Re: WGLC BFD Authentication Drafts

Ashesh Mishra <> Sun, 01 April 2018 15:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C8F69124C27 for <>; Sun, 1 Apr 2018 08:11:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hH5TazpTQcth for <>; Sun, 1 Apr 2018 08:11:23 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 48E811200B9 for <>; Sun, 1 Apr 2018 08:11:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=DsCaFzbAwyyTi7LbXn/RwIeN8XbESZTJHWE7nA6g2UM=; b=KOmK1D43afjU6X7gBPkq0Z7Jjy1Vg6gIcacOhA5LC+48Zc8TzmuswqJ9ikPOcxzyyiKvHdFj75GKMeA/5d+CN/27NIlcTHSZmiN0Is4PhaoiHleJZoMqFx9Ul3S/2qpZzC8ComVg1axmqjuWucZ6ghel/3xDEdTOo2zhZS6uS5iyfPtiVU3XluA8PR9bTvzmFAUFz7aNi8VhlDudNedRQMlbPn7TWB4t3SK6s2UABbAZrKAItBIJnUuxLgT2SHtVJSElG2wNtLfi33ZJ4OurH1Ez4VrHcDBGfn+K7rrImt5R6+NNMA10h8bl0xXBM5hXGnR3GWlCzpZb4z2TGWk3Ig==
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.631.7; Sun, 1 Apr 2018 15:11:21 +0000
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.631.7 via Frontend Transport; Sun, 1 Apr 2018 15:11:21 +0000
Received: from ([fe80::a5f3:348:c9a1:1754]) by ([fe80::a5f3:348:c9a1:1754%3]) with mapi id 15.20.0631.013; Sun, 1 Apr 2018 15:11:21 +0000
From: Ashesh Mishra <>
To: Greg Mirsky <>, Jeffrey Haas <>
CC: "" <>
Subject: Re: WGLC BFD Authentication Drafts
Thread-Topic: WGLC BFD Authentication Drafts
Thread-Index: AQHTxrM8j4pe2ek2RUW1GIkZ+QU4DqPnD20AgAT20DI=
Date: Sun, 01 Apr 2018 15:11:21 +0000
Message-ID: <>
References: <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-incomingtopheadermarker: OriginalChecksum:ECA0F19FD515576C923BA3EE2471C77FA31B7F4A85CDB0A0F3498D52958926F9; UpperCasedChecksum:A3E5E89678C09E2B9D4E813F00CEB3EA81EBE46D56CCC1891D6A0FA012BF9D32; SizeAsReceived:7133; Count:47
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [ql2vzvtok0Szx8SKuZ3AsU2zdc7ER5i9]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2NAM01HT027; 7:cyuXrmnwY0fs01ZKSLJCu4ShOaNkBy7NvRUOvdwypdfsRNvyFsawwNXOquCHmTp6tQ6CQdUk79k4+0083/1F0rUki96mWZUQKOIUvI3lbs7Ym+2GXo1cOObuve4caze31GzwaUgkwjXt9l3myP7MTN/l/2GxIH10d5q4Ja3E9JLrg+1ioIporD95cRScKxLybGxa8V7qsufTXgvJA2OO5/LC4gor2Xu/UBR38DiQcgnhXc7f9kxV42K2S4neexTY
x-incomingheadercount: 47
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1601125374)(1603101448)(1701031045); SRVR:BY2NAM01HT027;
x-ms-traffictypediagnostic: BY2NAM01HT027:
x-ms-office365-filtering-correlation-id: 1010dd5f-0121-4c03-5fdd-08d597e2d39a
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:BY2NAM01HT027; BCL:0; PCL:0; RULEID:; SRVR:BY2NAM01HT027;
x-forefront-prvs: 06290ECA9D
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:BY2NAM01HT027;; FPR:; SPF:None; LANG:;
x-microsoft-antispam-message-info: eyecwTich0GyrvQkpCCydoHQEhZI940NgBY+jChhBMv0PJ3+iYEogpjZgmnfsQbPaYI1Y6FB0z5rs5Ky0oYyEqOJwwt1VarvXZYdOWONgZEZ30LPGTLFCYQfUfvaVEoCQO7f4j+MjilP1TBwI7nqn+c3znlawiOal7A9KmEn//iMIDJUu0jmZ0qNr693kdnX
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BL0PR0102MB33454D88A214B8EFFDD242B5FAA70BL0PR0102MB3345_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 1010dd5f-0121-4c03-5fdd-08d597e2d39a
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2018 15:11:21.0680 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2NAM01HT027
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 01 Apr 2018 15:11:26 -0000

Hi Greg,

Your questions in the IETF-98 meeting seemed to stem from the challenges of authentication in fast BFD sessions at high scale.

I'll address the issue in two parts -

"Is there a need for authenticated BFD sessions?" - I believe we can all agree that there is a clear market need for BFD authentication. So we should direct the conversation to the way in which we can address this requirement.

"How can authentication work at scale?" - BFD authentication puts significant stress on the system and a non-meticulous method alleviates this computation pressure. That's the premise of this draft as it presents a way to relieve the BFD authentication requirement based on the capability of the system to handle the additional stress which maintaining the session scale.

There are some BFD systems in the market, which are not conducive to authentication (even the optimized method), where the impediment to authentication is due to the implementation details specific to that vendor or system.

I believe all these issues were address during the meeting. Are there any specific questions that I missed or any recommendations for the method in which the requirements can be addressed?



From: Rtg-bfd <> on behalf of Greg Mirsky <>
Sent: Thursday, March 29, 2018 4:09:32 AM
To: Jeffrey Haas
Subject: Re: WGLC BFD Authentication Drafts

Dear WG Chairs, et. al,
I cannot support WG LC for draft-ietf-bfd-optimizing-authentication as my comments at BFD WG meeting dating back to IETF-98<> still not have been addressed nor even there was an attempt to address. As I've asked to clarify impact of the proposed mechanism, particularly periodic authentication, on the BFD State Machine, I'd point that the proposed mechanism directly affects BFD security as discussed in RFC 5880 and the section Security Considerations in the document, in my view, does not adequately reflects that and doesn't explain how the security of the BFD session maintained when the periodic authentication is in use.


On Wed, Mar 28, 2018 at 7:38 PM, Jeffrey Haas <<>> wrote:
Working Group,

The authors of the following Working Group drafts have requested
Working Group Last Call on the following documents:

Given the overlap of functionality, WGLC will conclude for the bundle

Authors, please positively acknowledge whether or not you know about any IPR
for your documents.  Progression of the document will not be done without
that statement.

Last call will complete on April 20.

-- Jeff