Hello, i've been working on an extension to the babel protocol to authenticate updates using RSA. It's mostly an academic excercise and i have planned the first functional versions in a month or so.
The main idea is to make that a *central entity* generates a set of encrypted tokens using a RSA *private key*. The set of tokens is unique to every node on the network and every node receives it's unique set of tokens, a network prefix and the *public key* from the central entity. Every decrypted token has the form: <network_prefix>_<randomnumber> example: 80.0.2.0/24_48003818 80.0.2.0/24_41106879 I was planning to use encrypted tokens of 512 octets. Every node must send a token from it's unique set of tokens on every route update. When a node receives an update, it tries to decrypt the token using the *public key* of the central entity and checks if the decrypted token contains the network prefix being advertised. If so, the update is taken, if not it is ignored. So I came to define a new TLV named lorauth 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=29 | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Clen | Cipher... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Clen: Length of encrypted token Cipher: Encrypted Token But as the Cipher length is 512 it needs 2 octets in _Length_, so here the questions: * If I use 2 octets will this extension be compatible with other extensions according to rfc - 7557 ? * I'm guessing it take lots of extra work to every node by decrypting on every update, but a node may be less restrictive and only *prefer* updates authenticated this way, than common updates. Can you think of better ideas to reduce the need of decrypting? * What general idea you have about this authentication mechanism? == Implementation questions == I'm a C beginner and started a fork on https://git.laotrared.net/LaOtraRed-dev/babeld-lor * I'm aiming to add two fields to the _source table_ unsigned short clen; unsigned char cipher[513]; Can you point some functions that I have to modify to make the autentication mechanism work? * I've seen the struct xroute on xroute.h , I still don't get the idea of this struct and whether or not it is mandatory to add the fields; clen , cipher there. Thanks in advance for any comments :) _______________________________________________ Babel-users mailing list Babel-users@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users