MAC Authentication for the Babel Routing Protocol
draft-ietf-babel-hmac-12

[Ballot comment]
[[ comments ]]

[ section 4.3 ]

* s/worthwile/worthwhile/

[ section 5 ]

* Is another option for implementations to be in a mode where:

    - they send authenticated packets
    - they attempt to authenticate packets received
    - if a packet does not authenticate is it still accepted
    - if a packet does authenticate then the neighbor entry is updated
      to note that all future communications with that neighbor must be
      use authentication (and any unauthenticated packets from this neighbor
      are dropped and maybe logged)?

[ section 7 ]

* s/an administators/an administrator's/, I think

[Ballot comment]
Nits:

- sec 4.3.1.1 please clarify if the challenge request 300ms limit is per neighbor or per sending node (4.3.1.2 says per neighbor for challenge reply; I suspect it’s the same?)

- sec 7. “...this sort of resource attacks less effective...” s/attacks/attack”

[Ballot comment]
Thanks for addressing my discuss and sorry for my late reaction (this somehow slipped through given the on-going discussion on draft-ietf-babel-rfc6126bis)!

OLD COMMENT (for the record):

The shepherd write-up says: "This document updates the rfc6126bis draft as noted on the title page
and in the Abstract." However, that seems not to be the case...?

This brings me to a separate question I would like to ask: Why is this an extension in a separate document and not an (optional) part of rfc6126bis?

[Ballot comment]
Thank you for addressing my Discuss (and Comment) points!

One further note on the added text: I think that there is only mixed consensus
that PBKDF2 remains an algorithm that effectively hampers dictionary attacks,
since it's parallelizable and not memory-hard, but I don't object to listing it here.

[Ballot discuss]
Are the HMAC keys required to be the hash function's block size or its
output size?  Section 3.1 says just "the length of each key is exactly
the hash size of the associated HMAC algorithm", and "hash size"
conventionally refers to the output length.  The referenced Section 2 of
RFC 2104 concerns itself with the hash's compression function's block
size B, which is generally different.

Also in Section 3.1, if we are going to claim that a "random string of
sufficient length" suffices to initialize a fresh index, we need to
provide guidance on what constitutes "sufficient length" to achieve the
needed property.

Blake2s is a keyed MAC, but is not an HMAC construction.  If we are to
allow its usage for providing integrity protection of babel packets
directly, we therefore cannot refer to the preotection scheme as "HMAC"
generically.  Fixing this will, unfortunately, be somewhat invasive to
the document, since we mention HMAC all over the place.  I believe that
"Keyed Message Authentication Code (Keyed MAC)" is an appropriate
replacement description.

The suggestion that the large challenge nonce size admits storage of
state in a secure "cookie" in the nonce is true, however, implementing
this properly presents some subtleties, and it seems like something of
an attractive nuisance to suggest that it is possible without giving
adequate guidance at how to do it safely.  Unfortunately, the best
reference I can think of, offhand, is the obsoleted RFC 5077.

Let's also have a discussion about whether 64 bits of randomness is
always sufficient; I left a longer note down in the Comment since I
don't expect this to end up being a blocking point.

[Ballot comment]
Thanks for the clear introduction and applicability statement; they
really help to lay out a clear picture of the scenarios in which we
operate!

This is a symmetric-keyed scenario, so most attacks that involve a
compromised node will be "uninteresting", in that once the key is
exposed all guarantees are lost.  However, it may still be worth noting
that a compromised node can cause disruption on multi-access links
without detection since there is no "end of generation" signal when a
node changes its index.  That is, if node B reboots or otherwise resets
its index/pc, then compromised node C can spoof packets from B with the
previous index and honest node A will accept them, and B will be unable
to detect that it has been spoofed.  On the flip side, we may want to
discuss that B can watch for messages that spoof its source address to
detect compromised nodes.

Is there any need for initial PC value randomization?  Do we want to
recommend starting at 0 or 1 (or prohibit recipients from assuming
that the initial value for an index will be that)?

Section 1

"This document obsoletes RFC 7298" should be in the Introduction as well
as the abstract.

Is the capability for an attacker to modify/spoof Babel packets in
order to cause data to get dropped or cause a routing loop worth
mentioning here?

Section 1.2

  o  that the Hashed Message Authentication Code (HMAC) being used is
      invulnerable to pre-image attacks, i.e., that an attacker is
      unable to generate a packet with a correct HMAC;

I think it's more conventional to include the caveat "without [access
to/knowledge of] the secret key" for this sort of statement about HMAC.

  The first assumption is a property of the HMAC being used.  The
  second assumption can be met either by using a robust random number
  generator [RFC4086] and sufficiently large indices and nonces, by
  using a reliable hardware clock, or by rekeying whenever a collision
  becomes likely.

Does this rekeying option require an external operation/management actor
to trigger it?  It might be worth mentioning with some operational
considerations.

  o  among different nodes, it is only vulnerable to immediate replay:
      if a node A has accepted a packet from C as valid, then a node B
      will only accept a copy of that packet as authentic if B has
      accepted an older packet from C and B has received no later packet
      from C.

nit: I don't think "A has accepted a packet from C" is quite the right
precondition; it seems to be more like "A has received a valid packet
from C", since whether or not A (as an attacker) considers it valid is
irrelevant to whether (honest) B will.

Section 4.1

If we had identifiers for symmetric keys or HMAC algorithms, we could
include those identifiers in the pseudo-header and thereby gain some
protection from downgrade/HMAC-stripping attacks in the presence of a
weak keyed MAC algorithm.  (I think we have to include both what we are
sending and what we think the peer can do in order to get substantial
protection, though, which diminishes the appeal for multicast
scenarios.)

nit: I don't think the past tense is correct for "packet was carried
over IPvN", since we're talking about a pseudo-header used in
computations before the packet is sent.

Section 4.2

It might be worth reiterating that every time a packet goes on the wire,
it gets a fresh PC, regardless of whether it's a "retransmit" after a
timeout or a new message.

  interface MTU (Section 4 of [RFC6126bis]).  For an interface on which
  HMAC protection is configured, the TLV aggregation logic MUST take
  into account the overhead due to PC TLVs (one in each packet) and
  HMAC TLVs (one per configured key).

(per configured key, and also per packet, right?)

Does it matter whether the sender increments the PC before or after
inserting it in the PC TLV?  (I think the only potential impact would be
as it relates to the value sent in response to a challenge nonce, but
the "increment by a positive not-necessarily-one amount" property may
provide all the flexibility we need.)

Section 4.3

Validating the HMACs is the sort of operation that we tend to recommend
be done in constnt-time to avoid side channel attacks.  I don't have a
concrete attack handy here at the moment, though.

      When a PC TLV is encountered, the enclosed PC and Index are saved
      for later processing; if multiple PCs are found (which should not
      happen, see Section 4.2 above), only the first one is processed,
      the remaining ones MUST be silently ignored.  If a Challenge

Any reason to not just drop the whole packet if there are multiple PCs
present?  I see this is not rfc7298bis but don't know what level of
breaking change is reasonable.

  o  The preparse phase above has yielded two pieces of data: the PC
      and Index from the first PC TLV, and a bit indicating whether the
      packet contains a successful Challenge Reply.  If the packet does
      not contain a PC TLV, the packet MUST be dropped and processing
      stops at this point.  If the packet contains a successful
      Challenge Reply, then the PC and Index contained in the PC TLV
      MUST be stored in the Neighbour Table entry corresponding to the
      sender (which already exists in this case), and the packet is
      accepted.

I'd suggest explicitly stating that if there is a challenge reply that
doesn't validate, the packet should be discarded.  Or are there
multicast scenarios where that is not the case? The key point being to
emphasize that just the presence of a challenge reply doesn't mean
anything, it has to be valid in order to have significance.

  o  At this stage, the packet contains no successful challenge reply
      and the Index contained in the PC TLV is equal to the Index in the
      Neighbour Table entry corresponding to the sender.  The receiver
      compares the received PC with the PC contained in the Neighbour
      Table; if the received PC is smaller or equal than the PC
      contained in the Neighbour Table, the packet MUST be dropped and
      processing stops (no challenge is sent in this case, since the
      mismatch might be caused by harmless packet reordering on the
      link).  Otherwise, the PC contained in the Neighbour Table entry
      is set to the received PC, and the packet is accepted.

Does this mean that if packet reordering is encountered, we will just
not process packets that get reordered later?  (AFAIK babel will still
work fine in such conditions, so I'm just checking my understanding.)

  it MAY ignore a challenge request in the case where it it contained

nit: s/it it/it is/

  The same is true of challenge replies.  However, since validating a
  challenge reply is extremely cheap (it's just a bitwise comparison of
  two strings of octets), a similar optimisation for challenge replies
  is not worthwile.

Er, challenge reply validation still requires the HMAC validation step,
right?

Section 4.3.1.1

  When it encounters a mismatched Index during the preparse phase, a
  node picks a nonce that it has never used with any of the keys
  currently configured on the relevant interface, for example by
  drawing a sufficiently large random string of bytes or by consulting

(same comment as above about "sufficiently large")

Section 4.3.1.2

  buffered TLVs in the same packet as the Challenge Reply.  However, it
  MUST arrange for the Challenge Reply to be sent in a timely manner
  (within a few seconds), and SHOULD NOT send any other packets over
  the same interface before sending the Challenge Reply, as those would
  be dropped by the challenger.

I think this "SHOULD NOT" (or rather, "would be dropped by the
challenger") is predicated on the challenge request having not been a
replay, but I do not see anything requiring the recipient to do nonce
uniqueness validation.

Section 4.3.1.3

  neighbour that sent the Challenge Reply.  If no challenge is in
  progress, i.e., if there is no Nonce stored in the Neighbour
  Table entry or the Challenge timer has expired, the Challenge Reply
  MUST be silently ignored and the challenge has failed.

I think "the challenge has failed" is predicated on the challenge reply
being in response to a challenge sent by this node.  The previous
section's "send the Challenge Reply to the unicast address" seems to
imply that there are no multicast scenarios which would make that not
the case, but I just wanted to check my understanding.

Section 5

Do we need to say whether sub-TLVs are allowed in any of these TLVs?
(Presumably they are not, since the length is needed in order to
identify the length of the variable-length fields, but being explicit
can be useful.)

Section 5.1

  This [HMAC] TLV is allowed in the packet trailer (see Section 4.2 of
  [RFC6126bis]), and MUST be ignored if it is found in the packet body.

side note: Using "MUST ignore" vs. "discard the packet" has some
protocol evolution consequences -- it in practice then becomes an
alternative padding technique for use in packet bodies, and if ever used
as such then could lead to a way to fingerprint an implementation or be
used as a hidden channel for sending other data.  But, I see that
ignoring at the TLV level is something of a core babel design choice,
and I don't see any serious consequences that would merit revisiting
that decision.

Section 6

  This mechanism relies on two assumptions, as described in
  Section 1.2.  First, it assumes that the hash being used is

s/hash/MAC/

  enough entropy (64-bit values are believed to be large enough for all
  practical applications), or by using a reliably monotonic hardware

It would require a bit more thought to convince me that 64-bit indices
are sufficient for *all* cases.  Specifically, if we want full 64-bit
strength, then the 64-bit space cannot be controlled or affected by the
attacker to cause collisions.  But I think there will be a reasonable
risk that an attacker can cause a given node to need to regenerate its
index on demand (e.g,. but triggering a bug that crashes it, or power
cycling it), at which point the random selection falls back to the
32-bit birthday bound on uniqueness over time.  Granted, the
consequences of that particular attack would be limited, as the attacker
could only replay the limited number of packets sent using the colliding
index the first time it was used, but this is only intended as an
example of ways in which 64-bit random values can be degraded to 32 bits
of security.

  present at the receiver.  If the attacker is able to cause the
  (Index, PC) pair to persist for arbitrary amounts of time (e.g., by
  repeatedly causing failed challenges), then it is able to delay the
  packet by arbitrary amounts of time, even after the sender has left
  the network.

I'd suggest adding another sentence describing the potential
consequences of selectively delayed input (i.e., messing up the
routing).

  protocol (the data structures described in Section 3.2 of
  [RFC6126bis] are conceptual, any data structure that yields the same
  result may be used).  Implementers might also consider using the fact

nit: that's a comma splice in the parenthetical; a semicolon would be better.

[Ballot discuss]
A few minor clarifications needed for implementation/precision in the security claims:

(1) Section 1.2.  Per “any packet accepted as authentic is the exactly copy of a packet originally sent”, this text can be read two ways – packet as Babel packet or as an IP packet.  I think  mean the former.  Recommend making this clearer as s/any packet/any Babel packet/

(2) Section 2, Per the paragraph, “By itself, this mechanism is safe against replay …”, please reiterate that for the attack by C to work: A and B must have both lost state; that C is replaying packets with PC previously sent by B (e.g., n+2).

(3) Section 4.1.  Per “The node takes the concatenation of the pseudo-header and the packet including the packet header but excluding the packet trailer (from
octet 0 inclusive up to (Body Length + 4) exclusive)”, as input for the HMAC.  “packet” is used to sometimes mean IP packet and sometimes a Babel packet carried in an IP packet.  As such, the above sentence could be interpretation as:

Option #1: HMAC(pseudo-header + the IP header + Babel packet header + Babel packet body)

Option #2: HMAC(pseudo-header + Babel packet header + Babel packet body)

I believe it is option #2.  Please be very clear in this text.

Other items:

(4) Section 2.  This section suggests that “one or more HMACs can be appended to the packet”.  Under what conditions would it be more than one?  What happens if only some of the HMACs are valid?  Is use of the same key assumed?

(5) Section 4.1.  The hash algorithm appears to be negotiated/set out of band (rather than negotiated). The text should explicitly state that somewhere.

(6) Section 6.  Per “In particular, reception of a packet with no correct HMAC creates no local state  whatsoever  (Section 4.3)”, unless this HMAC verification is happening on the NIC, this doesn’t seem sufficiently precise.  The “no local state” claim is likely true only as it relates to the tables data structures describes in Section 3.  However, the IP and DTLS stack certainly have to account for the packet.

[Ballot discuss]
A few minor clarifications needed for implementation/precision in the security claims:

(1) Section 1.2.  Per “any packet accepted as authentic is the exactly copy of a packet originally sent”, this text can be read two ways – packet as Babel packet or as an IP packet.  I think  mean the former.  Recommend making this clearer as s/any packet/any Babel packet/

(2) Section 2, Per the paragraph, “By itself, this mechanism is safe against replay …”, please reiterate that for the attack by C to work: A and B must have both lost state; that C is replaying packets with PC previously sent by B (e.g., n+2).

(3) Section 4.1.  Per “The node takes the concatenation of the pseudo-header and the packet including the packet header but excluding the packet trailer (from
octet 0 inclusive up to (Body Length + 4) exclusive)”, as input for the HMAC.  “packet” is used to sometimes mean IP packet and sometimes a Babel packet carried in an IP packet.  As such, the above sentence could be interpretation as:

Option #1: HMAC(pseudo-header + the IP header + Babel packet header + Babel packet body – Babel trailer)

Option #2: HMAC(pseudo-header + Babel packet header + Babel packet body)

I believe it is option #2.  Please be very clear in this text.

Other items:

(4) Section 2.  This section suggests that “one or more HMACs can be appended to the packet”.  Under what conditions would it be more than one?  What happens if only some of the HMACs are valid?  Is use of the same key assumed?

(5) Section 4.1.  The hash algorithm appears to be negotiated/set out of band (rather than negotiated). The text should explicitly state that somewhere.

(6) Section 6.  Per “In particular, reception of a packet with no correct HMAC creates no local state  whatsoever  (Section 4.3)”, unless this HMAC verification is happening on the NIC, this doesn’t seem sufficiently precise.  The “no local state” claim is likely true only as it relates to the tables data structures describes in Section 3.  However, the IP and DTLS stack certainly have to account for the packet.

[Ballot comment]
(7) Section 1 enumerates a series of attacks.  These are different than the ones listed in Section 6 of draft-ietf-babel-rfc6126bis and Section 1 of draft-ietf-babel-dtls.  As HMAC and DTLS are mitigations for attacks in draft-ietf-babel-rfc6126bis, they really should be harmonized.

(8) Section 1.  Per the “spoof of a malformed packet”, how would an HMAC address this?  Even assuming that a node discards the message without processing if the HMAC is bad, this would still be a problem from a malicious peer.

(9) Editorial nits:
-- Section 1.  “seqno” is commonly used in Babel text but it needs to be cited of explained here on for used -- s/seqno/sequence number/

-- Section 1.2.  Editorial. s/serious effort/effort/

-- Section 3.1. Typo.  s/authentified/authenticated/

-- Section 5.3.  Typo.  s/minumum/minimum/

[Ballot discuss]
I would like to quickly discuss the following approach taken in section 4.3.1.1:
  "Since a challenge may be prompted by a packet replayed by an
  attacker, a node MUST impose a rate limitation to the challenges it
  sends; the limit SHOULD default to one challenge request every 300ms,
  and MAY be configurable."
While it is important to limit challenge messages here, there might be a better approach than static rate-limiting given this is a request-response mechanism. Usually the approach is to only allow for one outstanding request (without reply) and apply some kind of loss detect/termination rule. In your case the easiest approach would be when the 30 sec timer is expired, or if the RTT is known (or can be estimated) then a value of e.g. 3xRTT could be appropriate as well. Please consider this alternative approach. Maybe also see RFC8085 for further guidance.

Further Appendix A (Incremental deployment and key rotation) contains normative language and therefore should probably be moved into the body of the document.

[Ballot discuss]
I would like to quickly discuss the following approach taken in section 4.3.1.1:
  "Since a challenge may be prompted by a packet replayed by an
  attacker, a node MUST impose a rate limitation to the challenges it
  sends; the limit SHOULD default to one challenge request every 300ms,
  and MAY be configurable."
While it is important to limit challenge message here, there might be a better approach than static rate-limiting given this is a request-response mechanism. Usually the approach is to only allow for one outstanding request (without) reply and apply some kind of loss detect/termination rule. In your case the easiest approach would be when the 30 sec timer is expired, or if the RTT is know or can be estimated than a value of e.g. 3xRTT could be appropriate as well. Please consider this alternative approach. May also see RFC8085 for further guidance.

Further Appendix A (Incremental deployment and key rotation) contains normative language and therefore should probably be moved into the body of the document.

[Ballot comment]
The shepherd write-up says: "This document updates the rfc6126bis draft as noted on the title page
and in the Abstract." However, that seems not to be the case...?

This brings me to a separate question I would like to ask: Why is this an extension in a separate document and not an (optional) part of rfc6126bis?

[Ballot comment]

Thank you for the work put into this document. Using HMAC is usually simple but this document builds a lot of negotiation around HMAC.

Regards,

-éric

== COMMENTS ==

I am a little puzzled by why HMAC keys/mechanisms are not identified to facilitate the key rollover. The used mechanism appears a little heavy on the required computing effort to compute several HMAC.

-- Section 1 --

The text about attacks on the Babel routing protocol should be better placed in the security considerations of RFC7216bis.

== NITS ==

The DTLS document use the writing <"babel" port> while here it is .

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-babel-hmac-07. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there is a single action which we must complete.

In the Babel TLV Types registry on the Babel Routing Protocol registry page the four early registrations below will be made permanent and have their references changed to [ RFC-to-be ]:

Type Name
-----+------------------------
16 HMAC
17 PC
18 Challenge Request
19 Challenge Reply

The IANA Functions Operator understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist

The following Last Call announcement was sent out (ends 2019-07-04):

From: The IESG
To: IETF-Announce
CC: babel-chairs@ietf.org, babel@ietf.org, draft-ietf-babel-hmac@ietf.org, Donald Eastlake , d3e3e3@gmail.com, martin.vigoureux@nokia.com
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (HMAC authentication for the Babel routing protocol) to Proposed Standard


The IESG has received a request from the Babel routing protocol WG (babel) to
consider the following document: - 'HMAC authentication for the Babel routing
protocol'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2019-07-04. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  This document describes a cryptographic authentication mechanism for
  the Babel routing protocol that has provisions for replay avoidance.
  This document obsoletes RFC 7298.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-babel-hmac/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-babel-hmac/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc7693: The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC) (Informational - Independent Submission Editor stream)

draft-ietf-babel-hmac-04

(1) What type of RFC is being requested (BCP, Proposed Standard,
    Internet Standard, Informational, Experimental, or Historic)?

Proposed Standard.

(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement Write-Up.
    Recent examples can be found in the "Action" announcements for
    approved documents. The approval announcement contains the
    following sections:

  Technical Summary:

This document describes a cryptographic authentication mechanism for
the Babel routing protocol that has provisions for replay avoidance.
It utilizes HMAC based message authentication codes (MACs).

  Working Group Summary:

The Babel WG was principally Chartered to produce a Standards Track
version of the Babel protocol which was originally documented in
Experimental RFCs including the basic protocol in RFC 6126 and HMAC
based authentication in RFC 7298. In working on this transition,
rfc6126bis and rfc7298bis drafts were created; however, while the
first was adopted by the WG, the WG declined to adopt the rfc7298bis
draft and an alternative babel-hmac draft was created and adopted as
draft-ietf-babel-hmac. There has been extensive discussion of hmac
security and this draft on the list and a clear consensus to approve
it.

  Document Quality:

There are multiple implementations of this draft. The document has
received multiple reviews and is of high quality.

  Personnel:
    Document Shepherd: Donald Eastlake, 3rd
    Responsible Area Director: Martin Vigoureux

(3) Briefly describe the review of this document that was performed
    by the Document Shepherd.

There were two thorough Shepherd reviews of this draft. The first is at
https://mailarchive.ietf.org/arch/msg/babel/qnkQJ4NZwy8etciKg3Dy3j7jzbU
Later issues and the passage of time lead to a second Shepherd review
which is at
https://mailarchive.ietf.org/arch/msg/babel/pFx85t7Qqh3QvNxVPYtWYCLpFpE

(4) Does the document Shepherd have any concerns about the depth or
    breadth of the reviews that have been performed?

No.

(5) Do portions of the document need review from a particular or from
    broader perspective, e.g., security, operational complexity, AAA,
    DNS, DHCP, XML, or internationalization? If so, describe the
    review that took place.

This document has been reviewed by the Security Directorate here
https://mailarchive.ietf.org/arch/msg/babel/96q20dMbQW2JjCzrQkzSWVJfUbY
and the by Routing Directorate
https://mailarchive.ietf.org/arch/msg/babel/xwNOtwxNd58P5O17y5TksS1j2cA

(6) Describe any specific concerns or issues that the Document
    Shepherd has with this document that the Responsible Area
    Director and/or the IESG should be aware of? For example, perhaps
    he or she is uncomfortable with certain parts of the document, or
    has concerns whether there really is a need for it. In any event,
    if the WG has discussed those issues and has indicated that it
    still wishes to advance the document, detail those concerns here.

No special concerns.

(7) Has each author confirmed that any and all appropriate IPR
    disclosures required for full conformance with the provisions of
    BCP 78 and BCP 79 have already been filed.

Yes
https://mailarchive.ietf.org/arch/msg/babel/7RYF9M-ileRP2yAstcQhAaOChM4
https://mailarchive.ietf.org/arch/msg/babel/eHtPPGRhGLCZp-ALe6_tjkAITk8
https://mailarchive.ietf.org/arch/msg/babel/hMC8Jg-hwrhAjd7UQQ65zdYDLDU

(8) Has an IPR disclosure been filed that references this document?
    If so, summarize any WG discussion and conclusion regarding the
    IPR disclosures.

No IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it
    represent the strong concurrence of a few individuals, with
    others being silent, or does the WG as a whole understand and
    agree with it?

There was a solid consensus of the active WG participants.

(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarize the areas of conflict in
    separate email messages to the Responsible Area Director.

Yes, separate message has been sent.

(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the
    Internet-Drafts Checklist). Boilerplate checks are not enough;
    this check needs to be thorough.

See Shepherd reviews at point 3 above. After those, the Shepherd also
noticed that the Intended Status on the title page should be changed
to "Proposed Standard" from "Standards Track".

(12) Describe how the document meets any required formal review
    criteria, such as the MIB Doctor, media type, and URI type
    reviews.

No such specialized formal review required.

(13) Have all references within this document been identified as
    either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready
    for advancement or are otherwise in an unclear state? If such
    normative references exist, what is the plan for their
    completion?

No. However, there is a normative reference to
draft-ietf-babel-rfc6162bis.  That draft is in WG Last Call and
publication of it is expect to be requested within a few weeks.

(15) Are there downward normative references references (see RFC
    3967)? If so, list these downward references to support the Area
    Director in the Last Call procedure.

There are not 1, not 2, but 3 normative references in the document to
Informational RFCs. Specifically, to RFC 2104 "HMAC: Keyed-Hashing for
Message Authentication", RFC 6234 "US Secure Hash Algorithms (SHA and
SHA-based HMAC and HKDF)". and RFC 7693 "The BLAKE2 Cryptographic Hash
and Message Authentication Code (MAC)". These are all cryptographic
algorithm RFCs that are informational because they were not developed
within the IETF and are commonly used in IETF protocols.

(16) Will publication of this document change the status of any
    existing RFCs? Are those RFCs listed on the title page header,
    listed in the abstract, and discussed in the introduction?

This document updates the rfc6126bis draft as noted on the title page
and in the Abstract.

(17) Describe the Document Shepherd's review of the IANA
    considerations section, especially with regard to its consistency
    with the body of the document. Confirm that all protocol
    extensions that the document makes are associated with the
    appropriate reservations in IANA registries. Confirm that any
    referenced IANA registries have been clearly identified.

This document specifies 4 new Babel TLVs and properly documents that 4
types for these TLVs have been assigned by IANA.

(18) List any new IANA registries that require Expert Review for
    future allocations. Provide any public guidance that the IESG
    would find useful in selecting the IANA Experts for these new
    registries.

No new IANA registries created.

(19) Describe reviews and automated checks performed by the Document
    Shepherd to validate sections of the document written in a formal
    language, such as XML code, BNF rules, MIB definitions, etc.

No such formal language used in this document.

draft-ietf-babel-hmac-04

(1) What type of RFC is being requested (BCP, Proposed Standard,
    Internet Standard, Informational, Experimental, or Historic)?

Proposed Standard.

(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement Write-Up.
    Recent examples can be found in the "Action" announcements for
    approved documents. The approval announcement contains the
    following sections:

  Technical Summary:

This document describes a cryptographic authentication mechanism for
the Babel routing protocol that has provisions for replay avoidance.
It utilizes HMAC based message authentication codes (MACs).

  Working Group Summary:

The Babel WG was principally Chartered to produce a Standards Track
version of the Babel protocol which was originally documented in
Experimental RFCs including the basic protocol in RFC 6126 and HMAC
based authentication in RFC 7298. In working on this transition,
rfc6126bis and rfc7298bis drafts were created; however, while the
first was adopted by the WG, the WG declined to adopt the rfc7298bis
draft and an alternative babel-hmac draft was created and adopted as
draft-ietf-babel-hmac. There has been extensive discussion of hmac
security and this draft on the list and a clear consensus to approve
it.

  Document Quality:

There are multiple implementations of this draft. The document has
received multiple reviews and is of high quality.

  Personnel:
    Document Shepherd: Donald Eastlake, 3rd
    Responsible Area Director: Martin Vigoureux

(3) Briefly describe the review of this document that was performed
    by the Document Shepherd.

There were two thorough Shepherd reviews of this draft. The first is at
https://mailarchive.ietf.org/arch/msg/babel/qnkQJ4NZwy8etciKg3Dy3j7jzbU
Later issues and the passage of time lead to a second Shepherd review
which is at
https://mailarchive.ietf.org/arch/msg/babel/pFx85t7Qqh3QvNxVPYtWYCLpFpE

(4) Does the document Shepherd have any concerns about the depth or
    breadth of the reviews that have been performed?

No.

(5) Do portions of the document need review from a particular or from
    broader perspective, e.g., security, operational complexity, AAA,
    DNS, DHCP, XML, or internationalization? If so, describe the
    review that took place.

This document has been reviewed by the Security Directorate here
https://mailarchive.ietf.org/arch/msg/babel/96q20dMbQW2JjCzrQkzSWVJfUbY
and the by Routing Directorate
https://mailarchive.ietf.org/arch/msg/babel/xwNOtwxNd58P5O17y5TksS1j2cA

(6) Describe any specific concerns or issues that the Document
    Shepherd has with this document that the Responsible Area
    Director and/or the IESG should be aware of? For example, perhaps
    he or she is uncomfortable with certain parts of the document, or
    has concerns whether there really is a need for it. In any event,
    if the WG has discussed those issues and has indicated that it
    still wishes to advance the document, detail those concerns here.

No special concerns.

(7) Has each author confirmed that any and all appropriate IPR
    disclosures required for full conformance with the provisions of
    BCP 78 and BCP 79 have already been filed.

Yes
https://mailarchive.ietf.org/arch/msg/babel/7RYF9M-ileRP2yAstcQhAaOChM4
https://mailarchive.ietf.org/arch/msg/babel/eHtPPGRhGLCZp-ALe6_tjkAITk8
https://mailarchive.ietf.org/arch/msg/babel/hMC8Jg-hwrhAjd7UQQ65zdYDLDU

(8) Has an IPR disclosure been filed that references this document?
    If so, summarize any WG discussion and conclusion regarding the
    IPR disclosures.

No IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it
    represent the strong concurrence of a few individuals, with
    others being silent, or does the WG as a whole understand and
    agree with it?

There was a solid consensus of the active WG participants.

(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarize the areas of conflict in
    separate email messages to the Responsible Area Director.

Yes, separate message has been sent.

(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the
    Internet-Drafts Checklist). Boilerplate checks are not enough;
    this check needs to be thorough.

See Shepherd reviews at point 3 above. After those, the Shepherd also
noticed that the Intended Status on the title page should be changed
to "Proposed Standard" from "Standards Track".

(12) Describe how the document meets any required formal review
    criteria, such as the MIB Doctor, media type, and URI type
    reviews.

No such specialized formal review required.

(13) Have all references within this document been identified as
    either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready
    for advancement or are otherwise in an unclear state? If such
    normative references exist, what is the plan for their
    completion?

No. However, there is a normative reference to
draft-ietf-babel-rfc6162bis.  That draft is in WG Last Call and
publication of it is expect to be requested within a few weeks.

(15) Are there downward normative references references (see RFC
    3967)? If so, list these downward references to support the Area
    Director in the Last Call procedure.

There are not 1, not 2, but 3 normative references in the document to
Informational RFCs. Specifically, to RFC 2104 "HMAC: Keyed-Hashing for
Message Authentication", RFC 6234 "US Secure Hash Algorithms (SHA and
SHA-based HMAC and HKDF)". and RFC 7693 "The BLAKE2 Cryptographic Hash
and Message Authentication Code (MAC)". These are all cryptographic
algorithm RFCs that are informational because they were not developed
within the IETF and are commonly used in IETF protocols.

(16) Will publication of this document change the status of any
    existing RFCs? Are those RFCs listed on the title page header,
    listed in the abstract, and discussed in the introduction?

This document updates the rfc6126bis draft as noted on the title page
and in the Abstract.

(17) Describe the Document Shepherd's review of the IANA
    considerations section, especially with regard to its consistency
    with the body of the document. Confirm that all protocol
    extensions that the document makes are associated with the
    appropriate reservations in IANA registries. Confirm that any
    referenced IANA registries have been clearly identified.

This document specifies 4 new Babel TLVs and properly documents that 4
types for these TLVs have been assigned by IANA.

(18) List any new IANA registries that require Expert Review for
    future allocations. Provide any public guidance that the IESG
    would find useful in selecting the IANA Experts for these new
    registries.

No new IANA registries created.

(19) Describe reviews and automated checks performed by the Document
    Shepherd to validate sections of the document written in a formal
    language, such as XML code, BNF rules, MIB definitions, etc.

No such formal language used in this document.

draft-ietf-babel-hmac-04

(1) What type of RFC is being requested (BCP, Proposed Standard,
    Internet Standard, Informational, Experimental, or Historic)?

Proposed Standard as noted on the title page.

(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement Write-Up.
    Recent examples can be found in the "Action" announcements for
    approved documents. The approval announcement contains the
    following sections:

  Technical Summary:

This document describes a cryptographic authentication mechanism for
the Babel routing protocol that has provisions for replay avoidance.
It utilizes HMAC based message authentication codes (MACs).

  Working Group Summary:

The Babel WG was principally Chartered to produce a Standards Track
version of the Babel protocol which was originally documented in
Experimental RFCs including the basic protocol in RFC 6126 and HMAC
based authentication in RFC 7298. In working on this transition,
rfc6126bis and rfc7298bis drafts were created; however, while the
first was adopted by the WG, the WG declined to adopt the rfc7298bis
draft and an alternative babel-hmac draft was created and adopted as
draft-ietf-babel-hmac. There has been extensive discussion of hmac
security and this draft on the list and a clear consensus to approve
it.

  Document Quality:

There are multiple implementations of this draft. The document has
received multiple reviews and is of high quality.

  Personnel:
    Document Shepherd: Donald Eastlake, 3rd
    Responsible Area Director: Martin Vigoureux

(3) Briefly describe the review of this document that was performed
    by the Document Shepherd.

There were two thorough Shepherd reviews of this draft. The first is at
https://mailarchive.ietf.org/arch/msg/babel/qnkQJ4NZwy8etciKg3Dy3j7jzbU
Later issues and the passage of time lead to a second Shepherd review
which is at
https://mailarchive.ietf.org/arch/msg/babel/pFx85t7Qqh3QvNxVPYtWYCLpFpE

(4) Does the document Shepherd have any concerns about the depth or
    breadth of the reviews that have been performed?

No.

(5) Do portions of the document need review from a particular or from
    broader perspective, e.g., security, operational complexity, AAA,
    DNS, DHCP, XML, or internationalization? If so, describe the
    review that took place.

This document has been reviewed by the Security Directorate here
https://mailarchive.ietf.org/arch/msg/babel/96q20dMbQW2JjCzrQkzSWVJfUbY
and the by Routing Directorate
https://mailarchive.ietf.org/arch/msg/babel/xwNOtwxNd58P5O17y5TksS1j2cA

(6) Describe any specific concerns or issues that the Document
    Shepherd has with this document that the Responsible Area
    Director and/or the IESG should be aware of? For example, perhaps
    he or she is uncomfortable with certain parts of the document, or
    has concerns whether there really is a need for it. In any event,
    if the WG has discussed those issues and has indicated that it
    still wishes to advance the document, detail those concerns here.

No special concerns.

(7) Has each author confirmed that any and all appropriate IPR
    disclosures required for full conformance with the provisions of
    BCP 78 and BCP 79 have already been filed.

Yes
https://mailarchive.ietf.org/arch/msg/babel/7RYF9M-ileRP2yAstcQhAaOChM4
https://mailarchive.ietf.org/arch/msg/babel/eHtPPGRhGLCZp-ALe6_tjkAITk8
https://mailarchive.ietf.org/arch/msg/babel/hMC8Jg-hwrhAjd7UQQ65zdYDLDU

(8) Has an IPR disclosure been filed that references this document?
    If so, summarize any WG discussion and conclusion regarding the
    IPR disclosures.

No IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it
    represent the strong concurrence of a few individuals, with
    others being silent, or does the WG as a whole understand and
    agree with it?

There was a solid consensus of the active WG participants.

(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarize the areas of conflict in
    separate email messages to the Responsible Area Director.

Yes, separate message has been sent.

(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the
    Internet-Drafts Checklist). Boilerplate checks are not enough;
    this check needs to be thorough.

See Shepherd reviews at point 3 above. After those, the Shepherd also
noticed that the Intended Status on the title page should be changed
to "Proposed Standard" from "Standards Track".

(12) Describe how the document meets any required formal review
    criteria, such as the MIB Doctor, media type, and URI type
    reviews.

No such specialized formal review required.

(13) Have all references within this document been identified as
    either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready
    for advancement or are otherwise in an unclear state? If such
    normative references exist, what is the plan for their
    completion?

No. However, there is a normative reference to
draft-ietf-babel-rfc6162bis.  That draft is in WG Last Call and
publication of it is expect to be requested within a few weeks.

(15) Are there downward normative references references (see RFC
    3967)? If so, list these downward references to support the Area
    Director in the Last Call procedure.

There are not 1, not 2, but 3 normative references in the document to
Informational RFCs. Specifically, to RFC 2104 "HMAC: Keyed-Hashing for
Message Authentication", RFC 6234 "US Secure Hash Algorithms (SHA and
SHA-based HMAC and HKDF)". and RFC 7693 "The BLAKE2 Cryptographic Hash
and Message Authentication Code (MAC)". These are all cryptographic
algorithm RFCs that are informational because they were not developed
within the IETF and are commonly used in IETF protocols.

(16) Will publication of this document change the status of any
    existing RFCs? Are those RFCs listed on the title page header,
    listed in the abstract, and discussed in the introduction?

This document updates the rfc6126bis draft as noted on the title page
and in the Abstract.

(17) Describe the Document Shepherd's review of the IANA
    considerations section, especially with regard to its consistency
    with the body of the document. Confirm that all protocol
    extensions that the document makes are associated with the
    appropriate reservations in IANA registries. Confirm that any
    referenced IANA registries have been clearly identified.

This document specifies 4 new Babel TLVs and properly documents that 4
types for these TLVs have been assigned by IANA.

(18) List any new IANA registries that require Expert Review for
    future allocations. Provide any public guidance that the IESG
    would find useful in selecting the IANA Experts for these new
    registries.

No new IANA registries created.

(19) Describe reviews and automated checks performed by the Document
    Shepherd to validate sections of the document written in a formal
    language, such as XML code, BNF rules, MIB definitions, etc.

No such formal language used in this document.