IETF Logo Mail Archive

Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt

Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 26 July 2021 04:26 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE4C23A1936; Sun, 25 Jul 2021 21:26:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zNMjL4H7v40g; Sun, 25 Jul 2021 21:26:51 -0700 (PDT)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB5B63A1933; Sun, 25 Jul 2021 21:26:50 -0700 (PDT)
Received: by mail-pl1-x62a.google.com with SMTP id e21so5598624pla.5; Sun, 25 Jul 2021 21:26:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=xzxLP36C1KzrcqgDK60y4vnuMLF23LXE1fas/ieG5e0=; b=Uhq4e8+dEkj3RWGgcEPMXC8fQMVblmSVaGWGaurf4yCg5YJMNhZQXwvQ08gMahA7Ud kiUaWDj5lQj2hus+U67db4QmCjGeJjcMbl8cLndXkfjXGo4iZ9k0wnDGcBQr6S7Xjz24 2jSStrMffSQfa8RbNbPiiARDkdTUnIdicnLh9adSIILb2uTDAvSZFZEnJSSiEoAwBrki Eyst32SqH+ykYNfLY4RhwDLcd+7xnlibUWwfi1mMgDRndpaQZ0KJaHm8bBBGP9g7Vy8b LPUIoFMzqSk0/dcDdX5dd6Ibg9hV0zwutZnnrB/BpraByxgY9v/4XoEsqAzaZHKvGlKN Dq5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=xzxLP36C1KzrcqgDK60y4vnuMLF23LXE1fas/ieG5e0=; b=NfgZPPtdXEpZhavCfq1igO2/COVIrVRjxPrwNykFHJnx1Vd3ZlR3hcOotzYowjCIhL IokVsg10lPiFRra5f42W3+clX0iYGCywKmnZzcfgi0YRTpoUJ5aKP8+W1rD/qn6QousR hg/dB5vPRfk+WJb6L7++bj/Od0cNLpXKXN98DYhGQk3nxB3UaxqCNBbh0f7plI2SXROW rkw341cn8AcmjexTRfVzdjb0BGd5yc1O6gOHcU/K8+mjTqN9LNJm4nGQoHDQvrkErGKw FpOERnkGnLzq+486grTZEk9VdjTPEdHMpi3qWJsYweH8tWwYCuAg9Q5mx2zZYTYSmrHA aekA==
X-Gm-Message-State: AOAM531/K0KfrNTQ5nFgtDfDHGk9kT5kJKfeJUgOnpJlx7/9MSqtfaXL 8vew45ZpyuproQlJWFBTmc4=
X-Google-Smtp-Source: ABdhPJxKCv+vBmItd2j0G0nuRM2op96MHtOJdvVkGZO1+JBk7tGTH1n66vaf4kLGb4KR+AuoBBKOag==
X-Received: by 2002:a05:6a00:aca:b029:392:9c79:3a39 with SMTP id c10-20020a056a000acab02903929c793a39mr6937696pfl.57.1627273608647; Sun, 25 Jul 2021 21:26:48 -0700 (PDT)
Received: from [192.168.1.133] ([76.21.92.206]) by smtp.gmail.com with ESMTPSA id c24sm41178585pfn.86.2021.07.25.21.26.47 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 25 Jul 2021 21:26:48 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <D48909A0-D7E9-40DA-83DA-CB0327D2D586@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1DF158B6-1BD9-4B6E-9350-544A4CE26CD7"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Subject: Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt
Date: Sun, 25 Jul 2021 21:26:46 -0700
In-Reply-To: <14A4DD6D-7002-45A9-8FE4-42B512E97318@freeradius.org>
Cc: draft-ietf-bfd-secure-sequence-numbers@ietf.org, Reshad Rehman <reshad@yahoo.com>, "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, Alan DeKok <aland@freeradius.org>
To: Jeffrey Haas <jhaas@pfrc.org>
References: <161523096352.2145.10949026299560929284@ietfa.amsl.com> <CAMMHi8gvfyQFwa6jnr7v-1u1GV-16QKdFBCtJ_R7oyXZeh3D7A@mail.gmail.com> <D057A636-3E75-4E44-BCCB-04280DF93B26@yahoo.com> <106C31C7-4118-4CEE-935A-D0F02183C987@gmail.com> <E9401488-FEE0-4DBD-9415-AA3A1A3B6B1E@yahoo.com> <20210405171412.GB12257@pfrc.org> <4831ADD8-6E8D-4CDD-966F-B273A3AF45C5@freeradius.org> <20210405184656.GE12257@pfrc.org> <468C7D1D-7BE2-4759-9D81-0E18725FCA90@freeradius.org> <20210405190821.GF12257@pfrc.org> <14A4DD6D-7002-45A9-8FE4-42B512E97318@freeradius.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/02J-N6BvAd90_4PVdYDb8LNIc4c>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2021 04:26:56 -0000

[Putting the thread on the BFD mailing list]

Hi Jeff/Alan,

I wanted to understand the changes the authors need to make to move the draft forward.

On this thread <https://mailarchive.ietf.org/arch/msg/rtg-bfd/jw1aH07S363k41OCbBDUk2INmRE/>, @Jeff stated that you were looking for clarity on the following statement.

   Note: The first sequence number can
   be obtained using the same logic as used in determining Local
   Discriminator value for the session or by using a random number.
For which I believe the consensus is the suggestion from Alan below to add an authentication section in the first packet that carries the nonce. Right?

See inline for more.

> On Apr 6, 2021, at 3:09 AM, Alan DeKok <aland@freeradius.org> wrote:
> 
> On Apr 5, 2021, at 3:08 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>> BFD needs an increasing sequencing number.  But we also are trying to
>> get replay protection.  What that means is that we likely don't want to
>> start at sequence 1 every time - or we need to have a nonce to make sure we
>> don't get a replay if we do.  
>> 
>> The protocol currently doesn't carry anything to use as a nonce.
> 
>  Maybe add an authentication section in the first packet, which can then carry a nonce?
> 
>> As written (see section 3), it's written as a reversible operation, which
>> would be reasonable from a symmetric bit of crypto.  But if we're using a
>> hash, I don't believe we get that property.  Instead, we have to know what
>> we're expecting in each side and have the next k values computed, where k is
>> in the window of the BFD Detect Multiplier (lost packets maximum).
> 
>  Yes.
> 
>> Somewhere in between draft-06 and -07, the text started moving toward
>> "symmetric key algorithm" from hash, probably as part of the clarification
>> requests for how the mechanism worked.  Likely my request, and I failed to
>> remember that we wanted fast hash rather than reversible.
> 
>  It depends on what the goals are, I guess.  A cryptographic random number generator is likely to be much faster than a reversible encryption method, especially on constrained CPUs.  But random number generators aren't reversible, which is also a useful property.
> 
>  The main issue with a strong hash function is that it's a hash, and isn't intended to generate sequences of numbers.

What I understand from this discussion is that the WG feels that rather than symmetric key algorithm, a hash should be used for computing the ciphertext (if that is the correct term for computed hash?) that will be inserted in the sequence number field, and the other end will compare the computed hash against the next k values it has computed on the expected sequence numbers within the window of BFD Detect Multiplier. Did I get that right?

Inserting this from the same thread.

> 
>>> If so, getting some text would help a bunch.
>> 
>>  I'll see what I can do.
> 
> That'd be great.

Alan, could you help us with the text here.

> 
>> That was my impression.  Complexity might be worthwhile as long as the memory
>> is constrained.  This is going onto linecards with the CPUs that would
>> embarass a lot of people, after all.
> 
>  The Blake3 code isn't trivial, and doesn't seem to have fixed-size memory requirements, unlike MD5 / SHA.
> 
>  Looking around, we also have https://tools.ietf.org/html/rfc8937, which recommends against directly using the output of a PRNG.  It recommends instead a fairly complex scheme, which isn't applicable here.  But perhaps we could do something similar.
> 
>  My suggestion would be to do something vaguely like what RFC 8937 suggests, but with weaker / faster algorithms.
> 
>  We could use ISAAC to securely generate a sequence of random numbers.  The first packets exchanged could contain an authentication section with a nonce.  ISAAC would be seeded with a secret key and a nonce, and would generate a stream of 32-bit cryptographically strong pseudo-random numbers.
> 
>  We could use this output directly, but we might want to go a step further.  We could add a fast hash function to further hide the output of the random number generator, and also get authentication of the packet contents.
> 
>  i.e. for a packet P, set My-Discriminator to zero, take the random number X from Isaac, and then calculate Hash(X, P).  The output is a 32-bit number which can go into the discriminator field.
> 
>  The other end can set the discriminator to zero, calculate the hash, and then see if the packet has been authenticated.  The benefit here is that it's authenticating not just the particular sequence from the random number generator.  It is also authenticating the packet.  And, because the packet contains Your-Discriminator, the has would authenticate the entire sequence of packets.  Which seems a desirable property.
> 
>  Either option would be imperfect, but fast and reasonably secure.

Not clear on whether we are now trying to define how the nonce should be calculated, and if that is not getting into implementation level details. 

Thanks.

> 
>  Alan DeKok.
> 

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email