To: Linux-HA mailing list <linux-ha@muc.de>, Mike Wangsmo <wanger@redhat.com> Date: Tue, 31 Aug 1999 23:27:00 -0600 From: Alan Robertson <alanr@bell-labs.com> Subject: Cluster packet authentication Hi, Neal McBurnett, Mitja Sarp and I have had an off-the-list chat about packet authentication for heartbeat. Neal provided a great security perspective. We've come to a conclusion which we like quite a bit. Please look over this proposal for holes from a security perspective, as well as from an HA perspective. This text below is taken from some of the emails, and I think it is an accurate representation of our thinking. Good ideas are Neal's and Mitja's. All errors are mine. Changes to ha.cf: Add a new directive that says "keyfile keyfilename" which would identify the file containing the signature methods in it. Add a new directive called "auth" which specifies which authentication method(s) in the keyfile to authenticate packets with. The keyfile would contain lines like these: 2 crc 3 HMAC-SHA1 abracadabra This key file would permit packets to be authenticated by either CRC (insecure) or HMAC-SHA1 (secure) methods using the given key. To specify that the current machine was to only authenticate it's packets with HMAC-SHA1, one would specify "auth 3" in the config file. If you wanted to send them with BOTH crc and HMAC-SHA1 authentication methods it would be legal to say "auth 2 3". To change from an old key of "abracadabra" to one of "xyzzy", you would put this in your key files: 3 HMAC-SHA1 abracadabra 4 HMAC-SHA1 xyzzy This means you would accept packets authenticated with either method 3 ("auth 3") or 4 ("auth 4"). Once the new keyfiles were distributed, then you could change the ha.cf files on the machines from saying "auth 3" to "auth 4" gracefully, and everyone would be happy all along the way. When you finally want to repudiate the old key, you can replace the key file with this one: 4 HMAC-SHA1 xyzzy At this point, packets authenticated using "abracadabra" would be rejected. On the wire, packets would only have auth-type numbers followed by authentication tokens on them, so that the type of authentication methods selected would not be broadcast in an obvious way with every packet. This both shortens the packets, and avoids giving an adversary with a sniffer any unnecessary information. This method is similar to what NTP uses to deal with a very similar problem. The nice thing about this is that those on physically secure networks can just use CRCs or MD5s if they wish. Those on insecure networks can use shared secret authentication, or whatever new authentication method comes up in the future. Please examine this critically! Thanks again to Neal and Mitja! -- Alan Robertson alanr@bell-labs.com ------------------------------------------------------------------------------ Linux HA Web Site: http://www.henge.com/~alanr/ha/ Linux HA HOWTO: http://metalab.unc.edu/pub/Linux/ALPHA/linux-ha/High-Availability-HOWTO.html ------------------------------------------------------------------------------