IETF Logo Mail Archive

Re: draft-ietf-bfd-optimizing-authentication-13 nits

Mahesh Jethanandani <mjethanandani@gmail.com> Fri, 19 January 2024 00:26 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 335F5C14F615; Thu, 18 Jan 2024 16:26:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zTJrV4FksquK; Thu, 18 Jan 2024 16:26:05 -0800 (PST)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 413A0C14F60F; Thu, 18 Jan 2024 16:26:05 -0800 (PST)
Received: by mail-pl1-x634.google.com with SMTP id d9443c01a7336-1d7164aeac1so1710845ad.1; Thu, 18 Jan 2024 16:26:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705623964; x=1706228764; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=nv65IWvGVXx3dFBAWeH29V2vV6EaeTeKG00WLf5Ky7k=; b=W4768xZjBBBgEIzMgJTLTDtuXUH9qqL1pjoMpFv/rcIoYp/3BzXIJU81yH6TCESYan RNE6xo6yM68T/dmXq0aeww0R1UyJcYJN3cSCQR8s7Rw5zfkElAsDFu3JXhI4IjFJWRNL 9b9e+CvxTRIkR465Dhvk2euQzBFCb1RzEDsVxgkGuYD8pXcRTdG+DihqxsBpYb6cPTYZ EBqEA0ZUJLYT0TlSJaWewfIS6wgfxURQgI4IxZwvUpNlkzRHmSSFeTXzW00vm6T2icmx 6e0i8W4EgnmuZwbJtFmCk4TSRXhitR/ka+JmJplXwqkqJGPsSfvSsdjKyWKygjgUVSnP 57IQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705623964; x=1706228764; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=nv65IWvGVXx3dFBAWeH29V2vV6EaeTeKG00WLf5Ky7k=; b=FcLiURNUTikyfwsEpD+SNVKO9Y3+5NWYSGiQeMsQI2y7RVUCAIyvDlEpAEaynGytLR i7Y4TM4rR6py9T21LhCzFpXfvuWlaAdq2UmLQANCbBOp1X77p0ArpAGpZ4AozDzFxCJ9 1cX4nH+e4nCApyEFSD/9g2L0wI4hlWT1bTw6xx7LC1ankGQrBsEX7fJbVJpXkPksxb4Q xCi0VcB9823ALDCsD9hsfXyhAWmP6XMs5oXIaz3Et49MVQNRD8Bv7lqVtZcl6WCsUDT3 pGCb9pIRpvrnewbNtLhZ9kzz70v4beUCBG1NlSRrzW9f6mC9OY2tx91Q35cPfHGds5EC +Oxg==
X-Gm-Message-State: AOJu0Yx+FKvM5jUuWyGR7Q0cyrILr54VwQXbeJJg+8sGhNy44gZu6UCh L5qW6Q5BmrlUhBfIW9TgTIxxGZog+gnqULfxbfzIh1hKoFe/g/GKq+3Ca1q2ghk=
X-Google-Smtp-Source: AGHT+IFbWiEi/ZSWtqE2Zk7VJetOe2nMIFehGCbIqlzhudU69IzjwZqeVTNhJbMS5RK/aTDJQf5Dow==
X-Received: by 2002:a17:903:2286:b0:1d7:2004:67f5 with SMTP id b6-20020a170903228600b001d7200467f5mr100584plh.58.1705623964485; Thu, 18 Jan 2024 16:26:04 -0800 (PST)
Received: from smtpclient.apple ([70.234.233.187]) by smtp.gmail.com with ESMTPSA id kg6-20020a170903060600b001d6fff34728sm1930967plb.170.2024.01.18.16.26.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 18 Jan 2024 16:26:03 -0800 (PST)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <A8D0BCD4-15FA-4061-A7F0-6D888158F5A3@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3C3FD503-41CA-4B48-AC0C-81489BF17D47"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\))
Subject: Re: draft-ietf-bfd-optimizing-authentication-13 nits
Date: Thu, 18 Jan 2024 16:26:02 -0800
In-Reply-To: <4F3695C8-3736-4E55-B5BB-84671FDC367E@pfrc.org>
Cc: draft-ietf-bfd-optimizing-authentication@ietf.org, "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, Manav Bhatia <manavbhatia@gmail.com>, Ashesh Mishra <mishra.ashesh@gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>
References: <4F3695C8-3736-4E55-B5BB-84671FDC367E@pfrc.org>
X-Mailer: Apple Mail (2.3654.120.0.1.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/0QbSoadrkmNrDxPWTN_vlgE3w5I>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2024 00:26:07 -0000

[Adding Ashesh and Manav’s explicitly till we update their e-mail address in the draft]

Hi Jeff,

Thanks for picking this up.

> On Jan 17, 2024, at 5:05 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> 
> Authors,
> 
> Since secure sequence numbers is heading toward WGLC, it's time to refresh this document and review it vs. secure sequence numbers, and bfd stability.
> 
> -----
> 
> From Introduction and some confusion about configuration and operational state:
> 
> "This document also proposes that all BFD control packets which signal a significant change MUST be authenticated if the session's bfd.AuthType is non-zero. Other BFD control packets MAY be transmitted and received without the A bit set."
> 
> There's a bit of semantic confusion here.  bfd.AuthType is what we use as our state and what we put in our packet.  And similarly, we're trying to say here that "authentication may not be required for some packets".
> 
> Part of where this is potentially confusing is that these mechanisms are documenting changes from one auth type to the other.
> 
> This means we have, leveraging management framework terminology, configuration state that represents "start with authentication X, which will use method 1 that goes into bfd.AuthType and user method 2 which also goes into bfd.AuthType".  This also has implications when we have this bit of composite configuration with regards to authentication that isn't expected (i.e. NULL when secure seq is configured) needs to be addressed.
> 
> For operational state, reflecting the active type may be fine, but reflecting the hybrid configuration state is also necessary.

That is a good point. However, and thinking of this from a management perspective, the operator can signal a they want optimized auth. It will up to the implementation to update the bfd.AuthType field as it toggles through the different authentication types. For example, if optimized-auth is set to true, the session could start with no auth, transition to bfd.AuthType=5 as the session is coming up, and then transition to bfd.AuthType=0 after it has reached UP state. 

Orthogonally, the operator can indicate whether they want to secure the sequence numbers that are included in the BFD packet. It will be up to implementation to decide whether they want to use it when bfd.AuthType is set to a non-zero value, or only use it when bfd.AuthType is set to 0.

In summary, two new leafs in the YANG model, one boolean leaf for “optimized-auth” and one boolean leaf for “secure-seq-num”.

If this sounds kosher, I will add text to that effect in the draft.

> 
> 
> 
> One way to work through how to adjust the text is consider what the updates to the YANG module might look like.

;-)

> 
> 1.2:
> s/a demand model/a demand mode/

Fixed.

> 
> "configured interval" probably needs to be more specific to this mechanism.  In particular, this is the interval for how long before we retry strong authentication.

There is no “strong” vs “weak” authentication, unless I am missing something.

I have rephrased it to:

“ Interval at which BFD control packets are retried for authentication”

> 
> 2. Authentication Mode:
> 
> The text in this section indicates that there are circumstances where no authentication (a-bit is off) is permissible.  However, the text then moves to discuss NULL authentication, which is authentication that still carries an a-bit, and has contents. This is likely from earlier work prior to realizing we want some form of anti-replay attack.
> 
> I suspect the correct thing to do here is move all text toward discussing the "non-authenticated" mode as the less encumbered authentication, of which this document defines the NULL method. 

Ok. I have changed the text to talk about the value of bfd.AuthType as either a non-zero value or using a zero (NULL) value, even as A-bit is set.

> 
> The text for secure sequence numbers also is now incorrect since the mechanism has evolved.

> 
> 3. NULL Auth Type.
> 
> The main text here in need of updating is the sequence numbers.  As we've worked through in the discussions for secure sequence numbers, we want the sequence numbers to be preserved across authentication mechanisms.
> 
> Is the answer to take the text we have in secure sequence numbers covering this detail and move them to this document?

Most the text in this document defers to the I-D.ietf-bfd-secure-sequence-numbers draft, and I would not duplicate any text from there in this document.

Thanks

> 
> -- Jeff
> 
> 
> 


Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email