RE: Comments on draft-ietf-bfd-generic-crypto-auth

"Nobo Akiya (nobo)" <nobo@cisco.com> Thu, 17 April 2014 13:02 UTC

From: "Nobo Akiya (nobo)" <nobo@cisco.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Subject: RE: Comments on draft-ietf-bfd-generic-crypto-auth
Date: Thu, 17 Apr 2014 13:02:02 +0000
Message-ID: <CECE764681BE964CBE1DFF78F3CDD3941E10B249@xmb-aln-x01.cisco.com>
References: <CECE764681BE964CBE1DFF78F3CDD3941E107BCA@xmb-aln-x01.cisco.com> <E15C147B-0F20-4646-B552-84B39270D99F@gmail.com>
In-Reply-To: <E15C147B-0F20-4646-B552-84B39270D99F@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/rtg-bfd/-FnYDBg_OE_KJ_quf0kAeqf2G8E
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-generic-crypto-auth@tools.ietf.org" <draft-ietf-bfd-generic-crypto-auth@tools.ietf.org>

Hi Mahesh,

Thanks for considering my comments.

> > (3) Section 3.3
> >
> > [snip]
> >   The device MUST fill the Auth Type and the Auth Len fields before the
> >   authentication data is computed.  The Sequence Number field MUST be
> >   set to bfd.XmitAuthSeq.
> > [snip]
> >
> > The paragraph is slightly confusing as to whether the Sequence Number field
> > needs to be set before or after the authentication data is computed. It'll be good
> > to clarify this.
> 
> 
> I was looking at RFC 5880 for guidance on this. It says "The Sequence
> Number field MUST be set to bfd.XmitAuthSeq." Period. No mention of
> before or after.
> 
> How about this:
> "The device MUST fill the Auth Type, the Auth Len fields and set the
> Sequence Number field to bfd.XmitAuthSeq before the authentication data
> is computed."

That is much clearer.

> > (6) Section 3.4, sixth paragraph
> >
> > [snip]
> >  In such a case, an error event SHOULD be logged.
> > [snip]
> >
> > Such a log could become a DoS attack point? Rate limiting of such a log is
> > outside the scope of this document, but it could be beneficial to explain this
> > in the Security Considerations section ... optional comment though.
> >
> 
> How about this:
> 
> "In such a case, an error event SHOULD be logged. Rate limiting of such a log
> to prevent a DoS attack is outside the scope of this document."

The changes do imply that rate limiting should be applied. However, considering these logs could be generated for every BFD packet received by the system (which can be a significant amount), it may be better to explicitly have a paragraph on this in the Security Considerations section. Perhaps this can be taken up in a next next revision?

-Nobo
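The two points discussed above, the Section 3.3 field-ordering question and the rate-limited error logging from Section 3.4, as an added illustration that is not part of the original thread or of the draft. The authentication section layout is assumed from RFC 5880; the Auth Type value, the choice of HMAC-SHA-256, and zeroing of the digest field before computing the MAC are assumptions, and the sample packet and key are constructed.

```python
import hmac
import hashlib
import struct

# Added example, not code from the draft or from either correspondent.
# Auth section layout assumed from RFC 5880: Auth Type (1), Auth Len (1),
# Auth Key ID (1), Reserved (1), Sequence Number (4), then the digest.
# The Auth Type value and zeroing of the digest field are assumptions.
AUTH_TYPE_PLACEHOLDER = 0xFF        # placeholder, not a registered value
DIGEST_LEN = hashlib.sha256().digest_size
AUTH_LEN = 8 + DIGEST_LEN
SEQ_OFF = 24 + 4                    # Sequence Number offset in the packet

# Constructed 24-byte mandatory section: vers 1, Up, A bit set, Detect Mult 3, Length 64.
MANDATORY = bytes([0x20, 0xC4, 3, 24 + AUTH_LEN]) + struct.pack(
    "!IIIII", 1, 2, 1_000_000, 1_000_000, 0)

def mac(key, pkt):
    # HMAC over the whole packet with the digest field zeroed (assumption).
    return hmac.new(key, pkt[:-DIGEST_LEN] + bytes(DIGEST_LEN), hashlib.sha256).digest()

def sign(mandatory, seq, key_id, key):
    # Order the thread settles on: Auth Type, Auth Len and Sequence Number
    # are all in place before the authentication data is computed.
    pkt = mandatory + struct.pack("!BBBxI", AUTH_TYPE_PLACEHOLDER, AUTH_LEN, key_id, seq) + bytes(DIGEST_LEN)
    return pkt[:-DIGEST_LEN] + mac(key, pkt)

def sign_seq_after_mac(mandatory, seq, key_id, key):
    # The ambiguous reading: MAC computed with Sequence Number still 0 and
    # the real value written in afterwards.  Receivers reject this packet.
    pkt = sign(mandatory, 0, key_id, key)
    return pkt[:SEQ_OFF] + struct.pack("!I", seq) + pkt[SEQ_OFF + 4:]

class Verifier:
    """Checks the MAC; failures are logged through a token bucket (the rate limiting the thread wants in Security Considerations)."""
    def __init__(self, key, burst=5, per_second=1.0):
        self.key, self.burst, self.rate = key, burst, per_second
        self.tokens, self.last, self.logged, self.suppressed = burst, None, 0, 0
    def verify(self, pkt, now):
        if hmac.compare_digest(pkt[-DIGEST_LEN:], mac(self.key, pkt)):
            return True
        if self.last is not None:       # refill tokens for elapsed seconds
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            self.logged += 1            # a real receiver emits the log line here
        else:
            self.suppressed += 1        # dropped so the log cannot become a DoS path
        return False
```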