![[LWN Logo]](/images/lwn.banner.gif)
To: Linux-HA mailing list <linux-ha@muc.de>, Mike Wangsmo <wanger@redhat.com>
Date: Tue, 31 Aug 1999 23:27:00 -0600
From: Alan Robertson <alanr@bell-labs.com>
Subject: Cluster packet authentication
Hi,
Neal McBurnett, Mitja Sarp and I have had an off-the-list chat about packet
authentication for heartbeat. Neal provided a great security perspective.
We've come to a conclusion which we like quite a bit. Please look over this
proposal for holes from a security perspective, as well as from an HA
perspective.
This text below is taken from some of the emails, and I think it is an accurate
representation of our thinking. Good ideas are Neal's and Mitja's. All errors
are mine.
Changes to ha.cf:
Add a new directive that says "keyfile keyfilename" which would identify the
file containing the signature methods in it. Add a new directive called "auth"
which specifies which authentication method(s) in the keyfile to authenticate
packets with.
The keyfile would contain lines like these:
2 crc
3 HMAC-SHA1 abracadabra
This key file would permit packets to be authenticated by either CRC (insecure)
or HMAC-SHA1 (secure) methods using the given key. To specify that the current
machine was to only authenticate it's packets with HMAC-SHA1, one would specify
"auth 3" in the config file. If you wanted to send them with BOTH crc and
HMAC-SHA1 authentication methods it would be legal to say "auth 2 3".
To change from an old key of "abracadabra" to one of "xyzzy", you would put this
in your key files:
3 HMAC-SHA1 abracadabra
4 HMAC-SHA1 xyzzy
This means you would accept packets authenticated with either method 3 ("auth
3") or 4 ("auth 4").
Once the new keyfiles were distributed, then you could change the ha.cf files on
the machines from saying "auth 3" to "auth 4" gracefully, and everyone would be
happy all along the way. When you finally want to repudiate the old key, you
can replace the key file with this one:
4 HMAC-SHA1 xyzzy
At this point, packets authenticated using "abracadabra" would be rejected.
On the wire, packets would only have auth-type numbers followed by
authentication tokens on them, so that the type of authentication methods
selected would not be broadcast in an obvious way with every packet. This both
shortens the packets, and avoids giving an adversary with a sniffer any
unnecessary information.
This method is similar to what NTP uses to deal with a very similar problem.
The nice thing about this is that those on physically secure networks can just
use CRCs or MD5s if they wish. Those on insecure networks can use shared secret
authentication, or whatever new authentication method comes up in the future.
Please examine this critically!
Thanks again to Neal and Mitja!
-- Alan Robertson
alanr@bell-labs.com
------------------------------------------------------------------------------
Linux HA Web Site:
http://www.henge.com/~alanr/ha/
Linux HA HOWTO:
http://metalab.unc.edu/pub/Linux/ALPHA/linux-ha/High-Availability-HOWTO.html
------------------------------------------------------------------------------