>> - we compute HMAC for each TLV, rather than just once for the whole
>> packet, which, again, makes us vulnerable to DoS;

> ugh.

Don't worry, it's an easy fix.

>> - we don't support key rotation.

> Sigh.

The data structures are designed so it'll be easy; the problem is designing an understandable user interface.

Given the following interface declaration:

    interface eth0 hmac key1

what does the following mean?

    interface eth0 hmac key2

Does it add key2 to the set of keys associated with eth0, or does it override the current value? I'm afraid that either will cause confusion.

I'm considering keeping the set of keys associated with an interface static, and allowing key rotation by redefining existing keys. So you'd say

    interface eth0 hmac key1 hmac key2
    key id key1 type sha256 value ...
    key id key2 type none

and do key rotation by saying

    key id key2 type sha256 value ...
    key id key1 type none

I'll look at Barbara's information model; there must be some insights there.

-- Juliusz

_______________________________________________
Babel-users mailing list
Babel-users@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users