IETF Logo Mail Archive

Re: WGLC BFD Authentication Drafts

Greg Mirsky <gregimirsky@gmail.com> Mon, 02 July 2018 18:46 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A905130F56 for <rtg-bfd@ietfa.amsl.com>; Mon, 2 Jul 2018 11:46:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BR3AiggPDd1g for <rtg-bfd@ietfa.amsl.com>; Mon, 2 Jul 2018 11:46:00 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFB62130E5B for <rtg-bfd@ietf.org>; Mon, 2 Jul 2018 11:45:59 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id i125-v6so13284732lji.2 for <rtg-bfd@ietf.org>; Mon, 02 Jul 2018 11:45:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MnCZXhYi0GkkWLwj1S6pxTzsZWPoOS6oD4IaY9L+K18=; b=uptNi0S1Z8o+dzRWQitIHoclizUOy5uRi8+5JEY3l9P7zpVi6+phTkHrn6lwUMi867 1SiEUY3eJTFy3DTp1R+NjdWMnngwkd2dkt/CK5UxfQJ2VcqFIf2vv8Lin5fbKqoC29+C iaQpQgvkbXqr6sV9YoLvHSusrw5Mfzn2OEQHowXkr/4f6eXfLRCrdtzV86ZaDwq4hjWL Ebq/pI+CxMnXLB4FfTEKRot9TNVse4O49c2lQ7dZB0sp7yHOq/2Lj/AdawoorBBzqIh8 OdUnQql9CI9IFzC8ZtKryXxgYjqoLUeaLaQx/aVl6gXC9dEyp20pxpDm8Yc7086VkU9V ixbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MnCZXhYi0GkkWLwj1S6pxTzsZWPoOS6oD4IaY9L+K18=; b=cn2YyImYs+vJyDpFyPsT2N6vPSCN8mhmO8XtDWYgEPOzDM/1SYobolS+QC3Y94igo0 rL7aqXJ2PBchMiVhw8NhLB3IRSgaAAAkzKS2MweJc7/t3IHFTuGX/UTohn9+uuN+w00I CzZ84xbEjYawCemzPeYWtlQEBkGTNVuPh8AerT6Va3qGYWlhHPzFjRlxjc8LmjClJj6O 0JvRM8AJ/FhNrVdsm0mc1Vd5phhCL6cCH2FKbbBTubAegkXYshyaDQhfUxf3t/DwTPHT h0jTvku4e4LC3iArpZcAJMLI7aMrN+2vUTHeYm/qiJGKwhk2Dt1BveX+gtG94kHtB5hv BrEA==
X-Gm-Message-State: APt69E0qD2B6tvuHIOZkxRJOZXAfrL4V7iptud69mRRL5hy+NOxNqgMt XiCoDQxthhAwbj9PwaWhRfFrBSeeOY4fF6cCSC8=
X-Google-Smtp-Source: ADUXVKK/JEdMEo8IFJMDtdCTuNzmZqzO5JRMDpRPG5rb4xcnQBCvZB9nQ1panWsZ3wzt0ArpVcA62ym6zg8VI6w9TCo=
X-Received: by 2002:a2e:534e:: with SMTP id t14-v6mr16773615ljd.73.1530557158052; Mon, 02 Jul 2018 11:45:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:6e08:0:0:0:0:0 with HTTP; Mon, 2 Jul 2018 11:45:57 -0700 (PDT)
In-Reply-To: <6434EAB4-389D-4D1D-BCC6-E527FE187D11@gmail.com>
References: <20180328163856.GB3126@pfrc.org> <CA+RyBmVLPBKq1wthriY44FQN51bq85w3LfSR4K6WuRi=Kr1L9w@mail.gmail.com> <BL0PR0102MB33454D88A214B8EFFDD242B5FAA70@BL0PR0102MB3345.prod.exchangelabs.com> <CA+RyBmWh+_nKd-pvyg7W2xtdOFE9BkXEqTM3W48K_rifaUAYXw@mail.gmail.com> <36BBC371-54A2-43B0-8597-69782CFFD5E9@outlook.com> <CA+RyBmWue4iM9a2gazuTu=h-7yFN+YKEGMY8=_2C3gsj3yxekw@mail.gmail.com> <350B7795-76FC-4E7A-9532-2F3CF0577C31@outlook.com> <CA+RyBmVXzaHo1_AjkuYdGCJ2MUOPdobXS8awA0Fn9O8+JMFVQQ@mail.gmail.com> <CC7A767C-DE45-4349-8C65-BA28A4746830@gmail.com> <CA+RyBmUN=-rx9rhtR-Rs9StCa4s3Jbs5-nkY7Crz-x9CF8cU-Q@mail.gmail.com> <6434EAB4-389D-4D1D-BCC6-E527FE187D11@gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Mon, 02 Jul 2018 11:45:57 -0700
Message-ID: <CA+RyBmXCny8Qe8wNe54z-akoxHD5XDrBq8bNg4_4bKbkLvWX4w@mail.gmail.com>
Subject: Re: WGLC BFD Authentication Drafts
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: Ashesh Mishra <mishra.ashesh@outlook.com>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b6d63b0570089b92"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/4Ixv13eOqvqD2KPZa_tjgVDYKWg>
X-Mailman-Approved-At: Tue, 03 Jul 2018 07:09:36 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2018 18:46:03 -0000

Hi Mahesh,
thank you for sharing the history of this mode. Are you proposing to remove
it from the specification?

Regards,
Greg

On Mon, Jul 2, 2018 at 11:41 AM, Mahesh Jethanandani <
mjethanandani@gmail.com> wrote:

> Hi Greg,
>
> The suggestion to authenticate every Nth frame came to us when we
> initially presented the draft. It was not part of the original draft. If I
> remember, the reason given was that if a MITM had taken over the session,
> then authenticating an occasional frame would help detect that. Note,
> however, a MITM cannot change the state of the session, because a change in
> the state of the session requires those frames to be authenticated by the
> sender, and for those frames to be marked valid by the receiver.
>
> Cheers.
>
>
> On Jul 2, 2018, at 11:06 AM, Greg Mirsky <gregimirsky@gmail.com> wrote:
>
> Hi Mahesh,
> you've said:
>
>
> If three or more frames are discarded because one or all three of them
> were marked with NULL Auth TLV, and all of them fail authentication, the
> receiver brings the session down. Again, this is no different from three or
> more unauthenticated or meticulously authenticated frames being discarded,
> causing the receiver to bring the session down.
>
>
> My understanding of periodic mode is that when the BFD session is in Up
> state every Nth BFD Control packet is authenticated while rest of packets
> are not. Consider the scenario when each authenticated packet fails
> validation while unauthenticated packet pass. Would the state of the
> session remain Up? If so, what is the purpose of authentication? If not, if
> the session transitions to Down state, then it is, in my opinion, the
> change to BFD state machine per RFC 5880.
>
> Regards,
> Greg
>
> On Mon, Jul 2, 2018 at 9:58 AM, Mahesh Jethanandani <
> mjethanandani@gmail.com> wrote:
>
>> Picking up on this thread.
>>
>> The way to look at this draft is, that it suggests which frames will
>> undergo authentication. This draft does not suggest any change to the state
>> machine, or believe it causes a change in it. Frames that need
>> authentication will carry the NULL Auth TLV. If they are not authenticated
>> or do not need authentication they will not have the TLV.
>>
>> If a BFD session is down, and it is going through a P/F sequence the
>> frames need to be authenticated, since these frames *cause* a state
>> machine transition. If authentication fails, frames are discarded and the
>> session remains down. This is no different from a unauthenticated or a
>> meticulously authenticated P/F frame getting discarded, keeping the session
>> down.
>>
>> If the session is up, and it needs to be brought down, then the frame to
>> bring it down needs to be authenticated, again because these frames
>> *cause* a change in state machine. If it fails authentication, the frame
>> is discarded and the session remains up. Again, this is no different from a
>> unauthenticated frame or a meticulously authenticated frame being
>> discarded, keeping the session up.
>>
>> If three or more frames are discarded because one or all three of them
>> were marked with NULL Auth TLV, and all of them fail authentication, the
>> receiver brings the session down. Again, this is no different from three or
>> more unauthenticated or meticulously authenticated frames being discarded,
>> causing the receiver to bring the session down.
>>
>> Cheers.
>>
>> On Apr 9, 2018, at 12:39 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
>>
>> Hi Ashesh,
>> thank you for your response to my questions.. I think I need some more of
>> your help to locate the text in RFC 5880 that, as you've stated, mandates
>> that the single failure to authenticate a BFD control packet in Up
>> state triggers the transition to Down state. I only see section 6.7 that
>> describes authentication validation and when the received control packet
>> must be discarded because of validation failure and the following text:
>>       If the A bit is set, the packet MUST be authenticated under the
>>       rules of section 6.7, based on the authentication type in use
>>       (bfd.AuthType).  This may cause the packet to be discarded.
>> But I don't find any text that states that if authentication is in use,
>> then Detect Time calculated regardless of the value of the Detect Mult
>> field. Perhaps I will extend the description of the scenario:
>>
>>    - authentication is in use and every, for example, the fourth packet
>>    to be authenticated, i.e. three control packets with NULL Auth TLV followed
>>    by "real" authenticated control packet;
>>    - initial packets, three-way handshake, pass authentication
>>    verification and the session is Up;
>>    - at some point, the verification of the "real" authenticated packets
>>    fails and it is discarded;
>>    - packets with NUL Auth TLV pass the validation.
>>
>> Appreciate your consideration and help.
>>
>> Regards,
>> Greg
>>
>> On Mon, Apr 9, 2018 at 10:51 AM, Ashesh Mishra <mishra.ashesh@outlook.com
>> > wrote:
>>
>>> Hi Greg,
>>>
>>>
>>>
>>> What I meant to say was that the state machine remains the same as in
>>> the case of 5880 authentication. If an authentication frame fails
>>> validation then the session goes down regardless of good OPER-UP frames
>>> (authentication or normal) before or after that frame. Since the behavior
>>> in 5880 does not require any more than 1 frame to fail validation, the
>>> mechanism works as-is in the new proposal. Once the session is down, all
>>> frames need to be authenticated to bring the session up so again, the
>>> session can’t come back up just because the frame that failed validation is
>>> followed by a stream of unauthenticated frames.
>>>
>>>
>>>
>>> Hope that addresses the gap that you presented.
>>>
>>>
>>>
>>> Ashesh
>>>
>>>
>>>
>>> *From: *Greg Mirsky <gregimirsky@gmail..com <gregimirsky@gmail.com>>
>>>
>>> *Date: *Tuesday, April 3, 2018 at 8:35 PM
>>>
>>>
>>> *To: *Ashesh Mishra <mishra.ashesh@outlook.com>
>>> *Cc: *Jeffrey Haas <jhaas@pfrc.org>, "rtg-bfd@ietf.org" <
>>> rtg-bfd@ietf.org <rtg-bfd@ietf..org>>
>>> *Subject: *Re: WGLC BFD Authentication Drafts
>>>
>>>
>>>
>>> Hi Asheh,
>>>
>>> thank you for the detailed response to my questions and consideration of
>>> my comments.
>>>
>>> I think I cannot agree that the BFD state machine remains unchanged if
>>> optimized BFD authentication is in periodic mode. Let's consider case when
>>> only every 5th BFD control packet is authenticated when the session is in
>>> Up state. What happens if from some moment every authenticated packet fails
>>> to be validated? Would the session go to Down state? But all
>>> unauthenticated BFD control packets pass the validation check and since
>>> only one packet seems to miss validation the session, if the state machine
>>> remains unchanged, will stay Up.
>>>
>>>
>>>
>>> Do you see this as plausible scenario?
>>>
>>>
>>>
>>> Regards,
>>>
>>> Greg
>>>
>>>
>>>
>>> On Tue, Apr 3, 2018 at 11:03 AM, Ashesh Mishra <
>>> mishra.ashesh@outlook.com> wrote:
>>>
>>> Thanks for the clarification, Greg.
>>>
>>>
>>>
>>> Here are my thoughts on the issues:
>>>
>>>
>>>
>>> *I'd break it into couple more specific questions: *
>>>
>>> ·         *can the periodic Optimized Authentication mode be used
>>> without authorization o state changes;*
>>>
>>> ·         *if the answer to the previous question "yes", then when the
>>> first authorized BFD control packet must be transmitted by the system;*
>>>
>>> ·         *does the BFD state machine (section 6.2 RFC 5880) changes
>>> resulting from introduction of periodic optimized authentication mode;*
>>>
>>> *[AM] The optimized authentication can be used without state changes and
>>> the first auth packet will be the DOWN state frame to kick-off the session
>>> negotiation as the proposal suggests that all DOWN state frames are
>>> authenticated. The state machine does not change in this proposal but it
>>> only indicates which frames should be authenticated and which ones can use
>>> NULL-AUTH TLV (un-authenticated frames). *
>>>
>>> *And additional comments:*
>>>
>>> ·         *"For example, the two ends can decide that BFD frames that
>>> indicate a state change should be authenticated and enable authentication
>>> on those frames only."*
>>>
>>> *I don't think that nodes "decide" anything but are configured to do
>>> something.*
>>>
>>>
>>>
>>> *[AM] I agree that the language is not accurate. We’ll change it in the
>>> next revision. The intention is to use indicate configuration rather than
>>> negotiation. *
>>>
>>> ·         *"If the two ends have not previously negotiated which frames
>>> they will transmit or receive with authentication enabled ..."*
>>>
>>> *I couldn't find the negotiation procedure being described in the
>>> document. Is it out-of-band, i.e. by control or management plane, not part
>>> of this BFD enhancement?*
>>>
>>>
>>>
>>> *[AM] The language should indicate configuration instead of negotiation.
>>> *
>>>
>>> ·         *"The configuration of the periodic authentication interval
>>> for BFD CC UP frames is an open issue."*
>>>
>>> *I believe that this open issue must be resolved in the definitive
>>> manner before the draft moved to WGLC.*
>>>
>>>
>>>
>>> *[AM] This line should be removed and the preceding text should indicate
>>> that the parameters for authentication should be configured on the session
>>> end-points. *
>>>
>>>
>>>
>>> Regards,
>>> Ashesh
>>>
>>>
>>>
>>> *From: *Greg Mirsky <gregimirsky@gmail.com>
>>> *Date: *Monday, April 2, 2018 at 12:34 PM
>>> *To: *Ashesh Mishra <mishra.ashesh@outlook.com>
>>> *Cc: *Jeffrey Haas <jhaas@pfrc.org>, "rtg-bfd@ietf.org" <
>>> rtg-bfd@ietf.org>
>>>
>>>
>>> *Subject: *Re: WGLC BFD Authentication Drafts
>>>
>>>
>>>
>>> Hi Asheh,
>>>
>>> thank you for taking time to review the minutes from BFD WG meeting at
>>> IETF-98. I don't think that we had enough time to discuss in details my
>>> question:
>>>
>>> Greg Mirsky: One of the possible modes when the session is up is to use
>>> authentication with periodic timer trigger?
>>>
>>> I'd break it into couple more specific questions:
>>>
>>>    - can the periodic Optimized Authentication mode be used without
>>>    authorization o state changes;
>>>    - if the answer to the previous question "yes", then when the first
>>>    authorized BFD control packet must be transmitted by the system;
>>>    - does the BFD state machine (section 6.2 RFC 5880) changes
>>>    resulting from introduction of periodic optimized authentication mode;
>>>
>>> And additional comments:
>>>
>>>    - "For example, the two ends can decide that BFD frames that
>>>    indicate a state change should be authenticated and enable authentication
>>>    on those frames only."
>>>
>>> I don't think that nodes "decide" anything but are configured to do
>>> something.
>>>
>>>
>>>    - "If the two ends have not previously negotiated which frames they
>>>    will transmit or receive with authentication enabled ..."
>>>
>>> I couldn't find the negotiation procedure being described in the
>>> document. Is it out-of-band, i.e. by control or management plane, not part
>>> of this BFD enhancement?
>>>
>>>
>>>    - "The configuration of the periodic authentication interval for BFD
>>>    CC UP frames is an open issue."
>>>
>>> I believe that this open issue must be resolved in the definitive manner
>>> before the draft moved to WGLC.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Greg
>>>
>>>
>>>
>>>
>>>
>>> On Sun, Apr 1, 2018 at 6:11 PM, Ashesh Mishra <mishra.ashesh@outlook.com>
>>> wrote:
>>>
>>> Hi Greg,
>>>
>>> Your questions in the IETF-98 meeting seemed to stem from the challenges
>>> of authentication in fast BFD sessions at high scale.
>>>
>>> I'll address the issue in two parts -
>>>
>>> "Is there a need for authenticated BFD sessions?" - I believe we can all
>>> agree that there is a clear market need for BFD authentication. So we
>>> should direct the conversation to the way in which we can address this
>>> requirement.
>>>
>>> "How can authentication work at scale?" - BFD authentication puts
>>> significant stress on the system and a non-meticulous method alleviates
>>> this computation pressure. That's the premise of this draft as it presents
>>> a way to relieve the BFD authentication requirement based on the capability
>>> of the system to handle the additional stress which maintaining the
>>> session scale.
>>>
>>> There are some BFD systems in the market, which are not conducive to
>>> authentication (even the optimized method), where the impediment to
>>> authentication is due to the implementation details specific to that vendor
>>> or system.
>>>
>>> I believe all these issues were address during the meeting. Are there
>>> any specific questions that I missed or any recommendations for the method
>>> in which the requirements can be addressed?
>>>
>>> Thanks,
>>> Ashesh
>>> ------------------------------
>>>
>>> *From:* Rtg-bfd <rtg-bfd-bounces@ietf.org> on behalf of Greg Mirsky <
>>> gregimirsky@gmail.com>
>>> *Sent:* Thursday, March 29, 2018 4:09:32 AM
>>> *To:* Jeffrey Haas
>>> *Cc:* rtg-bfd@ietf.org
>>> *Subject:* Re: WGLC BFD Authentication Drafts
>>>
>>>
>>>
>>> Dear WG Chairs, et. al,
>>>
>>> I cannot support WG LC for draft-ietf-bfd-optimizing-authentication as
>>> my comments at BFD WG meeting dating back to IETF-98
>>> <https://datatracker.ietf.org/meeting/98/materials/minutes-98-bfd-00> still
>>> not have been addressed nor even there was an attempt to address. As I've
>>> asked to clarify impact of the proposed mechanism, particularly periodic
>>> authentication, on the BFD State Machine, I'd point that the proposed
>>> mechanism directly affects BFD security as discussed in RFC 5880 and the
>>> section Security Considerations in the document, in my view, does not
>>> adequately reflects that and doesn't explain how the security of the BFD
>>> session maintained when the periodic authentication is in use.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Greg
>>>
>>>
>>>
>>> On Wed, Mar 28, 2018 at 7:38 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>>>
>>> Working Group,
>>>
>>> The authors of the following Working Group drafts have requested
>>> Working Group Last Call on the following documents:
>>>
>>> https://tools.ietf.org/html/draft-ietf-bfd-secure-sequence-numbers-01
>>> https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-04
>>> https://tools.ietf.org/html/draft-ietf-bfd-stability-01
>>>
>>> Given the overlap of functionality, WGLC will conclude for the bundle
>>> simultaneously.
>>>
>>> Authors, please positively acknowledge whether or not you know about any
>>> IPR
>>> for your documents.  Progression of the document will not be done without
>>> that statement.
>>>
>>> Last call will complete on April 20.
>>>
>>> -- Jeff
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> Mahesh Jethanandani
>> mjethanandani@gmail.com
>>
>>
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
>

v2.23.0 | Report a Bug | By Email