mirror of
https://gitlab.labs.nic.cz/labs/bird.git
synced 2024-05-11 16:54:54 +00:00
Babel: Add MAC authentication support
This implements support for MAC authentication in the Babel protocol, as specified by RFC 8967. The implementation seeks to follow the RFC as closely as possible, with the only deliberate deviation being the addition of support for all the HMAC algorithms already supported by Bird, as well as the Blake2b variant of the Blake algorithm. For a description of applicability, assumptions and security properties, see RFC 8967 sections 1.1 and 1.2.
committed by Ondrej Zajicek (work)
parent 69d10132a6
commit b218a28f61
@@ -828,8 +828,8 @@ agreement").
<tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 | blake2s128 | blake2s256 | blake2b256 | blake2b512 )</tag>
The message authentication algorithm for the password when cryptographic
authentication is enabled. The default value depends on the protocol.
For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3
protocol it is HMAC-SHA-256.
For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3 and
Babel it is HMAC-SHA-256.
</descrip>
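Review bot: the new sentence sets Babel's default to HMAC-SHA-256, but the algorithm list in the <tag> line above still offers keyed md5 and keyed sha1, which the Babel description later in this patch says the protocol will not accept; adding a clause here such as "Babel accepts only the HMAC and Blake2 variants" would save readers from configuring an algorithm that is rejected.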
@@ -1817,6 +1817,19 @@ protocol babel [<name>] {
check link <switch>;
next hop ipv4 <address>;
next hop ipv6 <address>;
authentication none|mac [permissive];
password "<text>";
password "<text>" {
id <num>;
generate from "<date>";
generate to "<date>";
accept from "<date>";
accept to "<date>";
from "<date>";
to "<date>";
algorithm ( hmac sha1 | hmac sha256 | hmac sha384 | hmac
sha512 | blake2s | blake2b );
};
};
}
</code>
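Review bot: the grammar line `algorithm ( hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 | blake2s | blake2b );` names the Blake2 algorithms `blake2s` and `blake2b`, while the common option tag earlier in this patch enumerates them as `blake2s128 | blake2s256 | blake2b256 | blake2b512`; the Babel grammar should use the keywords the parser actually accepts, so either spell out the sized variants here or make the common tag match, otherwise readers will copy a keyword from one section that the other says does not exist.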
@@ -1907,6 +1920,25 @@ protocol babel [<name>] {
interface. If not set, the same link-local address that is used as the
source for Babel packets will be used. In normal operation, it should not
be necessary to set this option.
<tag><label id="babel-authentication">authentication none|mac [permissive]</tag>
Selects authentication method to be used. <cf/none/ means that packets
are not authenticated at all, <cf/mac/ means MAC authentication is
performed as described in <rfc id="8967">. If MAC authentication is
selected, the <cf/permissive/ suffix can be used to select an operation
mode where outgoing packets are signed, but incoming packets will be
accepted even if they fail authentication. This can be useful for
incremental deployment of MAC authentication across a network. If MAC
authentication is selected, a key must be specified with the
<cf/password/ configuration option. Default: none.
<tag><label id="babel-password">password "<m/text/"</tag> Specifies a
password used for authentication. See the <ref id="proto-pass"
name="password"> common option for a detailed description. The Babel
protocol will only accept HMAC-based algorithms or one of the Blake
algorithms, and the length of the supplied password string must match the
key size used by the selected algorithm.
</descrip>
<sect1>Attributes
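Review bot: the description of `permissive` says incoming packets are accepted even if they fail authentication, but it does not say that this mode therefore gives no protection at all for received traffic and should be turned off once every neighbour signs; a sentence to that effect would discourage leaving it enabled permanently after the "incremental deployment" it is meant for. The `password` entry states that the password length must match the key size of the selected algorithm but gives neither the expected sizes nor the behaviour on mismatch; either list the required length per algorithm or state explicitly that a mismatch is rejected at configuration time rather than silently truncated or padded.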