Re: I-D Action: draft-ietf-bfd-optimizing-authentication-14.txt
Jeffrey Haas <jhaas@pfrc.org> Tue, 06 February 2024 13:41 UTC
Return-Path: <jhaas@pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32FDAC14F602; Tue, 6 Feb 2024 05:41:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cIUoRsawzug1; Tue, 6 Feb 2024 05:41:01 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 00C83C14F5E5; Tue, 6 Feb 2024 05:41:00 -0800 (PST)
Received: from smtpclient.apple (172-125-100-52.lightspeed.livnmi.sbcglobal.net [172.125.100.52]) by slice.pfrc.org (Postfix) with ESMTPSA id 28FE81E039; Tue, 6 Feb 2024 08:41:00 -0500 (EST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_4D1BEAB6-A00B-4AB9-9DDF-A1106FC35A87"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
Subject: Re: I-D Action: draft-ietf-bfd-optimizing-authentication-14.txt
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <1703157988.3118868.1707167897162@mail.yahoo.com>
Date: Tue, 06 Feb 2024 08:40:59 -0500
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-optimizing-authentication@ietf.org" <draft-ietf-bfd-optimizing-authentication@ietf.org>
Message-Id: <307EE080-C45B-43F0-8A25-CF6968AD95B6@pfrc.org>
References: <170715329090.58811.17747021549116181763@ietfa.amsl.com> <1703157988.3118868.1707167897162@mail.yahoo.com>
To: Reshad Rahman <reshad@yahoo.com>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/8s5Xvm0iHXVywoshq9ac2v-1E7k>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 13:41:05 -0000
Reshad, > On Feb 5, 2024, at 4:18 PM, Reshad Rahman <reshad=40yahoo.com@dmarc.ietf.org> wrote: > > Hi, > > I've provided some comments to the authors privately, sharing them here to restart/continue the discussion on the WG alias. > > My main technical concern is in the changes to BFD auth mode: when transitioning to No auth for up packets, we don't know if the other end supports procedure changes from this document. So the other end could just drop the unauthenticated UP packets and the session will go down, eventually go back up, in a loop. The counter-argument which has been made is that this issue isn't new e.g. if one end is misconfigured for BFD auth, the session will not come up, so this boils down to being a typical config issue. I do agree partially, but I think the changes in this document can make things worse than usual in that the session will come up, go down very quickly and keep on ding that. We don't have any room left in the BFD header to indicate the desired behaviour. The only thing I could think of is to use Poll sequence with A=0 (on top of the expected A=1 packets), and transition to only A=0 if the Poll sequence succeeds (and the Poll sequence has to be for N packets where N is equal to "remote multiplier"). Jeff has pointed out that Xiao Min has suggested a similar solution in https://datatracker.ietf.org/doc/html/draft-xiao-bfd-padding-alteration-00 <https://datatracker.ietf.org/doc/html/draft-xiao-bfd-padding-alteration-00>. Related notes from those conversations for the mailing list: - A poll mechanism to test for a new behavior where the possibility exists for the poll packets to be lost means you have to be mindful of Detect Mult (permitted number of lost packets) and timers. For example, a one packet poll is enough to probe if the packet isn't lost in either direction. In case of loss, you don't want to do the poll for Detect Mult packets because if the drop is the result, the session goes down. Mitigations may include temporarily changing the Detect Mult. - One mitigation for the repeatedly bouncing sessions is to have the BFD session keep state. If the implementation switches to optimized mode and the session drops, don't permit the session to automatically restart if it does this after more than X tries. Require the operator to clear the state? > > In terms of editorial comment, I am now questioning the term NULL auth since we also use the term No auth. Suggestions: Meticulous sequence number, sequence number or something along those lines. > > YANG comments/questions/suggestions: > > identity no-auth { > base key-chain:crypto-algorithm; > <RR> It is a bit odd to have a crypto algorithm which says none. I wonder if a boolean would have been better to indicate no-auth. We're looking for consistency in configuration. If optimized procedures require another mechanism to be chosen for the optimized Up side of things, and that's done via the keychain, you need a valid keychain entry. Further, properties such as "when is this valid" and other keychain properties are still valid. > > identity null { > base key-chain:crypto-algorithm; > <RR> null-auth to be consistent with no-auth (assuming we keep NULL auth)? If we don't change the name, sure. > > leaf reauth-interval { > when "../optimized-auth = 'true'"; > type uint32; > units "microseconds"; > <RR> I think it's overkill to have this in microsecs. Other intervals use micro secs because we exchange timer values in micro secs. This value is not exchanged so we don't need microsecs. Or are you doing this for consistency? This is a headache elsewhere in YANG modules. While the units clause lets us be clear that leaf A and leaf B aren't directly comparable if they don't share the units, it still trips people up. That said, it's also not forbidden. re-auth on the interval of seconds seems reasonable to me. And, as I mentioned in a prior thread, the 60 second value that's been chosen is rather arbitrary. > <RR> Mention that value of 0 means that we don't do periodic reauth with strong authentication. We could probably do that, especially in support of ISAAC procedures. > > leaf up-auth-type { > <RR> Since this points to a key-chain, rename to something like opt-auth-key-chain? Also reasonable. The move to the "opt" name token in the draft is largely over the most recent discussion. > type key-chain:key-chain-ref; > must "(../optimized-auth = 'true') and " + > "(../bfd-ip-sh:meticulous = 'true')"; > <RR> Why the check for meticulous? Is the reasoning that for non-meticulous opt-auth isn't needed or is it something else? The optimized procedures require meticulous authentication. The NULL and ISAAC methods use this mode to prevent PITM. If you don't regularly increment the numbers, you're defining the interval in which the "attack" (silly as it is to some people) can happen. > description > "The authentication type that should be used once the > connection transitions to Up state. In case > <RR> Why in case? Isn't this only for optimized auth? What wording would you prefer for "select this type for this mode"? > of optimized auth, the choices are Reserved (or no > authentication), NULL Auth, or Meticulous Keyed ISAAC."; > } > description > "Augment the 'bfd' container to add attributes related to BFD > <RR> The 'authentication' container? Same below > optimized authentication."; > } > > Regards, > Reshad. > > > > On Monday, February 5, 2024, 12:14:55 PM EST, internet-drafts@ietf.org <internet-drafts@ietf.org> wrote: > > > Internet-Draft draft-ietf-bfd-optimizing-authentication-14.txt is now > available. It is a work item of the Bidirectional Forwarding Detection (BFD) > WG of the IETF. > > Title: Optimizing BFD Authentication > Authors: Mahesh Jethanandani > Ashesh Mishra > Ankur Saxena > Manav Bhatia > Name: draft-ietf-bfd-optimizing-authentication-14.txt > Pages: 26 > Dates: 2024-02-05 > > Abstract: > > This document describes an optimization to BFD Authentication as > described in Section 6.7 of BFD RFC 5880. This document updates RFC > 5880. > > The IETF datatracker status page for this Internet-Draft is: > https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/ <https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/> > > There is also an HTMLized version available at: > https://datatracker.ietf.org/doc/html/draft-ietf-bfd-optimizing-authentication-14 <https://datatracker.ietf.org/doc/html/draft-ietf-bfd-optimizing-authentication-14> > > A diff from the previous version is available at: > https://author-tools.ietf.org/iddiff?url2=draft-ietf-bfd-optimizing-authentication-14 <https://author-tools.ietf.org/iddiff?url2=draft-ietf-bfd-optimizing-authentication-14> > > Internet-Drafts are also available by rsync at: > rsync.ietf.org::internet-drafts > >
- I-D Action: draft-ietf-bfd-optimizing-authenticat… internet-drafts
- Re: I-D Action: draft-ietf-bfd-optimizing-authent… Reshad Rahman
- Re: I-D Action: draft-ietf-bfd-optimizing-authent… Jeffrey Haas
- Re: I-D Action: draft-ietf-bfd-optimizing-authent… Reshad Rahman