Relaxed Packet Counter Verification for Babel MAC AuthenticationIRIF, University of Paris-CitéCase 7014Paris CEDEX 1375205Francejch@irif.frRed Hattoke@toke.dk
rtg
babelsecurity, authentication, packet reordering, wifiThis document relaxes the packet verification rules defined in "MAC
Authentication for the Babel Routing Protocol" (RFC 8967) in order to make
the protocol more robust in the presence of packet reordering. This
document updates RFC 8967.Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. Specification of Requirements
. Relaxing PC Verification
. Multiple Highest PC Values
. Generalisations
. Window-Based Verification
. Combining the Two Techniques
. Security Considerations
. IANA Considerations
. Normative References
. Informative References
Acknowledgments
Authors' Addresses
IntroductionThe design of the Babel MAC authentication mechanism assumes that packet reordering is an exceptional
occurrence, and the protocol drops any packets that arrive out-of-order.
The assumption that packets are not routinely reordered is generally
correct on wired links, but turns out to be incorrect on some kinds of
wireless links.In particular, IEEE 802.11 (Wi-Fi) defines
a number of power-saving modes that allow stations (mobile nodes) to
switch their radio off for extended periods of time, ranging in the
hundreds of milliseconds. The access point (network switch) buffers all
multicast packets and only sends them out after the power-saving interval
ends. The result is that multicast packets are delayed by up to a few
hundred milliseconds with respect to unicast packets, which, under some
traffic patterns, causes the Packet Counter (PC) verification procedure in
RFC 8967 to systematically fail for multicast packets.This document defines two distinct ways to relax the PC validation:
using two separate receiver-side states, one for unicast and one for
multicast packets (), which allows arbitrary
reordering between unicast and multicast packets, and
using a window of
previously received PC values (), which allows
a bounded amount of reordering between arbitrary packets.
We assume that
reordering between arbitrary packets only happens occasionally, and, since
Babel is designed to gracefully deal with occasional packet loss, usage of
the former mechanism is RECOMMENDED, while usage of the latter is OPTIONAL.
The two mechanisms MAY be used simultaneously ().This document updates RFC 8967 by relaxing the packet verification rules
defined therein. It does not change the security properties of the
protocol.Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Relaxing PC VerificationThe Babel MAC authentication mechanism prevents replay by decorating
every sent packet with a strictly increasing value, the Packet Counter
(PC). Notwithstanding the name, the PC does not actually count packets:
a sender is permitted to increment the PC by more than one between two successively transmitted packets.A receiver maintains the highest PC received from each neighbour. When
a new packet is received, the receiver compares the PC contained in the
packet with the highest received PC:
if the new value is smaller or equal,
then the packet is discarded;
otherwise, the packet is accepted, and the
highest PC value for that neighbour is updated.
Note that there does not exist a one-to-one correspondence between
sender states and receiver states: multiple receiver states track a single
sender state. The receiver states corresponding to a single sender state
are not necessarily identical, since only a subset of receiver states are
updated when a packet is sent to a unicast address or when a multicast
packet is received by a subset of the receivers.Multiple Highest PC ValuesInstead of maintaining a single highest PC value for each neighbour, an
implementation of the procedure described in this section uses two values:
the highest multicast value PCm and the highest non-multicast (unicast)
value PCu. More precisely, the (Index, PC) pair contained in the
neighbour table () is replaced
by a triple (Index, PCm, PCu), where:
Index is an arbitrary string of 0 to 32 octets, and
PCm and PCu are 32-bit (4-octet) integers.
When a Challenge Reply is successful, both highest PC values are updated
to the value contained in the PC TLV from the packet containing the
successful challenge. More precisely, the last sentence of the fourth
bullet point of is replaced
as follows:OLD:
If the packet contains a successful Challenge Reply, then the PC
and Index contained in the PC TLV MUST be stored in the
neighbour table entry corresponding to the sender (which already exists in
this case), and the packet is accepted.
NEW:
If the packet contains a successful Challenge Reply, then the Index
contained in the PC TLV MUST be stored in the Index field of the neighbour
table entry corresponding to the sender (which already exists in this
case), the PC contained in the TLV MUST be stored in both the PCm and
PCu fields of the neighbour table entry, and the packet is accepted.
When a packet that does not contain a successful Challenge Reply is
received, the PC value that it contains is compared to either the PCu or
the PCm field of the corresponding neighbour entry, depending on whether
or not the packet was sent to a multicast address. If the comparison is
successful, then the same value (PCm or PCu) is updated. More precisely,
the last bullet point of is
replaced as follows:OLD:
At this stage, the packet contains no successful Challenge Reply, and the Index contained in the PC TLV is equal to the Index in the neighbour table entry corresponding to the sender. The receiver compares the received PC with the PC contained in the neighbour table; if the received PC is smaller or equal than the PC contained in the neighbour table, the packet MUST be dropped and processing stops (no challenge is sent in this case, since the mismatch might be caused by harmless packet reordering on the link). Otherwise, the PC contained in the neighbour table entry is set to the received PC, and the packet is accepted.
NEW:
At this stage, the packet contains no successful Challenge Reply and
the Index contained in the PC TLV is equal to the Index in the neighbour
table entry corresponding to the sender. The receiver compares the
received PC with either the PCm field (if the packet was sent to a multicast
IP address) or the PCu field (otherwise) in the neighbour table. If the
received PC is smaller than or equal to the value contained in the neighbour
table, the packet MUST be dropped and processing stops. Note that no challenge is
sent in this case, since the mismatch might be caused by harmless packet
reordering on the link. Otherwise, the PCm (if the packet was sent to
a multicast address) or the PCu (otherwise) field contained in the
neighbour table entry is set to the received PC, and the packet is
accepted.
GeneralisationsModern networking hardware tends to maintain more than just two queues,
and it might be tempting to generalise the approach taken to more than
just the two last PC values. For example, one might be tempted to use
distinct last PC values for packets received with different values of the
Type of Service (TOS) field, or with different IEEE 802.11 access
categories. However, choosing a highest PC field by consulting a value
that is not protected by the Message Authentication Code (MAC) () would no longer protect against replay.
In effect, this means that only the destination address and port number
as well as the data stored in the packet body may be used for choosing the highest PC
value, since these are the only fields that are protected by the MAC (in
addition to the source address and port number, which are already used
when choosing the neighbour table entry and therefore provide no
additional information). Since Babel implementations do not usually send
packets with differing TOS values or IEEE 802.11 access categories, this
is unlikely to be an issue in practice.The following example shows why it would be unsafe to select the highest
PC depending on the TOS field. Suppose that a node B were to maintain
distinct highest PC values for different values T1 and T2 of the TOS field,
and that, initially, all of the highest PC fields at B have value 42. Suppose
now that a node A sends a packet P1 with TOS equal to T1 and PC equal to
43; when B receives the packet, it sets the highest PC value associated with
TOS T1 to 43. If an attacker were now to send an exact copy of P1 but
with TOS equal to T2, B would consult the highest PC value associated with
T2, which is still equal to 42, and accept the replayed packet.Window-Based VerificationWindow-based verification is similar to what is described in . When using window-based verification,
in addition to retaining within its neighbour table the highest PC value
PCh seen from every neighbour, an implementation maintains a fixed-size
window of booleans corresponding to PC values directly below PCh. More
precisely, the (Index, PC) pair contained in the neighbour table () is replaced by:
a triple (Index, PCh, Window), where Index is an arbitrary string of
0 to 32 octets, PCh is a 32-bit (4-octet) integer, and Window is a vector
of booleans of size S (the default value S=128 is RECOMMENDED).
The window is a vector of S boolean values numbered from 0 (the "left
edge" of the window) up to S-1 (the "right edge"); the boolean associated
with the index i indicates whether a packet with a PC value of (PCh - (S-1) + i)
has been seen before. Shifting the window to the left by an integer
amount k is defined as moving all values so that the value previously at
index n is now at index (n - k); k values are discarded at the left edge,
and k new unset values are inserted at the right edge.Whenever a packet is received, the receiver computes its index
i = (PC - PCh + S - 1). It then proceeds as follows:
If the index i is negative, the packet is considered too old,
and it MUST be discarded.
If the index i is non-negative and strictly less than the
window size S, the window value at the index is checked. If this
value is already set, the received PC has been seen before and the
packet MUST be discarded. Otherwise, the corresponding window value is marked as set, and the packet is accepted.
If the index i is larger or equal to the window size (i.e., PC
is strictly larger than PCh), the window MUST be shifted to the left by
(i - S + 1) values (or, equivalently, by the difference PC - PCh), and
the highest PC value PCh MUST be set to the received PC. The value at
the right of the window (the value with index S - 1) MUST be set, and
the packet is accepted.
When receiving a successful Challenge Reply, the remembered highest PC
value PCh MUST be set to the value received in the Challenge Reply, and
all of the values in the window MUST be reset except the value at index
S - 1, which MUST be set.Combining the Two TechniquesThe two techniques described above serve complementary purposes:
splitting the state allows multicast packets to be reordered with respect
to unicast ones by an arbitrary number of PC values, while
the window-based technique allows arbitrary packets to be reordered but only
by a bounded number of PC values.
Thus, they can profitably be combined.An implementation that uses both techniques MUST maintain, for every
entry of the neighbour table, two distinct windows, one for multicast and
one for unicast packets. When a successful Challenge Reply is received,
both windows MUST be reset. When a packet that does not contain
a Challenge Reply is received, if the packet's destination address is
a multicast address, the multicast window MUST be consulted and possibly
updated, as described in . Otherwise, the unicast
window MUST be consulted and possibly updated.Security ConsiderationsThe procedures described in this document do not change the security
properties described in . In particular, the choice between the multicast and the
unicast packet counter is made by examining a packet's destination IP address,
which is included in the pseudo-header and therefore participates in MAC
computation. Hence, an attacker cannot change the destination address without
invalidating the MAC, and therefore cannot replay a unicast packet as a
multicast one or vice versa.While these procedures do slightly increase the amount of per-neighbour
state maintained by each node, this increase is marginal (between 4 and 36
octets per neighbour, depending on implementation choices), and should not
significantly impact the ability of nodes to survive denial-of-service
attacks.IANA ConsiderationsThis document has no IANA actions.Normative ReferencesKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.MAC Authentication for the Babel Routing ProtocolThis document describes a cryptographic authentication mechanism for the Babel routing protocol that has provisions for replay avoidance. This document obsoletes RFC 7298.Informative ReferencesIEEE Standard for Information Technology--Telecommunications and Information Exchange between Systems - Local and Metropolitan Area Networks--Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) SpecificationsIEEEIP Encapsulating Security Payload (ESP)This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK]AcknowledgmentsThe authors are greatly indebted to ,
who first identified the problem that this document aims to solve and first
suggested the solution described in .Authors' AddressesIRIF, University of Paris-CitéCase 7014Paris CEDEX 1375205Francejch@irif.frRed Hattoke@toke.dk