Re: Resolving lingering issues with BFD authentication drafts
Reshad Rahman <reshad@yahoo.com> Thu, 29 February 2024 19:36 UTC
Return-Path: <reshad@yahoo.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9C4CC14F602 for <rtg-bfd@ietfa.amsl.com>; Thu, 29 Feb 2024 11:36:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oYdp3u-HdTUc for <rtg-bfd@ietfa.amsl.com>; Thu, 29 Feb 2024 11:36:11 -0800 (PST)
Received: from sonic309-14.consmr.mail.bf2.yahoo.com (sonic309-14.consmr.mail.bf2.yahoo.com [74.6.129.124]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE3DFC14F5FF for <rtg-bfd@ietf.org>; Thu, 29 Feb 2024 11:36:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1709235369; bh=4xhBPt6i+3VgR1Az5GJyuD9Tet0m0bduiIJUX/MHU+g=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject:Reply-To; b=O7sv/oxEk0j2gw+Uksy3u1fyjqDXR+1IGvWVrMbSgEZkwGzthLGYtRV7tW+Yqalp9V0a7Eoll+F34QXzV0OgdEY9XlB1d3PnbIZMLkjAq1N3wkzVZOETO3P+9CnZhczzevZo/C4fDg9AUu1tx13pD8jDuV47CeU3Abx4+RueyzJS0ta3mtu7AZST7psXOXWcynj7O1lZ4Rcg6sq8DNnRz+52GRm3pSSgCN0WoQRhTDCJKmAm6ywmE46odL9v3h02xOj0L18ZzXTAD2ww69KNVwi9qwUSOoQBCDk1wev/d/r+iPYsgZ+UXk0cu3gdmgvghda94AG+i9n2I8zcJgw8dA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1709235369; bh=TPvJn4cKyyt+D532UAYMCVnNSjySsXx+RcFVM+0l+0M=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=UV+evz+dtP6S/E5sbb/3UuaDG9h0rZW8hG5/wdNRWmPXwP7lwkGAM827tvbsumpn1IY4OrtH3SLw5oKk2Q+j+l0TovrwDJ/bOmhwAesEAkk5nCB0IwhJJ1LSS5JDLWlZNtMOcSgYPgAA7O8T/SBiVExys/HUGtAbbbAldsEdU7yANH0FIMOe+jgwMw3QJMnHAACH4Yh2whWsDJGdOq0ep0Ovq7pISa4MQg7E7eKiy9KITOTscpOoZEZn7N30uzWZWIeRJnupa7nZ7epRfu2e16aUcJJuF4QZLNyVsOWYrlFEc9lNzUfOhpPdSRROx+qx7UByJKH54nV+k1cGJlUE+w==
X-YMail-OSG: atR_M1UVM1lpGeK6U4PQrrcEHkmVeuHXLRmxgHzEEGhybSaibA0UNQCA.dc81id YnQTxnszCDAY.Wf4O5tYn.IQpoKa7bGsqUFP8JaLWvvoCqc0hTRFa.yJw6mJj9IURiPLeapIHpM8 iO2PzEQQGPjnA3msBp.KhlNqcSnbXJM13ZG9EZ9MCiMbYLREXrChxdwgVioCaIkWLvo0GaWfwLoY XswHr4ZCYvCb_BGH_D4jSEsi_4J_cYYRPIemZsDS3pmcUx.0xo3ng7OE97GbcInR2f36ApmUf4Jd SVY8QfbKmYJMkUGtzj7YCtaEJyZg2XmHNQfz0FsDicCs9W1G53bmPSjkZLCNHVlxgLmTq5o_3dF_ 00tPDWQOUDOdvoRIALhUSUHeuCKU5DcPk_iOCX1._LHiJQCUdrnlfCaTul9JBVRsA9PFtuxIYKcd .hBxep4rTYx4ge1DeWwLrFGfHjCG.3_yRdYUFyrjhTxBRfpkWpLEffd8W7tq_VYKKNe3X5AKUkWK 7cmEbX10exwGB2FKsNPeulpAwO17tsdH48Ph3.kBId0_qN1c1AO25.NIudLO6Vj8wCH9qQiKm2WT wviJMo7sNqMhdJqYI1ugybOONgXCL3pHoa5cH6Im6e7OCZpjJI4eaylM4N0OOAdI4ApZvxXuLsyx 5B3ykhgb9ogTURd.C5PfHsNAAS29SNqZu3ZR5bbfMcPqCG_rr9uM24MxwxS3DlYBoCOXNjFHYPLb iugzzSLNP763OJdU.8sW56Ix0QRrgRJGnO8p0Tn1Kntrk8n2tDXrtKdPh_M3fTpfosgEs9BGksTA _SjIlSEaTIvaOruYJmHPd.f7MY5E25CtwTRo1PtdWV3fTpHluButEyY1Xvi4LPDngMO4CuamM2ta JiYQ8Kl7VnGzSdkgBvZ5iAXLYpQ.cFL_m3fU3CKnKmwuRNQwDs8ypZkdB8S96xn3w9jpGrYGKpiR LcDpBHyLeK_.TJYlKgYLb4DGksYfTqRr.qWc8JRjv9ycmKTAiimGI6CO0MrXnR17U9.ve0E9om24 cgcbZsiFI8GT1.yZHGlwkaf_In1l25Y0_bcEQNOuAQDkuWU.FtnXd7gtpsT72fH33YLsh5wpqRHZ x3QdT8Ia71jZ_KCjB2NCOBg2zWZa0TxBD_xxxfPmykQ7oa4TatmMwES.fTWkS1XZrDm_KxGeySiT o3fFbF9D09p4o2Usl.yXJL5FLvQYzil8D9Nc43Ay5jPfw61ofB6cGcDimwWqEWepIqq9DJ9TBgQK iHAKtmp_G6Rn0WegvgLnyv.3MfYkKZsV6dbCh6NgkKSU5Z8X9DxYauJR5b3y6xZzfxbhzYfhdcGF ZIfOH7hu7s4WEFF8ln_P8Tb7sOe2LIrfsqNKx7s9ZE7nqrk7CCgfhGlU4bihtaU5JMmrT1xhMLQe 6zvO31Kfk11RKj8szayXKkS5gq9V9XSssjFwzHixWyEajkziMWUcEKS62YTKQl5W8fYyYynGSSsh CyoNt_g_0XF_O80AY_evH5t3ZGZogfL72VianQAPvIWQOB2xC4Pg1Oq_4J8m1DX.JxByJQ9_YAPr KKkzVmvkFXNIwDSuiDobcURKNIjRAFKR7IpjGmtBFoVBZHl.BMxbFrJx4rUknqpL2LHjBN4_W1cZ bUV6q2F_ON48pFtIQ030zFPkUUlvzPPxjVdW32ahOZUotrTS3IpvztyV_SP3g65yQufRFIRBYMRJ TX8DszE4rfdvpamfOoA_JkzauVPsEhETik0dYsNM6UPFM0fgRp0qmw1dEnCg6Zy5h267VPdy_sam urhaKb4MNRSz3v7Ij0dlZCeavMjJZkSEeMP3wA26_TGOR6KzCF2RnbHMK.x163XrGQ9rLuWi75KJ yk0EVebnqikayADPCf4fYlh5p_aJv72zZAVXqoH2xVhzojRTfs7VyDSRr.TLzw7nqVBaOm6.2zYq v6SNu0U7nCSg17WB1xQPObSJcVUJEB9BV2Y1Ox3nr6hvgfys3cVxQUQIFBPDWnh9bLallpGe0tWK x31VIZEUFAV2CnZuDdhQ4DAIPDQlrlZAHBY5Kwvp_Sh7TD8LlzrJVcQc9W2IA3s6ai1RRFvGspRO S2.zoHRFAbwF08hBTjsVMBJ6lyV7b0d8RsPoeJQi.jxWi4wg0jJGncu5vVLZWV9q6icJq9rAr9UP cVo8XiGqdLgRmuMa0m9WGKdnIHHubMvCnRvS01Fza3uQKuSMtgmrfu4mPkP43sRpqtE3RwzU5zgs cTZltDywTjzxDVkejH_VPoVY0.Ljy3J6WItGFgPWzVZDOx13c7VCPNgzKpa9Mcq3KyooRC4Kv2tf S6XZts_B1JoewVQhDdWrtdl9JaIeupY6VKaAG_jUKW6yzuYrBF3b5D7KJNuiAp4P1Jk.o1aJqADQ _XA--
X-Sonic-MF: <reshad@yahoo.com>
X-Sonic-ID: 11e0a2be-a33b-4c74-807f-652460e8a53e
Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.bf2.yahoo.com with HTTP; Thu, 29 Feb 2024 19:36:09 +0000
Date: Thu, 29 Feb 2024 19:36:09 +0000
From: Reshad Rahman <reshad@yahoo.com>
Reply-To: Reshad Rahman <reshad@yahoo.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
Message-ID: <1930332684.1428630.1709235369243@mail.yahoo.com>
In-Reply-To: <845A6BC6-DC4D-4637-9FF0-909261803845@pfrc.org>
References: <20240223213246.GA15208@pfrc.org> <1596993238.316567.1708900303895@mail.yahoo.com> <845A6BC6-DC4D-4637-9FF0-909261803845@pfrc.org>
Subject: Re: Resolving lingering issues with BFD authentication drafts
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1428629_641874619.1709235369241"
X-Mailer: WebService/1.1.22103 YMailNorrin
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/1Pdab_8KCBj5PLc85kn-G6TGUVQ>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Feb 2024 19:36:12 -0000
Jeff,
The only thing I am still a bit hesitant about is delaying the notification to the BFD clients (that the session is up) until we've successfully moved to the optimized mode. It's not the actual delay, which should be short, but the fact that it's changing the BFD state machine a bit. But I don't see any other way to do this without the risk of bouncing the BFD session.
Regarding "until we've successfully switched over to the optimized mechanism", what does a successful switch mean? Does it mean sending detect mult packets with optimized auth?
Regards,Reshad.
On Sunday, February 25, 2024, 06:53:52 PM EST, Jeffrey Haas <jhaas@pfrc.org> wrote:
Reshad,
On Feb 25, 2024, at 5:31 PM, Reshad Rahman <reshad@yahoo.com> wrote:
Jeff, overall this looks to be a good way forward, it addresses the main concern I had expressed.
Excellent.
On Friday, February 23, 2024, 04:32:55 PM EST, Jeffrey Haas <jhaas@pfrc.org> wrote: - The optimization procedures currently can have BFD go Up with the initial stronger authentication, then go down once the optimized mode kicks in.
<RR> That's the scenario where only 1 end supports optimized procedures?
In the current version of the document, yes. That's an item the suggested changes are intended to address.
Possible ways to address these:
For BFD optimization:
[...]
- Optimized authentication should kick in ASAP when we are in the Up state.
I believe this means that we send out at least Detect Mult packets in the
strong mechanism and then switch to the optimized mechanism. This bounds
the amount of time when we're not running in optimized mode.
<RR> Why does optimized procedures need to kick in asap? Is this in case there's an issue with the optimized procedures?
The general concern is not overly delaying the client's idea of when BFD transitions to Up.
The suggested changes take us from Up to an internal "pending" state waiting for the optimized mode to kick in. We can theoretically linger there however long we like since we've signaled that this change is coming, but it's not helpful to the client to linger there longer than necessary.
The suggestion above is really the lowest bound on time we can take for such a transition to ensure we can safely transition to ISAAC mode and entrain the sequence numbers for the ISAAC algorithm.
- BFD clients that are expecting optimized authentication SHOULD NOT convey<RR> BFD sessions (not clients)?
Session on a client. :-)
to their clients that the session is in the Up state until we've
successfully switched over to the optimized mechanism. While this seems
contrary to BFD behavior, it's no different than any of the existing
"holddown" procedures clients like BGP can implement to ensure that BFD is
stable for long enough before using the session.
<RR> Is this in case there's an issue with the optimized procedures?If yes, do we also need some text for the case where optimized procedures fail? e.g., at a certain point we have to stick to strong auth but do we retry eventually (that could cause the session to go down if we do)?
>From the client's session perspective, BFD simply is Up/Down as normal.
>From the protocol perspective, lingering forever waiting for the optimized mode kicking in isn't what we'd want. So, yes, we need some form of default timeout recommended for implementors.
If we repeatedly bounce the BFD session from Up to Down only at the transition to the optimized mode, we likely want to dampen that behavior. At least with the new code points we have a sense that this transition to the optimized mode is the actual problem between devices that have agreed to use that authentication type.
Thoughts?<RR> When transitioning from strong auth to optimized procedures, could we send both types of packets when attempting the transition? The aim being to avoid the BFD session from going down. I haven't thought this through so this may well not hold water.
For the ISAAC procedures, the only requirement is that we believe the other side of the session has seen at least one Up packet out of the expected Detect Mult packets. That's sufficient for the entraining procedure.
Once we have entrained the ISAAC session, we should be able to flip in and out of the optimized mode at will.
The idea I think you're trying to convey is similar to how other protocols handle a graceful rollover for key. That's normally done by having the rollover timeframe being willing to authenticate with both old and new key, not having the side generating the packets sending it twice.
For BFD in particular, sending the same PDU with different auth types would probably play havoc with the meticulously increasing sequence number requirements. Further, there's no mechanism we have to convey that we've successfully processed the rollover.
-- Jeff
- Resolving lingering issues with BFD authenticatio… Jeffrey Haas
- Re: Resolving lingering issues with BFD authentic… Reshad Rahman
- Re: Resolving lingering issues with BFD authentic… Jeffrey Haas
- Re: Resolving lingering issues with BFD authentic… Reshad Rahman
- Re: Resolving lingering issues with BFD authentic… Jeffrey Haas