From b218a28f61e1e9a93c3a4f2e180590f85df62e79 Mon Sep 17 00:00:00 2001
From: Toke Høiland-Jørgensen
Date: Sat, 17 Apr 2021 15:04:16 +0200
Subject: Babel: Add MAC authentication support

This implements support for MAC authentication in the Babel protocol, as specified by RFC 8967. The implementation seeks to follow the RFC as close as possible, with the only deliberate deviation being the addition of support for all the HMAC algorithms already supported by Bird, as well as the Blake2b variant of the Blake algorithm.

For description of applicability, assumptions and security properties, see RFC 8967 sections 1.1 and 1.2.
---
 doc/bird.sgml | 36 +++-
 proto/babel/Makefile | 2 +-
 proto/babel/babel.c | 156 +++++++++++++++-
 proto/babel/babel.h | 66 ++++++-
 proto/babel/config.Y | 42 ++++-
 proto/babel/packets.c | 496 +++++++++++++++++++++++++++++++++++++++++++++++++-
 6 files changed, 772 insertions(+), 26 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 01725128..8235740e 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -828,8 +828,8 @@ agreement"). The message authentication algorithm for the password when cryptographic authentication is enabled. The default value depends on the protocol.
- For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3
- protocol it is HMAC-SHA-256.
+ For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3 and
+ Babel it is HMAC-SHA-256.
@@ -1817,6 +1817,19 @@ protocol babel [] {
 check link ;
 next hop ipv4
; next hop ipv6
;
+ authentication none|mac [permissive];
+ password "<text>";
+ password "<text>" {
+ id <num>;
+ generate from "<date>";
+ generate to "<date>";
+ accept from "<date>";
+ accept to "<date>";
+ from "<date>";
+ to "<date>";
+ algorithm ( hmac sha1 | hmac sha256 | hmac sha384 | hmac
+ sha512 | blake2s | blake2b );
+ };
 };
 }
@@ -1907,6 +1920,25 @@ protocol babel [] {
 interface. If not set, the same link-local address that is used as the source for Babel packets will be used. In normal operation, it should not be necessary to set this option.
+
+
+ Selects authentication method to be used. . If MAC authentication is
+ selected, the