| RFC 9467 | Babel MAC Relaxed Verification | January 2024 |
| Chroboczek & Høiland-Jørgensen | Standards Track | [Page] |
This document relaxes the packet verification rules defined in "MACAuthentication for the Babel Routing Protocol" (RFC 8967) in order to makethe protocol more robust in the presence of packet reordering. Thisdocument updates RFC 8967.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9467.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The design of the Babel MAC authentication mechanism[RFC8967] assumes that packet reordering is an exceptionaloccurrence, and the protocol drops any packets that arrive out-of-order.The assumption that packets are not routinely reordered is generallycorrect on wired links, but turns out to be incorrect on some kinds ofwireless links.¶
In particular, IEEE 802.11 (Wi-Fi)[IEEE80211] definesa number of power-saving modes that allow stations (mobile nodes) toswitch their radio off for extended periods of time, ranging in thehundreds of milliseconds. The access point (network switch) buffers allmulticast packets and only sends them out after the power-saving intervalends. The result is that multicast packets are delayed by up to a fewhundred milliseconds with respect to unicast packets, which, under sometraffic patterns, causes the Packet Counter (PC) verification procedure inRFC 8967 to systematically fail for multicast packets.¶
This document defines two distinct ways to relax the PC validation:¶
We assume thatreordering between arbitrary packets only happens occasionally, and, sinceBabel is designed to gracefully deal with occasional packet loss, usage ofthe former mechanism isRECOMMENDED, while usage of the latter isOPTIONAL.The two mechanismsMAY be used simultaneously (Section 3.3).¶
This document updates RFC 8967 by relaxing the packet verification rulesdefined therein. It does not change the security properties of theprotocol.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The Babel MAC authentication mechanism prevents replay by decoratingevery sent packet with a strictly increasing value, the Packet Counter(PC). Notwithstanding the name, the PC does not actually count packets:a sender is permitted to increment the PC by more than one between two successively transmitted packets.¶
A receiver maintains the highest PC received from each neighbour. Whena new packet is received, the receiver compares the PC contained in thepacket with the highest received PC:¶
Note that there does not exist a one-to-one correspondence betweensender states and receiver states: multiple receiver states track a singlesender state. The receiver states corresponding to a single sender stateare not necessarily identical, since only a subset of receiver states areupdated when a packet is sent to a unicast address or when a multicastpacket is received by a subset of the receivers.¶
Instead of maintaining a single highest PC value for each neighbour, animplementation of the procedure described in this section uses two values:the highest multicast value PCm and the highest non-multicast (unicast)value PCu. More precisely, the (Index, PC) pair contained in theneighbour table (Section 3.2 of [RFC8967]) is replacedby a triple (Index, PCm, PCu), where:¶
When a Challenge Reply is successful, both highest PC values are updatedto the value contained in the PC TLV from the packet containing thesuccessful challenge. More precisely, the last sentence of the fourthbullet point ofSection 4.3 of [RFC8967] is replacedas follows:¶
OLD:¶
If the packet contains a successful Challenge Reply, then the PCand Index contained in the PC TLVMUST be stored in theneighbour table entry corresponding to the sender (which already exists inthis case), and the packet is accepted.¶
NEW:¶
If the packet contains a successful Challenge Reply, then the Indexcontained in the PC TLVMUST be stored in the Index field of the neighbourtable entry corresponding to the sender (which already exists in thiscase), the PC contained in the TLVMUST be stored in both the PCm andPCu fields of the neighbour table entry, and the packet is accepted.¶
When a packet that does not contain a successful Challenge Reply isreceived, the PC value that it contains is compared to either the PCu orthe PCm field of the corresponding neighbour entry, depending on whetheror not the packet was sent to a multicast address. If the comparison issuccessful, then the same value (PCm or PCu) is updated. More precisely,the last bullet point ofSection 4.3 of [RFC8967] isreplaced as follows:¶
OLD:¶
At this stage, the packet contains no successful Challenge Reply, and the Index contained in the PC TLV is equal to the Index in the neighbour table entry corresponding to the sender. The receiver compares the received PC with the PC contained in the neighbour table; if the received PC is smaller or equal than the PC contained in the neighbour table, the packetMUST be dropped and processing stops (no challenge is sent in this case, since the mismatch might be caused by harmless packet reordering on the link). Otherwise, the PC contained in the neighbour table entry is set to the received PC, and the packet is accepted.¶
NEW:¶
At this stage, the packet contains no successful Challenge Reply andthe Index contained in the PC TLV is equal to the Index in the neighbourtable entry corresponding to the sender. The receiver compares thereceived PC with either the PCm field (if the packet was sent to a multicastIP address) or the PCu field (otherwise) in the neighbour table. If thereceived PC is smaller than or equal to the value contained in the neighbourtable, the packetMUST be dropped and processing stops. Note that no challenge issent in this case, since the mismatch might be caused by harmless packetreordering on the link. Otherwise, the PCm (if the packet was sent toa multicast address) or the PCu (otherwise) field contained in theneighbour table entry is set to the received PC, and the packet isaccepted.¶
Modern networking hardware tends to maintain more than just two queues,and it might be tempting to generalise the approach taken to more thanjust the two last PC values. For example, one might be tempted to usedistinct last PC values for packets received with different values of theType of Service (TOS) field, or with different IEEE 802.11 accesscategories. However, choosing a highest PC field by consulting a valuethat is not protected by the Message Authentication Code (MAC) (Section 4.1 of [RFC8967]) would no longer protect against replay.In effect, this means that only the destination address and port numberas well as the data stored in the packet body may be used for choosing the highest PCvalue, since these are the only fields that are protected by the MAC (inaddition to the source address and port number, which are already usedwhen choosing the neighbour table entry and therefore provide noadditional information). Since Babel implementations do not usually sendpackets with differing TOS values or IEEE 802.11 access categories, thisis unlikely to be an issue in practice.¶
The following example shows why it would be unsafe to select the highestPC depending on the TOS field. Suppose that a node B were to maintaindistinct highest PC values for different values T1 and T2 of the TOS field,and that, initially, all of the highest PC fields at B have value 42. Supposenow that a node A sends a packet P1 with TOS equal to T1 and PC equal to43; when B receives the packet, it sets the highest PC value associated withTOS T1 to 43. If an attacker were now to send an exact copy of P1 butwith TOS equal to T2, B would consult the highest PC value associated withT2, which is still equal to 42, and accept the replayed packet.¶
Window-based verification is similar to what is described inSection 3.4.3 of [RFC4303]. When using window-based verification,in addition to retaining within its neighbour table the highest PC valuePCh seen from every neighbour, an implementation maintains a fixed-sizewindow of booleans corresponding to PC values directly below PCh. Moreprecisely, the (Index, PC) pair contained in the neighbour table (Section 3.2 of [RFC8967]) is replaced by:¶
The window is a vector of S boolean values numbered from 0 (the "leftedge" of the window) up to S-1 (the "right edge"); the boolean associatedwith the index i indicates whether a packet with a PC value of (PCh - (S-1) + i)has been seen before. Shifting the window to the left by an integeramount k is defined as moving all values so that the value previously atindex n is now at index (n - k); k values are discarded at the left edge,and k new unset values are inserted at the right edge.¶
Whenever a packet is received, the receiver computes its indexi = (PC - PCh + S - 1). It then proceeds as follows:¶
When receiving a successful Challenge Reply, the remembered highest PCvalue PChMUST be set to the value received in the Challenge Reply, andall of the values in the windowMUST be reset except the value at indexS - 1, whichMUST be set.¶
The two techniques described above serve complementary purposes:¶
Thus, they can profitably be combined.¶
An implementation that uses both techniquesMUST maintain, for everyentry of the neighbour table, two distinct windows, one for multicast andone for unicast packets. When a successful Challenge Reply is received,both windowsMUST be reset. When a packet that does not containa Challenge Reply is received, if the packet's destination address isa multicast address, the multicast windowMUST be consulted and possiblyupdated, as described inSection 3.2. Otherwise, the unicastwindowMUST be consulted and possibly updated.¶
The procedures described in this document do not change the securityproperties described inSection 1.2 of [RFC8967]. In particular, the choice between the multicast and theunicast packet counter is made by examining a packet's destination IP address,which is included in the pseudo-header and therefore participates in MACcomputation. Hence, an attacker cannot change the destination address withoutinvalidating the MAC, and therefore cannot replay a unicast packet as amulticast one or vice versa.¶
While these procedures do slightly increase the amount of per-neighbourstate maintained by each node, this increase is marginal (between 4 and 36octets per neighbour, depending on implementation choices), and should notsignificantly impact the ability of nodes to survive denial-of-serviceattacks.¶
This document has no IANA actions.¶
The authors are greatly indebted toDaniel Gröber,who first identified the problem that this document aims to solve and firstsuggested the solution described inSection 3.1.¶