IETF Logo Mail Archive

Re: I-D Action: draft-ietf-bfd-optimizing-authentication-14.txt

Reshad Rahman <reshad@yahoo.com> Mon, 05 February 2024 21:18 UTC

Return-Path: <reshad@yahoo.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22CB6C14F6A5 for <rtg-bfd@ietfa.amsl.com>; Mon, 5 Feb 2024 13:18:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pwAUeqP6AXHb for <rtg-bfd@ietfa.amsl.com>; Mon, 5 Feb 2024 13:18:23 -0800 (PST)
Received: from sonic306-3.consmr.mail.bf2.yahoo.com (sonic306-3.consmr.mail.bf2.yahoo.com [74.6.132.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 161A7C14F69E for <rtg-bfd@ietf.org>; Mon, 5 Feb 2024 13:18:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1707167902; bh=WQN4cYPmk+bmT5bEtOzcLppA+N6DTBdQxpuYpISIPHI=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject:Reply-To; b=pQTI8x9CLj4M0SDy5aPNRmWYBZKk9yThFtVpM5Gt7Qe6xuZlnjSTqqaNebXaLly7h5HI14aEMC47zrf/Ub9K0ZICfme4/qG8nebHueylAqRbmZZhOvOG+PWY+rGbX24qMPIjotxlV0x+wE/nXCuHIqjRhtdghlXzbhH/f94J0HdpgHI73nVqfDYrlJ5/zT09QrYdhIr+yZPHb7FkVxgOlLIvPGyos7HtG/iPR4YZORdkcUKxGw0//CKmOx7CJSU8o8l0qdr4fFzFmaDIeABCBvNvhXV8jR6FTTBSRmo15CRf6X8zCSVkGWQ/6Cwn+BdifVdVNnaLoie8eWXp/33W6g==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1707167902; bh=GyG40mWD3Sk0CqH6t0Vt7kAFvCKEVpw0dAsDGmrqOYQ=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=UnI3fQOWN6JzWCct3LL/ft4ewsXlj27bUmHv6dH4iv4KQS9vnD9lJBseqMhtRxbOzrBW2nKtbl7BtYsjRpXgXrwFoLxxskVmXk1kX4HMo9zy7D6NtvxUr5CwofGeX0Prv6URzqxdkO+x3PqmHw28zSTiE9zWbRTp2IiYddWXt9vsqwVLyE976RB75paGKN7szKjjP6GIisAhu+1oKxWI7/3PtRsEhkz2P8HSeylucMfZ8oT4xpri5jQnSdDEy8y7bAGiZHW2JaaV+fUUhlRgBckyDZxRcy5z6YNlBK8yV8jOM1xxcX++cjyQeMZZP6cL1MlJkByD1v8JyIs+4UcBeg==
X-YMail-OSG: VezOexsVM1n_sfD4WvJjNCK965DeKTMvR4wMd_shNDnFu5gDlpn05xO28t1BRNs PyS3SM2n7Q48YfBy8VVqNiynEd8SbPrEb8c29KtmWbEbLqnNsJERRWwxaOo6ZPyIM2tBxYNl64xO Am4etyxm.LHoFCNKJfebfzQzYBYrM9oho.oc0orLddgxQnsaip2nMcSerpAkmnTOs3dRZJvywK2Q 9tdLrb_A4Bo41OvcgAVT4DhOqz1.whNIqoLIvQPi5ox6U1dl.wLbAC8v6K10nbePFDkuUZOKU_NK 7UJ8MNZM4isQfo1MUAyrvQKRpqNTIi3ZIH57x877qOS4q0QXij9.EEC6rnseCNA6MG4k0c3k73qZ FX7BHTxKPmkvLpPU9Vs4nU06zZEcT4R_JKf3bs0yiXwZr20NY0l4jtw1oUOLvnrOC94c09BPRiWM 1gI_j.QyYiBX05cGvdABN99kN1L7HAYZCt3sZAoAY9yuC92cvrd9Eq6qEf7xeT7mAO0Af8.m4k_w jc3gfvjq1y0GUDcNxeQyX685Nc9RjXJ3h48yHL3C5fa4_IvcRS83edVHfsr6_ML1uP20dmrHiPKf 5SCjF.OJgmWtBKlq84zDa0JJPVTIS4t6L_P5InGeVOLecHxIS_n4ltce87bHb9mx0sAsstpFOzdk uaI0_b7cA86PEGn83GrTXoGB3Vunej1Thnf11p3JM9tFXYZSDQTl7w7oO30ycifOSrY4dY.bL8i7 sz0KDIDujU35ONKRO1MZ1t8XiFn9Pg48kt_SBmwdkfGcfTAvZkiAfwUHCOvwn0g3pjFlPEY59mbs aW4la_9cBPcMolcIZgOdCWyvEpMi5rDEvCEAgPVl2MdxMVD_TH2J8keznx7aPEKt4b.orVh2PLtv zQPc8PsOTvNrwoZ.r8eoj.MgXVlueRL8ZgiORIEIpbNi_NjGNRTqlf68tY.NHDShiVZQM8I2mUEK .nZapk94hNgzYCeP_g2HXh9ma57i1W9gnV3.OSucL5MqHCTV0ucnDUILsNDGoW2T4L1p5RqyUxGW Sv38nJzDsmDgfziKKK2aDrW2OwqNkUjzLfZxDThtauVcHt7RP3lxVZEYPAdKflchQQQW8NuVkMLg l6jxwdOmqjki1NaKk0eV012bUn5KH.0jURlCpktIUqMAmJn9xlP7PgbpAUIKy1T0WKr8T4MzjXTR F1FC.lD3Q4VsU8bJXpCofG6uHzMp9ym3c3iVoz09BHJtKSfvtR8gzd_OlBq3fdaLxlKYSksDZJX7 91aBWDC1sTm4LH_9hdtWIU3Eqcp8IG1qws.k9k8SkXb31ocAf.VmBY0BsDDyN6pixxn1w4BapwkW fGqN0bXkBBaiPJ9r1PEHFotGuQ.D.4Y1qGaBetbqL3rqh4uVWkUEfxl.Abqo2dgPdt.M4bBvC.fC FX4I8_RVLR3o0jxePYKSqfvzozsZvC1YppckRl67L2oqDAO55GMwdL3vUr_drZwavUxHENXp7E2F xLcVt3CB2VP5cst4FhrBKhekF_cPqd6VmhhbmqKGk8w41gxIXSCRmsZ1zI6leKfF9YE9nhxsyxO6 _MxaivjkWW9pnhQhFoE09wDo01HO7H3eCaFAaF49sfMXwWs.Vv.vpCI5x0afL9U14KLTV4.Eb0TH 7AwJx0IT3X29lLPSRmrDz.2Apju2pVzaFrv.QTkXohO2hPMH5tt15xQnxn9A9rFrZQigfYRv6gBe Wb2ZUlkpzHhrmuKCfKIFuRf7J9v9rXc0XDa1ObQzUY8OQIiIBBg37Eseii55UNpmWYWIwAlWaphs zkXLH_tQ12gOFcbEbigzj0yCuDi0C95w9CnKMwgLviXgOw_R3xAbj8YYckmdNLp22lMO2eK06pnx _dbuZ1Jyy426RntjyhxZNunjr9ROIjgpkoxfwbF_QKCwijioFx2mt45nIvShh4QkJeGpFKXDPw3b UafZfSSq5jGNXyRjqKEh_ko9Vq_iKaI0P6wAZYsrC.9mV3tf561fm9AY_2.uzwpu8Hs9nOeacwx1 gohAYfRMvMgejASdpG_Ie1GglP8ndmo7xTw9borklfbhg6cZAPYUf562e9VoEMJW1LvAyFKVpb2b kG4BpEEYzZwGn9J6E_NdNQVVmp8ax2pk9HlwVts8F6DvVM3m2M6Y497QamGApPB.KIZNg34vji.U ZJhsPyzTwIXIzJa_3_DxjZceYDgTdw22x4OOiI7YSbDZYnqsKQmqz7sTGydR2PqvEeJO9._clEgM 9XioG5m78QWE4bQm19TUquXRpDE31qf4xqwp7Q3oMCvUk4MTOjjqvwUTwCNqoWs99KZcPW_cZqTF 4Z.dJxIWzFmisyoHj0piiLjIFWMtvR5M-
X-Sonic-MF: <reshad@yahoo.com>
X-Sonic-ID: 9742cc77-176e-4c26-9128-ca964edc85c6
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Mon, 5 Feb 2024 21:18:22 +0000
Date: Mon, 05 Feb 2024 21:18:17 +0000
From: Reshad Rahman <reshad@yahoo.com>
Reply-To: Reshad Rahman <reshad@yahoo.com>
To: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-optimizing-authentication@ietf.org" <draft-ietf-bfd-optimizing-authentication@ietf.org>
Message-ID: <1703157988.3118868.1707167897162@mail.yahoo.com>
In-Reply-To: <170715329090.58811.17747021549116181763@ietfa.amsl.com>
References: <170715329090.58811.17747021549116181763@ietfa.amsl.com>
Subject: Re: I-D Action: draft-ietf-bfd-optimizing-authentication-14.txt
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_3118867_1418176859.1707167897159"
X-Mailer: WebService/1.1.22046 YMailNorrin
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/B5NEaSlEBWHM2VtqAwZ-HJF2TmY>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2024 21:18:27 -0000

 Hi,
I've provided some comments to the authors privately, sharing them here to restart/continue the discussion on the WG alias.
My main technical concern is in the changes to BFD auth mode: when transitioning to No auth for up packets, we don't know if the other end supports procedure changes from this document. So the other end could just drop the unauthenticated UP packets and the session will go down, eventually go back up, in a loop. The counter-argument which has been made is that this issue isn't new e.g. if one end is misconfigured for BFD auth, the session will not come up, so this boils down to being a typical config issue. I do agree partially, but I think the changes in this document can make things worse than usual in that the session will come up, go down very quickly and keep on ding that. We don't have any room left in the BFD header to indicate the desired behaviour. The only thing I could think of is to use Poll sequence with A=0 (on top of the expected A=1 packets), and transition to only A=0 if the Poll sequence succeeds (and the Poll sequence has to be for N packets where N is equal to "remote multiplier"). Jeff has pointed out that Xiao Min has suggested a similar solution in https://datatracker.ietf.org/doc/html/draft-xiao-bfd-padding-alteration-00.
In terms of editorial comment, I am now questioning the term NULL auth since we also use the term No auth. Suggestions: Meticulous sequence number, sequence number or something along those lines.
YANG comments/questions/suggestions:
     identity no-auth {
       base key-chain:crypto-algorithm;<RR> It is a bit odd to have a crypto algorithm which says none. I wonder if a boolean would have been better to indicate no-auth.
     identity null {
       base key-chain:crypto-algorithm;<RR> null-auth to be consistent with no-auth (assuming we keep NULL auth)?
       leaf reauth-interval {         when "../optimized-auth = 'true'";         type uint32;         units "microseconds";<RR> I think it's overkill to have this in microsecs. Other intervals use micro secs because we exchange timer values in micro secs. This value is not exchanged so we don't need microsecs. Or are you doing this for consistency?<RR> Mention that value of 0 means that we don't do periodic reauth with strong authentication.
       leaf up-auth-type {<RR> Since this points to a key-chain, rename to something like opt-auth-key-chain?         type key-chain:key-chain-ref;         must "(../optimized-auth = 'true') and " +              "(../bfd-ip-sh:meticulous = 'true')";<RR> Why the check for meticulous? Is the reasoning that for non-meticulous opt-auth isn't needed or is it something else?         description           "The authentication type that should be used once the            connection transitions to Up state. In case <RR> Why in case? Isn't this only for optimized auth?            of optimized auth, the choices are Reserved (or no             authentication), NULL Auth, or Meticulous Keyed ISAAC.";       }       description         "Augment the 'bfd' container to add attributes related to BFD <RR> The 'authentication' container? Same below          optimized authentication.";     }
Regards,Reshad.


    On Monday, February 5, 2024, 12:14:55 PM EST, internet-drafts@ietf.org <internet-drafts@ietf.org> wrote:  
 
 Internet-Draft draft-ietf-bfd-optimizing-authentication-14.txt is now
available. It is a work item of the Bidirectional Forwarding Detection (BFD)
WG of the IETF.

  Title:  Optimizing BFD Authentication
  Authors: Mahesh Jethanandani
            Ashesh Mishra
            Ankur Saxena
            Manav Bhatia
  Name:    draft-ietf-bfd-optimizing-authentication-14.txt
  Pages:  26
  Dates:  2024-02-05

Abstract:

  This document describes an optimization to BFD Authentication as
  described in Section 6.7 of BFD RFC 5880.  This document updates RFC
  5880.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-bfd-optimizing-authentication-14

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-bfd-optimizing-authentication-14

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

v2.23.0 | Report a Bug | By Email