new ts spec implementation

fix tests

control/config/drkey.go

@@ -31,6 +31,15 @@ const (
 	DefaultEpochDuration   = 24 * time.Hour
 	DefaultPrefetchEntries = 10000
 	EnvVarEpochDuration    = "SCION_TESTING_DRKEY_EPOCH_DURATION"
+	// DefaultAcceptanceWindowOffset is the time width for accepting incoming packets. The
+	// acceptance widown is then compute as:
+	// aw := [T-a, T+a)
+	// where aw:= acceptance window, T := time instant and a := acceptanceWindowOffset
+	//
+	// Picking the value equal or shorter than half of the drkey Grace Period ensures
+	// that we accept packets for active keys only.
+	DefaultAcceptanceWindowOffset = 2*time.Second + 500*time.Millisecond
+	EnvVarAccpetanceWindow        = "SCION_TESTING_ACCEPTANCE_WINDOW"
 )
 
 var _ (config.Config) = (*DRKeyConfig)(nil)

pkg/slayers/pkt_auth.go

@@ -21,9 +21,9 @@
 // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 // |                   Security Parameter Index                    |
 // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-// |    Algorithm  |                    Timestamp                  |
-// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-// |      RSV      |                  Sequence Number              |
+// |    Algorithm  |      RSV      |                               |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+							   |
+// |                   Timestamp / Sequence Number                 |
 // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 // |                                                               |
 // +                                                               +
@@ -52,17 +52,12 @@ const (
 	PacketAuthReceiverSide
 )
 
-const (
-	PacketAuthLater uint8 = iota
-	PacketAuthEarlier
-)
-
 const (
 	// PacketAuthOptionMetadataLen is the size of the SPAO Metadata and
 	// corresponds the minimum size of the SPAO OptData.
 	// The SPAO header contains the following fixed-length fields:
-	// SPI (4 Bytes), Algorithm (1 Byte), Timestamp (3 Bytes),
-	// RSV (1 Byte) and Sequence Number (3 Bytes).
+	// SPI (4 Bytes), Algorithm (1 Byte), RSV (1 Byte) and
+	// Timestamp / Sequence Number (6 Bytes).
 	PacketAuthOptionMetadataLen = 12
 )
 
@@ -72,26 +67,19 @@ const (
 type PacketAuthSPI uint32
 
 func (p PacketAuthSPI) Type() uint8 {
-	if p&(1<<18) == 0 {
+	if p&(1<<17) == 0 {
 		return PacketAuthASHost
 	}
 	return PacketAuthHostHost
 }
 
 func (p PacketAuthSPI) Direction() uint8 {
-	if p&(1<<17) == 0 {
+	if p&(1<<16) == 0 {
 		return PacketAuthSenderSide
 	}
 	return PacketAuthReceiverSide
 }
 
-func (p PacketAuthSPI) Epoch() uint8 {
-	if p&(1<<16) == 0 {
-		return PacketAuthLater
-	}
-	return PacketAuthEarlier
-}
-
 func (p PacketAuthSPI) DRKeyProto() uint16 {
 	return uint16(p)
 }
@@ -104,7 +92,6 @@ func MakePacketAuthSPIDRKey(
 	proto uint16,
 	drkeyType uint8,
 	dir uint8,
-	epoch uint8,
 ) (PacketAuthSPI, error) {
 
 	if proto < 1 {
@@ -116,12 +103,8 @@ func MakePacketAuthSPIDRKey(
 	if dir > 1 {
 		return 0, serrors.New("Invalid DRKeyDirection value")
 	}
-	if epoch > 1 {
-		return 0, serrors.New("Invalid DRKeyEpochType value")
-	}
-	spi := uint32((drkeyType & 0x1)) << 18
-	spi |= uint32((dir & 0x1)) << 17
-	spi |= uint32((epoch & 0x1)) << 16
+	spi := uint32((drkeyType & 0x1)) << 17
+	spi |= uint32((dir & 0x1)) << 16
 	spi |= uint32(proto)
 
 	return PacketAuthSPI(spi), nil
@@ -137,11 +120,10 @@ const (
 )
 
 type PacketAuthOptionParams struct {
-	SPI            PacketAuthSPI
-	Algorithm      PacketAuthAlg
-	Timestamp      uint32
-	SequenceNumber uint32
-	Auth           []byte
+	SPI         PacketAuthSPI
+	Algorithm   PacketAuthAlg
+	TimestampSN uint64
+	Auth        []byte
 }
 
 // PacketAuthOption wraps an EndToEndOption of OptTypeAuthenticator.
@@ -185,12 +167,9 @@ func (o PacketAuthOption) Reset(
 	p PacketAuthOptionParams,
 ) error {
 
-	if p.Timestamp >= (1 << 24) {
+	if p.TimestampSN >= (1 << 48) {
 		return serrors.New("Timestamp value should be smaller than 2^24")
 	}
-	if p.SequenceNumber >= (1 << 24) {
-		return serrors.New("Sequence number should be smaller than 2^24")
-	}
 
 	o.OptType = OptTypeAuthenticator
 
@@ -202,13 +181,10 @@ func (o PacketAuthOption) Reset(
 	}
 	binary.BigEndian.PutUint32(o.OptData[:4], uint32(p.SPI))
 	o.OptData[4] = byte(p.Algorithm)
-	o.OptData[5] = byte(p.Timestamp >> 16)
-	o.OptData[6] = byte(p.Timestamp >> 8)
-	o.OptData[7] = byte(p.Timestamp)
-	o.OptData[8] = byte(0)
-	o.OptData[9] = byte(p.SequenceNumber >> 16)
-	o.OptData[10] = byte(p.SequenceNumber >> 8)
-	o.OptData[11] = byte(p.SequenceNumber)
+	o.OptData[5] = byte(0)
+	o.OptData[6] = byte(p.TimestampSN >> 40)
+	o.OptData[7] = byte(p.TimestampSN >> 32)
+	binary.BigEndian.PutUint32(o.OptData[8:12], uint32(p.TimestampSN))
 	copy(o.OptData[12:], p.Auth)
 
 	o.OptAlign = [2]uint8{4, 2}
@@ -229,13 +205,8 @@ func (o PacketAuthOption) Algorithm() PacketAuthAlg {
 }
 
 // Timestamp returns the value set in the homonym field in the extension.
-func (o PacketAuthOption) Timestamp() uint32 {
-	return uint32(o.OptData[5])<<16 + uint32(o.OptData[6])<<8 + uint32(o.OptData[7])
-}
-
-// SequenceNumber returns the value set in the homonym field in the extension.
-func (o PacketAuthOption) SequenceNumber() uint32 {
-	return uint32(o.OptData[9])<<16 + uint32(o.OptData[10])<<8 + uint32(o.OptData[11])
+func (o PacketAuthOption) TimestampSN() uint64 {
+	return uint64(o.OptData[6])<<40 + uint64(o.OptData[7])<<32 + uint64(binary.BigEndian.Uint32(o.OptData[8:12]))
 }
 
 // Authenticator returns slice of the underlying auth buffer.

pkg/slayers/pkt_auth_test.go

@@ -27,17 +27,16 @@ import (
 
 var (
 	algo       = slayers.PacketAuthSHA1_AES_CBC
-	ts         = uint32(0x030201)
-	sn         = uint32(0x060504)
+	ts         = uint64(0x060504030201)
 	optAuthMAC = []byte("16byte_mac_foooo")
 )
 
 var rawE2EOptAuth = append(
 	[]byte{
 		0x11, 0x7, 0x2, 0x1c,
-		0x0, 0x2, 0x0, 0x1,
-		0x1, 0x3, 0x2, 0x1,
-		0x0, 0x6, 0x5, 0x4,
+		0x0, 0x1, 0x0, 0x1,
+		0x1, 0x0, 0x6, 0x5,
+		0x4, 0x3, 0x2, 0x1,
 	},
 	optAuthMAC...,
 )
@@ -47,8 +46,7 @@ func TestOptAuthenticatorSerialize(t *testing.T) {
 		name      string
 		spiFunc   func(t *testing.T) slayers.PacketAuthSPI
 		algo      slayers.PacketAuthAlg
-		ts        uint32
-		sn        uint32
+		ts        uint64
 		optAuth   []byte
 		errorFunc assert.ErrorAssertionFunc
 	}{
@@ -57,25 +55,16 @@ func TestOptAuthenticatorSerialize(t *testing.T) {
 			spiFunc:   initSPI,
 			algo:      algo,
 			ts:        ts,
-			sn:        sn,
 			optAuth:   optAuthMAC,
 			errorFunc: assert.NoError,
 		},
 		{
-			name:      "bad_ts",
-			spiFunc:   initSPI,
-			algo:      algo,
-			ts:        binary.LittleEndian.Uint32([]byte{0, 0, 0, 1}),
-			sn:        sn,
-			optAuth:   optAuthMAC,
-			errorFunc: assert.Error,
-		},
-		{
-			name:      "bad_sn",
-			spiFunc:   initSPI,
-			algo:      algo,
-			ts:        ts,
-			sn:        binary.LittleEndian.Uint32([]byte{0, 0, 0, 1}),
+			name:    "bad_ts",
+			spiFunc: initSPI,
+			algo:    algo,
+			ts: binary.LittleEndian.Uint64(
+				[]byte{0, 0, 0, 0, 0, 0, 0, 1},
+			),
 			optAuth:   optAuthMAC,
 			errorFunc: assert.Error,
 		},
@@ -84,11 +73,10 @@ func TestOptAuthenticatorSerialize(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 
 			spao, err := slayers.NewPacketAuthOption(slayers.PacketAuthOptionParams{
-				SPI:            c.spiFunc(t),
-				Algorithm:      c.algo,
-				Timestamp:      c.ts,
-				SequenceNumber: c.sn,
-				Auth:           c.optAuth,
+				SPI:         c.spiFunc(t),
+				Algorithm:   c.algo,
+				TimestampSN: c.ts,
+				Auth:        c.optAuth,
 			})
 			c.errorFunc(t, err)
 			if err != nil {
@@ -122,17 +110,15 @@ func TestOptAuthenticatorDeserialize(t *testing.T) {
 	assert.Equal(t, initSPI(t), auth.SPI(), "SPI")
 	assert.Equal(t, slayers.PacketAuthASHost, auth.SPI().Type())
 	assert.Equal(t, slayers.PacketAuthReceiverSide, auth.SPI().Direction())
-	assert.Equal(t, slayers.PacketAuthLater, auth.SPI().Epoch())
 	assert.Equal(t, true, auth.SPI().IsDRKey())
 	assert.Equal(t, algo, auth.Algorithm(), "Algorithm Type")
-	assert.Equal(t, ts, auth.Timestamp(), "Timestamp")
-	assert.Equal(t, sn, auth.SequenceNumber(), "Sequence Number")
+	assert.Equal(t, ts, auth.TimestampSN(), "TimestampSN")
 	assert.Equal(t, optAuthMAC, auth.Authenticator(), "Authenticator data (MAC)")
 }
 
 func TestMakePacketAuthSPIDrkey(t *testing.T) {
 	spi := initSPI(t)
-	assert.EqualValues(t, binary.BigEndian.Uint32([]byte{0, 2, 0, 1}), spi)
+	assert.EqualValues(t, binary.BigEndian.Uint32([]byte{0, 1, 0, 1}), spi)
 }
 
 func TestOptAuthenticatorDeserializeCorrupt(t *testing.T) {
@@ -159,8 +145,7 @@ func initSPI(t *testing.T) slayers.PacketAuthSPI {
 	spi, err := slayers.MakePacketAuthSPIDRKey(
 		1,
 		slayers.PacketAuthASHost,
-		slayers.PacketAuthReceiverSide,
-		slayers.PacketAuthLater)
+		slayers.PacketAuthReceiverSide)
 	require.NoError(t, err)
 	return spi
 }

pkg/spao/BUILD.bazel

@@ -10,8 +10,8 @@ go_library(
     importpath = "github.com/scionproto/scion/pkg/spao",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/drkey:go_default_library",
         "//pkg/private/serrors:go_default_library",
-        "//pkg/private/util:go_default_library",
         "//pkg/slayers:go_default_library",
         "//pkg/slayers/path:go_default_library",
         "//pkg/slayers/path/empty:go_default_library",

pkg/spao/mac.go

@@ -127,13 +127,10 @@ func serializeAuthenticatedData(
 	buf[1] = byte(pldType)
 	binary.BigEndian.PutUint16(buf[2:], uint16(len(pld)))
 	buf[4] = byte(opt.Algorithm())
-	buf[5] = byte(opt.Timestamp() >> 16)
-	buf[6] = byte(opt.Timestamp() >> 8)
-	buf[7] = byte(opt.Timestamp())
-	buf[8] = byte(0)
-	buf[9] = byte(opt.SequenceNumber() >> 16)
-	buf[10] = byte(opt.SequenceNumber() >> 8)
-	buf[11] = byte(opt.SequenceNumber())
+	buf[5] = byte(0)
+	buf[6] = byte(opt.TimestampSN() >> 40)
+	buf[7] = byte(opt.TimestampSN() >> 32)
+	binary.BigEndian.PutUint32(buf[8:12], uint32(opt.TimestampSN()))
 	firstHdrLine := uint32(s.Version&0xF)<<28 | uint32(s.TrafficClass&0x3f)<<20 | s.FlowID&0xFFFFF
 	binary.BigEndian.PutUint32(buf[12:], firstHdrLine)
 	buf[16] = byte(s.PathType)