author: Toke Høiland-Jørgensen <toke@toke.dk> 2021-04-17 15:04:16 +0200
committer: Ondrej Zajicek (work) <santiago@crfreenet.org> 2021-06-06 16:28:18 +0200
commit: b218a28f61e1e9a93c3a4f2e180590f85df62e79
tree: d0b83010d01eb77fe2c15e4b0c758115dc08bc63 /doc
parent: 69d10132a6020e00ea2e8f899fdebf8128329699
Babel: Add MAC authentication support
This implements support for MAC authentication in the Babel protocol, as specified by RFC 8967. The implementation seeks to follow the RFC as closely as possible, with the only deliberate deviation being the addition of support for all the HMAC algorithms already supported by Bird, as well as the Blake2b variant of the Blake algorithm. For a description of applicability, assumptions and security properties, see RFC 8967 sections 1.1 and 1.2.
Diffstat (limited to 'doc')
-rw-r--r-- doc/bird.sgml | 36
1 files changed, 34 insertions, 2 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 01725128..8235740e 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -828,8 +828,8 @@ agreement").
<tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 | blake2s128 | blake2s256 | blake2b256 | blake2b512 )</tag>
The message authentication algorithm for the password when cryptographic
authentication is enabled. The default value depends on the protocol.
- For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3
- protocol it is HMAC-SHA-256.
+ For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3 and
+ Babel it is HMAC-SHA-256.
</descrip>
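Review bot: the new sentence gives HMAC-SHA-256 as the Babel default, but the value list of this same option still offers `keyed md5` and `keyed sha1`, which the Babel `password` description added later in this patch says Babel does not accept. A short clause here, such as "(Babel accepts only the HMAC and Blake variants)" or a `<ref id="babel-password">` cross-reference, would stop a reader from picking a keyed algorithm for Babel and only discovering the restriction in another section of the manual.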
@@ -1817,6 +1817,19 @@ protocol babel [<name>] {
check link <switch>;
next hop ipv4 <address>;
next hop ipv6 <address>;
+ authentication none|mac [permissive];
+ password "&lt;text&gt;";
+ password "&lt;text&gt;" {
+ id &lt;num&gt;;
+ generate from "&lt;date&gt;";
+ generate to "&lt;date&gt;";
+ accept from "&lt;date&gt;";
+ accept to "&lt;date&gt;";
+ from "&lt;date&gt;";
+ to "&lt;date&gt;";
+ algorithm ( hmac sha1 | hmac sha256 | hmac sha384 | hmac
+ sha512 | blake2s | blake2b );
+ };
};
}
</code>
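Review bot: the `algorithm` line in the Babel `password` block lists `blake2s | blake2b`, while the common `proto-pass-algorithm` option in the first hunk spells these keywords `blake2s128 | blake2s256 | blake2b256 | blake2b512`. The two lists should use the same keywords so that a reader copying this configuration block does not write an option name the common option never documents; if the short forms are genuine aliases, the `password` description should say so and state which output size they select.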
@@ -1907,6 +1920,25 @@ protocol babel [<name>] {
interface. If not set, the same link-local address that is used as the
source for Babel packets will be used. In normal operation, it should not
be necessary to set this option.
+
+ <tag><label id="babel-authentication">authentication none|mac [permissive]</tag>
+ Selects authentication method to be used. <cf/none/ means that packets
+ are not authenticated at all, <cf/mac/ means MAC authentication is
+ performed as described in <rfc id="8967">. If MAC authentication is
+ selected, the <cf/permissive/ suffix can be used to select an operation
+ mode where outgoing packets are signed, but incoming packets will be
+ accepted even if they fail authentication. This can be useful for
+ incremental deployment of MAC authentication across a network. If MAC
+ authentication is selected, a key must be specified with the
+ <cf/password/ configuration option. Default: none.
+
+ <tag><label id="babel-password">password "<m/text/"</tag> Specifies a
+ password used for authentication. See the <ref id="proto-pass"
+ name="password"> common option for a detailed description. The Babel
+ protocol will only accept HMAC-based algorithms or one of the Blake
+ algorithms, and the length of the supplied password string must match the
+ key size used by the selected algorithm.
+
</descrip>
<sect1>Attributes
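Review bot: the `permissive` paragraph should state plainly that in this mode the receiving side gets no protection at all from unauthenticated or forged packets (only outgoing packets are signed), and it should say whether authentication failures are logged, since an operator needs that signal to know when every peer is signing before turning the mode off. The `password` paragraph says the password length must match the key size of the chosen algorithm but gives no sizes; a list of the required lengths per algorithm, or a pointer to where they are documented, would save trial and error, and the text should say what happens when the length does not match.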