We will update the security on our re6st networks. Here are the next steps to do this. Please read https://re6st.nexedi.com/Re6st-Design-Document.Understanding.Re6st for more information on re6st.
Please note that you need to upgrade re6st to version 0.623 before we introduce HMAC on your network.
10/06/2024 09:00 GMT: Introduce HMAC on trial network
At this date, we will start to ask the re6st nodes of the trial network to cipher all their Babel packets. The nodes will still accept the unsigned packets so nothing should happen on the network (except all the nodes will restart their babeld process so you can expect a few packet drops for 30 seconds max).
Please note that all re6st nodes should be able to sign their packets since we asked to upgrade your re6st node before last October. Unfortunately, in order to accept non ciphered packets from other nodes, they need to be at least version 0.623 (released in Oct 2023). Due to this, your re6st node will crash if you are not on version 0.623+. You need to upgrade before this date.
30/06/2024 09:00 GMT: Eject nodes not using HMAC on trial network
At this date, we will tell all the nodes of the trial network to refuse non signed Babeld packets. This will improve the security on the network. Also, there won't be any risk of 2 re6st networks inadvertently share their routes.
This will only trigger a restart of the babeld process of all nodes so you should expect only few packet drops (only 30 seconds max).
09/09/2024 09:00 GMT: Introduce HMAC on production networks
At this date, we will start to ask the re6st nodes of the 2 production networks to cipher all their Babel packets. The nodes will still accept the unsigned packets so nothing should happen on the network (except all the nodes will restart their babeld process so you expect a few packet drops for less than 15 seconds).
Please note that all re6st nodes should be able to sign their packets since we asked to upgrade your re6st node before last October. Unfortunately, in order to accept non ciphered packets from other nodes, they need to be at least version 0.623 (released in Oct 2023). Due to this, your re6st node will crash if you are not on version 0.623+. You need to upgrade before this date.
28/10/2024 09:00 GMT: Eject nodes not using HMAC on production networks
At this date, we will tell all the nodes of the 2 production networks to refuse non signed Babeld packets. This will improve the security on the network. Also, there won't be any risk of 2 re6st networks inadvertently share their routes.
This will only trigger a restart of the babeld process of all nodes so you should expect only few packet drops (only 30 seconds max).