> > Since that revision has Boolean (true/false) parameters of
> > babel-key-use-sign and babel-key-use-verify (but not key-use with
> > values of sign/verify/both), I did want to be sure we were talking
> > about the right model revision.
>
> The second part of my inquiry -- how does the information model enable
> incremental deployment? Section 5 of draft-ietf-babel-mac.

Incremental deployment is enabled through the interfaces object babel-mac-verify parameter. Set this parameter to false until all routers have key(s). Then set to true.

> > Toke, it would be helpful if we could understand what key-use is intended
> > for. My personal opinion right now is that we should:
> >
> > - remove key-use from the draft;
> >
> > - add a per-interface configuration "allow-unauthentified", which, if set,
> > causes all packets received on that interface to be accepted, whether
> > signed, unsigned, or incorrectly signed.
> >
> > Incremental deployment is an important feature, and I think that we need to
> > make really sure that the information model allows it.

The key-use-sign and key-use-verify are only peripherally involved in incremental deployment and key rotation -- you need to have at least one key with key-use-verify=true and key-use-sign=true.

The common case when incrementally deploying will be to provide a single key with valid and sign = true and all interfaces' babel-mac-verify = false. Once all routers have the key, set babel-mac-verify to true in all routers.

When rotating, the common case will be to provide an additional key with valid and sign = true. Once the new key is in all routers, delete the old one.

I don't think an additional per-interface parameter is needed. I think babel-mac-verify should be fine.

If the group wants to remove the key-use parameters and only support symmetrical keying, I have no objection. We could also make those parameters optional-to-implement (square brackets), with the expectation that an implementation wouldn't implement them if it only supports symmetric keying.

Barbara

_______________________________________________
Babel-users mailing list
Babel-users@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
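The deployment and rotation sequence Barbara describes (key installed everywhere while babel-mac-verify is false, verify switched on, then a second key added before the first is removed) can be walked through with a small model. The following is an added illustration, not code from the Babel information model draft, babeld, or anyone on this thread. It assumes a per-router `mac_verify` flag standing in for the per-interface babel-mac-verify parameter, per-key `use_sign`/`use_verify` flags standing in for babel-key-use-sign and babel-key-use-verify, and HMAC-SHA256 over the raw payload as a simplified stand-in for the real Babel MAC computation (no packet counter, nonce, or challenge handling). Key material and payloads are constructed for the example.

```python
"""Toy walk-through of incremental MAC deployment and key rotation (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class MacKey:
    secret: bytes
    use_sign: bool = True     # stands in for babel-key-use-sign
    use_verify: bool = True   # stands in for babel-key-use-verify


@dataclass
class Router:
    name: str
    keys: dict = field(default_factory=dict)   # key name -> MacKey
    mac_verify: bool = False                    # stands in for babel-mac-verify (one interface assumed)

    def send(self, payload: bytes):
        """Return (payload, list of MACs): one MAC per key that is allowed to sign."""
        macs = [hmac.new(k.secret, payload, hashlib.sha256).digest()
                for k in self.keys.values() if k.use_sign]
        return payload, macs

    def accept(self, packet) -> bool:
        """With verification off, everything is accepted (the incremental-deployment phase).
        With it on, at least one attached MAC must match a key allowed to verify."""
        payload, macs = packet
        if not self.mac_verify:
            return True
        for k in self.keys.values():
            if not k.use_verify:
                continue
            expected = hmac.new(k.secret, payload, hashlib.sha256).digest()
            if any(hmac.compare_digest(expected, m) for m in macs):
                return True
        return False


KEY1 = b"constructed-key-1"   # constructed sample secret
KEY2 = b"constructed-key-2"   # constructed sample secret
PAYLOAD = b"update tlv bytes"  # constructed sample payload


def exchange(a: Router, b: Router):
    """(does a accept b's packet?, does b accept a's packet?)"""
    return a.accept(b.send(PAYLOAD)), b.accept(a.send(PAYLOAD))


def rollout() -> dict:
    """Run the phases from the thread and record what each side accepts."""
    results = {}
    r1, r2 = Router("r1"), Router("r2")

    # Phase a: only r1 has the key, verification off everywhere -> nothing is dropped.
    r1.keys["k1"] = MacKey(KEY1)
    results["a_key_on_r1_only_verify_off"] = exchange(r1, r2)

    # Phase b: every router has the key, now switch babel-mac-verify on.
    r2.keys["k1"] = MacKey(KEY1)
    r1.mac_verify = r2.mac_verify = True
    results["b_all_keyed_verify_on"] = exchange(r1, r2)

    # Phase c: a router that never got a key sends unsigned packets after verify is on -> rejected.
    r3 = Router("r3")
    results["c_unkeyed_sender_rejected"] = r1.accept(r3.send(PAYLOAD))

    # Phase d: rotation begins, k2 is added on r1 only; r1 signs with both keys,
    # so r2 (still k1-only) keeps accepting, and r1 still verifies r2 with k1.
    r1.keys["k2"] = MacKey(KEY2)
    results["d_new_key_on_r1_only"] = exchange(r1, r2)

    # Phase e: the failure mode to avoid -- deleting k1 from r1 before r2 has k2.
    del r1.keys["k1"]
    results["e_old_key_deleted_too_early"] = exchange(r1, r2)

    # Phase f: r2 gets k2 and drops k1; both sides share only k2 -> rotation complete.
    r2.keys["k2"] = MacKey(KEY2)
    del r2.keys["k1"]
    results["f_rotation_complete"] = exchange(r1, r2)
    return results


if __name__ == "__main__":
    for phase, outcome in rollout().items():
        print(f"{phase}: {outcome}")
```

Phase e is the one worth watching in an operational rollout: the model does not stop an operator from removing the old key before every peer holds the new one, so the ordering in the thread (add everywhere, then delete) is what keeps adjacencies up.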