IETF Logo Mail Archive

RE: AD review of draft-ietf-bfd-intervals

"Nobo Akiya (nobo)" <nobo@cisco.com> Tue, 12 August 2014 16:57 UTC

Return-Path: <nobo@cisco.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E14061A0354 for <rtg-bfd@ietfa.amsl.com>; Tue, 12 Aug 2014 09:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -115.169
X-Spam-Level:
X-Spam-Status: No, score=-115.169 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H7BcuIHEwGhH for <rtg-bfd@ietfa.amsl.com>; Tue, 12 Aug 2014 09:57:38 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BD271A034A for <rtg-bfd@ietf.org>; Tue, 12 Aug 2014 09:57:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1786; q=dns/txt; s=iport; t=1407862658; x=1409072258; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=gaTwX4MhP+76OjZnoRVsfu3QTLCpcSYh/ysJFLSSuwE=; b=D51iI78URePYIbs9yNnXWMmhNBI6bCDywy6zTHBwmb8uXZr/xhRti0ny jvBsXXoPFEMFGwcOxg/j4AR+Hie7JCOutA1WsZTx527NXFuOnz0P71axM LIcBhVs2A+pDsFqSdzB4H8fU6jGjUpLYXBDbaKafIHX8GBy81Yboz6ULm M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgQFAIJG6lOtJA2G/2dsb2JhbABagmojgS3UdAGBEhZ3hAQBAQMBOj8QAgEIIhQQMiUBAQQBDQ2IMggBxRsXjxsxB4MvgR0BBI8KghOgGoNcgjQ
X-IronPort-AV: E=Sophos;i="5.01,850,1400025600"; d="scan'208";a="346928505"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by rcdn-iport-2.cisco.com with ESMTP; 12 Aug 2014 16:57:37 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id s7CGvbpI001340 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 12 Aug 2014 16:57:37 GMT
Received: from xmb-aln-x01.cisco.com ([fe80::747b:83e1:9755:d453]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.03.0195.001; Tue, 12 Aug 2014 11:57:37 -0500
From: "Nobo Akiya (nobo)" <nobo@cisco.com>
To: Marc Binderberger <marc@sniff.de>, "adrian@olddog.co.uk" <adrian@olddog.co.uk>
Subject: RE: AD review of draft-ietf-bfd-intervals
Thread-Topic: AD review of draft-ietf-bfd-intervals
Thread-Index: Ac+zOz3k9ZAze7soSd2QofDV+HM0cQC7oqSAAAi4xFA=
Date: Tue, 12 Aug 2014 16:57:36 +0000
Message-ID: <CECE764681BE964CBE1DFF78F3CDD3943A3A54CB@xmb-aln-x01.cisco.com>
References: <03dd01cfb33b$40a2d7d0$c1e88770$@olddog.co.uk> <20140812003439717481.408f4350@sniff.de>
In-Reply-To: <20140812003439717481.408f4350@sniff.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [161.44.212.92]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/rtg-bfd/0FRUd9fxzdC4yulC6T2VdSDjFQI
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-intervals.all@tools.ietf.org" <draft-ietf-bfd-intervals.all@tools.ietf.org>, "Marc Binderberger (mbinderb)" <mbinderb@cisco.com>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Aug 2014 16:57:46 -0000

Hi Marc, Adrian,

> > This is rally to check with you. Can influencing the interval value used
> > by a BFD session be used as part of an attack? For example, can forcing
> > the transmission time to be slower make it harder to detect naughtiness?
> > And can forcing the interval to be faster help cause DoS? If so, does
> > limiting the set of available values make attacks easier?
> 
> okay, the sentence in section 5 is short I admit :-) But this draft is not
> introducing any new mechanism how to negotiate the interval; it only
> shows
> how the mechanism of RFC5880 can be used to build a negotiation-
> sequence.
> We do not force faster intervals, the adjustment is to slower intervals when
> the negotiation fails.
> There is a risk - although I don't see an attack vector - with the fact that
> the final interval may be slower than the initial request, i.e.you don't get
> the service requested. What the draft contributes is it helps to find a
> common interval and sessions go up where otherwise they may stay down.

I've spent some time thinking about this, but my conclusion is still the same: this document does not introduce any new security concerns. Attackers knowing or not knowing the common intervals won't result in any additional security concerns to devices implementing the common intervals. Perhaps we can expand the Security Considerations section a bit to make it more obvious on what we mean.

   This document does not introduce any additional security concerns.
   The security considerations described in the BFD documents, [RFC5880]
   and others, apply to devices implementing the BFD protocol,
   regardless of whether or not the common interval set is implemented.

 Thanks!

-Nobo

v2.23.0 | Report a Bug | By Email