazi"/> <dateyear="2015" month="November"/>month="January" year="2021"/> </front> <seriesInfo name="RFC"value="7693"/>value="8966"/> <seriesInfo name="DOI"value="10.17487/RFC7693"/>value="10.17487/RFC8966"/> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7693.xml"/> </references><references title="Informational References"><references> <name>Informational References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7298.xml"/> <referenceanchor="RFC7298" target="https://www.rfc-editor.org/info/rfc7298"><front> <title>Babel Hashed Message Authentication Code (HMAC) Cryptographic Authentication</title> <author initials="D." surname="Ovsienko" fullname="D. Ovsienko"></author> <date year="2014" month="July"/> </front> <seriesInfo name="RFC" value="7298"/> <seriesInfo name="DOI" value="10.17487/RFC7298"/> </reference> <reference anchor="I-D.ietf-babel-dtls"><front>anchor="RFC8968" target="https://www.rfc-editor.org/info/rfc8968"> <front> <title>Babel Routing Protocol over Datagram Transport Layer Security</title> <author initials="A"surname="Decimo"surname="Décimo" fullname="AntoninDecimo"/>Décimo"> <organization /> </author> <author initials="D" surname="Schinazi" fullname="DavidSchinazi"/>Schinazi"> <organization /> </author> <author initials="J" surname="Chroboczek" fullname="JuliuszChroboczek"/> <date month="July" day="5" year="2019"/> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-babel-dtls-07"/> <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-babel-dtls-07.txt"/> </reference> <reference anchor="RFC6039" target="https://www.rfc-editor.org/info/rfc6039"> <front> <title> Issues with Existing Cryptographic Protection Methods for Routing Protocols </title> <author initials="V." surname="Manral" fullname="V. Manral"/> <author initials="M." surname="Bhatia" fullname="M. Bhatia"/> <author initials="J." surname="Jaeggli" fullname="J. Jaeggli"/> <author initials="R." surname="White" fullname="R. White"/> <date year="2010" month="October"/> </front> <seriesInfo name="RFC" value="6039"/> <seriesInfo name="DOI" value="10.17487/RFC6039"/> </reference> <reference anchor='RFC4086' target='http://www.rfc-editor.org/info/rfc4086'> <front> <title>Randomness Requirements for Security</title> <author initials='D.' surname='Eastlake 3rd' fullname='D. Eastlake 3rd'/> <author initials='J.' surname='Schiller' fullname='J. Schiller'/> <author initials='S.' surname='Crocker' fullname='S. Crocker'/> <date year='2005' month='June'/> </front> <seriesInfo name='BCP' value='106'/> <seriesInfo name='RFC' value='4086'/> <seriesInfo name='DOI' value='10.17487/RFC4086'/> </reference> <reference anchor="RFC4987" target="https://www.rfc-editor.org/info/rfc4987"> <front> <title>TCP SYN Flooding Attacks and Common Mitigations</title> <author initials="W." surname="Eddy" fullname="W. Eddy"/>Chroboczek"> <organization /> </author> <dateyear="2007" month="August"/>month="January" year="2021" /> </front> <seriesInfo name="RFC"value="4987"/>value="8968" /> <seriesInfo name="DOI"value="10.17487/RFC4987"/>value="10.17487/RFC8968"/> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6039.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4987.xml"/> <reference anchor="BCRYPT"> <front> <title>A Future-Adaptable Password Scheme</title> <author initials="P." surname="Niels" fullname="Niels Provos"/> <author initials="D."surname="Mazieres"surname="Mazières" fullname="DavidMazieres"/>Mazières"/> <date month="June" year="1999"/> </front><annotation>In Proceedings<refcontent>Proceedings of the FREENIX Track: 1999 USENIX Annual TechnicalConference.</annotation> </reference> <reference anchor="RFC2898" target="https://www.rfc-editor.org/info/rfc2898"> <front> <title>PKCS #5: Password-Based Cryptography Specification Version 2.0</title> <author initials="B." surname="Kaliski" fullname="B. Kaliski"/> <date year="2000" month="September"/> </front> <seriesInfo name="RFC" value="2898"/> <seriesInfo name="DOI" value="10.17487/RFC2898"/> </reference> <reference anchor="RFC7914" target="https://www.rfc-editor.org/info/rfc7914"> <front> <title>The scrypt Password-Based Key Derivation Function</title> <author initials="C." surname="Percival" fullname="C. Percival"/> <author initials="S." surname="Josefsson" fullname="S. Josefsson"/> <date year="2016" month="August"/> </front> <seriesInfo name="RFC" value="7914"/> <seriesInfo name="DOI" value="10.17487/RFC7914"/>Conference</refcontent> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8018.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7914.xml"/> </references> </references> <sectiontitle="Changes from previous versions"> <t>[RFC Editor: please remove this section before publication.]</t> <section title="Changes since draft-ietf-babel-hmac-00"> <t><list style="symbols"> <t>Changed the title.</t> <t>Removed the appendix about the packet trailer,numbered="false" toc="default"> <name>Acknowledgments</name> <t>The protocol described in this document isnow in rfc6126bis.</t> <t>Removed the appendix with implicit indices.</t> <t>Clarified the definitions of acronyms.</t> <t>Limitedbased on thesize of nonces and indices.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-01"> <t><list style="symbols"> <t>Made BLAKE2s a recommendedoriginal HMACalgorithm.</t> <t>Added requirement to expire per-neighbour crypto state.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-02"> <t><list style="symbols"> <t>Clarified that PCs are 32-bit unsigned integers.</t> <t>Clarified that indices and nonces are of arbitrary size.</t> <t>Added reference to RFC 4086.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-03"> <t><list style="symbols"> <t>Use the TLV values allocatedprotocol defined byIANA.</t> <t>Fixed an issue with packets that contain a successful challenge reply: they should be accepted before checking the PC value.</t> <t>Clarified that keys are the exact value of the HMAC hash size, and not subject to preprocessing; this makes management more deterministic.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-04"> <t><list style="symbols"> <t>Use normative language in more places.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-05"> <t><list style="symbols"> <t>Do not update RFC 6126bis.</t> <t>Clarify that indices and nonces<contact fullname="Denis Ovsienko"/> <xref target="RFC7298" format="default"/>. The use oflength 0 are valid.</t> <t>Clarify that multiple PC TLVs in a single packet are not allowed.</t> <t>Allow discarding challenge requests when they carry an old PC.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-06"> <t><list style="symbols"> <t>Do not update RFC 6126bis, for real this time.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-07"> <t><list style="symbols"> <t>Clarify thataNeighbour Table entry may be created just after the HMAC has been computed.</t> <t>Clarify that a Neighbour Table entry already exists when a successful Challenge Reply has been received.</t> <t>Expand the Security Considerations section with information about resource exhaustion attacks.</t> </list></t> <section title="Changes since draft-ietf-babel-hmac-08"> <t><list style="symbols"> <t>Fix the size of the key to be equal to the block size, not the hash size.</t> <t>Moved the information about incremental deployment to the body.</t> <t>Clarified the double purposepseudo-header was suggested by <contact fullname="David Schinazi"/>. The use ofrate limitation.</t> <t>Editorial changes.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-09"> <t><list style="symbols"> <t>Renamed HMAC to MAC throughout, relevant rewording.</t> <t>Made it mandatoryan index torate-limit challenge replies in additionavoid replay was suggested by <contact fullname="Markus Stenberg"/>. The authors are also indebted torequests.</t> <t>Added discussion of key generation.</t> <t>Added discussion of the consequences of delaying packets.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-10"> <t><list style="symbols"> <t>Fixed minor typos.</t> </list></t> </section> <section title="Changes since draft-ietf-babel-hmac-11"> <t><list style="symbols"> <t>Clarified that the state SHOULD be discarded after a successful challenge.</t> <t>Replaced "pre-image attack" with "forgery", this is more accurate.</t> <t>Minor editorial changes.</t> </list></t> </section> </section><contact fullname="Antonin Décimo"/>, <contact fullname="Donald Eastlake"/>, <contact fullname="Toke Høiland-Jørgensen"/>, <contact fullname="Florian Horn"/>, <contact fullname="Benjamin Kaduk"/>, <contact fullname="Dave Taht"/>, and <contact fullname="Martin Vigoureux"/>.</t> </section> </back> </rfc>