Re: Shephered writeup for draft-ietf-bfd-secure-sequence-numbers

Reshad Rahman <reshad@yahoo.com> Wed, 24 February 2021 03:29 UTC

Return-Path: <reshad@yahoo.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C7C03A07C8 for <rtg-bfd@ietfa.amsl.com>; Tue, 23 Feb 2021 19:29:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.096
X-Spam-Level:
X-Spam-Status: No, score=-1.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTFGHmEH-Zug for <rtg-bfd@ietfa.amsl.com>; Tue, 23 Feb 2021 19:29:02 -0800 (PST)
Received: from sonic312-22.consmr.mail.bf2.yahoo.com (sonic312-22.consmr.mail.bf2.yahoo.com [74.6.128.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C504D3A0652 for <rtg-bfd@ietf.org>; Tue, 23 Feb 2021 19:29:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1614137340; bh=SjReOxEWEloyWIGD0x3R38KhMyScf+IGOBQ0MEHh7K0=; h=Date:Subject:From:To:CC:References:In-Reply-To:From:Subject:Reply-To; b=e5vDn4eFjtpYH+nTyXB9t2o5bXqFi9GuADRkGiS5i1eqs9dC4AFhRHw3GijqfMarWHKQjicwJS6Mk5CvQ65fw4bGaPg/wz40B+8a9bT+8M/hVKLWpszXz1AP+YXW/Lfqd4aunjHsE+x/g0TzyAd8uFWlVl3Vxfxf/eHtR22cx7dtAw0StNLYK6RYVXZ0vNj1PbcsbB/KhPrag4ihrnzAgTb3IYi8pidOH17sn2Xij1Caa9/tnhNNKPlGFWL9NQ+3PhoO1v//m7gni7TCGLuXx8qyTfcxj+aSC9wYGYh19pJVd+XTztlffghvBeEfO7sEdliNTw9zyjfrzwnhPbhSfw==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1614137340; bh=amndm4w3iO0xOOubNRRwOEdM/mr2UKyB9pBVtE+w/lJ=; h=X-Sonic-MF:Date:Subject:From:To:From:Subject; b=U00VQ2uxvLQvjSzaIUngUw/k9/Hk9cXeI0bVav0fCU/i5NDtbsjwfHI+q/zARikgBTF8J9FcFGm+WO6Lsha4bcFp04my26w+1ZXYhhq92ifCppPi/NKtkX5sJtLXVheHSAzA6Y9bvSWx/q8FG4U8ktryuBXqSdmvZFRsU0NZM4j66rlJMRyZtd2S/ewaK8n2F0/CbFP4pasreFb2s7NkzYHpclrs+btXyGXUnWwpVEpjtm/OuFrK0DiB+v1z7A5WZ0ZTfPrIqx1ONiz6HdfEnf21Vcz/r9oeV8HWnDyHY1/m5WbeMN4v5yjRYhnFiOOQu3ipOgCiAlh9Buz8+HQAKg==
X-YMail-OSG: XRpM.BkVM1ktM2Q3ZVHoH88mkd.1Kk3HMfudpy39Pbi6SEpR5o06NWHrx6cSlU8 8X6GejSMnhsTy30PbTNp5jIOgIoAVcBTlb5behCZw3bo7hDiYCxhAT40aTupTvgbFIhlSN37aj02 76xR.l8K93KekVczqeKXUKBUKkphSn.Oxgfl1azVdSKJJi6bmA7o_WZfhjVcsm6LWMABdOfd90yo C2Wqa_Ap7iCc_fqJZ4UgPNffXJXIyQKqu.hxkCCi8XDyKJGlqs7y.yE2grdoa0zCfwZJxz.aWS9h AWrK3Y_NKGVzByIgGc25xdvOUKGLftDy1oaA2eamXj6fUhVAG.eBMFOlkhlUqmUq3h5x82ZSNMxm pLD.L6IerBRW1wnFmmJ3Blxc.K4jj9ocdIm_.zUHGw3cbJ8gNm9jfVCwdXYbNdRAVbn.V4R7agCi OZyhZ9KfVLYdE9XBvJXQFCX5oy_SVXQKGQ9lan2hMiLTA6T_Z8Gliu8UyUyoZSIxxLW3AyVmyfg6 QMluTCQ7f3plinFoyVFFZG6i16A8QKr0784KMqx.u6OJU8iaR_wwVbN4xspXxjJZ1hw7CjPBppSt .OSrl2dsSZd7ySVRx8SB7N758KdG8tXmWcj.TZBeKem1izjnjv2NrVbAnT6x0hq_98qgjCArf4CJ 3aBdjyTwxhY4fz58sznPnet_u2KDBvk7LPLsSvUwh9qVa6vYvN3iNsujQ3ZcWy9oLt5jN2R9FVTA 7BYWxnRBJn1jZoSpZolyMP_E7dsyq7gzXi6t61NyCy_.SycLfvAlEQDTPV.J9tc3.OwPxDObnwmb L5DA7ctKuIMLE2Zu8EWL0HjMsjY93beYOIDO478R0U7OVAanJ7ynGMjgBJnZUy_S6GHlTZEklnCX euNOUbZHUnUT.RUvqeyFx.M7wWW48SAN4GhQyR6T0B2jGd6RzeAZD1U2Ah6s1e4kzoJcb9Wb5Lrm gQ6qOy9__qVEWOTYnBAs5euYE184GUtswp25uhjhoz2lyuSO12m0V2Y.CkaQzWfduVYa_VXPXHpg 5lIndjpzJOs10LJRnhqS91W54dxE6ObUBk7sqDp8wmUPY2_e21w811k4YlJo6yR23ATypMl2_ZyW lZTai3NdtqxioD_x.BKbDcFm9qq9hLI3YBs_x_YQ0xYyqHebDlqdqd.Bv10GYEeTJe_g82bWdH5n .MCFmigy22qdAj5Lbwp6UwtJCLsO31V9izANa4s0zOSfbsJMLeDLBVqR6pEpGJsmB6qODGGabX_C qXBrhKBWN.w2J6wzOHVbdS7G19BflVoSbR5wDbCZbBXBwV0Lb5InQXa_p6sIwWm5THoawLSaRKst HuLstKBgUq2avchIFceHDEGdjQaxe2mWo.lsJSX2aAyxsw91J.Xt1WybaBf9whg1Ehw27YcKGDtt tZw_0sL195nByStNHtApFHq.P3X11T.skjmq9nKBEKbzsIPyNATty.Zj84nlvqfsSMD3sEtxtOPV O83ovfkrYqovDKUnBvsrKCWi4wccm5eRJsZKOTRQBRJUttqoU_5TNPpMUUuxDwfktDiVIllj4hn4 Un_2yIj3P5MPSr6gYpVyFZ5XRogz.sNn0ciMrRfZ3gBAl_phjLyRywq4xALE0ANYKWtMK1FuN4TS hhHqy7B0JSucMasrABQIBxPYPXJpKmexd5nXh8wBFLdTVz2vVaPRkX9xKO3uGbzpkvSlMflmOS8j zT9GXd_1cTepy20ZcUds6BcDMpYSSyqoIQ0_HGhBRfwxIrWxAfx3913ZbwCT_9GRVEN1ajmqpbYt slHemQJt9xVMB7a932FHLxrABYkvpawAEHQLOTlw8L6Byp_bTnYDAKjDTjTD8DRmV8ylP_l_ecbL x41tDZrQxDWHpSYmMVD0j.pS7LosMhIeGu56YYcWepzFM6HrlONYLkzwz2Czl95Og9z8hEimWdA3 2FDBOppAy4n0VCZUSXIqKx_V_CzNatBoPszcrWSBAwniqeJ4z1C7JErUjVjZehkoRkDwad7GOS5I XtTnSwmCkYvl2xV7KbEI1ph10fGpUummAYUJB1Z1i4KXeVPv54lVJJjVZo66jkrYEN5.Z6PrVx3h XXiE9HJep4zhLE_.H.gCKTnRMHmaIrhBYKx3U0xI8gAABOuovZaOyumWRpbiY8xwXNULSMf3EDfn MWtUhBr7t1wK414zIWl7Rj59djp.RAyyvEm5kkhBz6cg0vSKw6v38A3GESIpRgfR2senXYKmmBgH xn.Q.nf9Dt4OFeLA6DSYLhtEtOoz9zQ5oR6vFId6L1GoWh3KZhVv3pEyZPGNtYl7KyFGX5xpuz1m 1lXuE13VPbIzGYdjsmWY2fgQp9Nq.pKPbz5ZIfupnH8GCCfB8i1EK6RGol2YfeF8vJqN.VMKwA6W Brh01mcLEZ8p7IVzn_h_Mb71r4Zxx6W.4ugNXC1gXI2EizznyCnYgq_RWVkc8ehyES3z2uZkk9LK dW9XTcgO4n_hRbJ7irWIOE4QaLjr8peXUaElemAMuzGywMmbKXjWYfUk.k7j44MAQmU1l_iqfZLs RLUQeLnRW1bvhjJI4wXaCGLB0ZSXAbY94NRQOkwD2fKItaJQkHoVcUk7Og6oLZb6o9YkAebvXbqD ElBMoJEnRdtletOeSm6FznaJiYc6eRX70dq6y6V7CN7tMeOfzIDJNsfUkG.YdhQqdkf9oDJBMnHl 2R90buHLqz2ojV4h756MwtNR3rhYzXLEK2HmoJ8LDkyW9LofNrhvTrLUjFzSCi6buGa0FzoX4Dnr ps2YrgYE-
X-Sonic-MF: <reshad@yahoo.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.bf2.yahoo.com with HTTP; Wed, 24 Feb 2021 03:29:00 +0000
Received: by smtp404.mail.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 54a603a7e29b38b3b414db03cfb1ea5f; Wed, 24 Feb 2021 03:28:54 +0000 (UTC)
User-Agent: Microsoft-MacOutlook/16.44.20121301
Date: Tue, 23 Feb 2021 22:28:52 -0500
Subject: Re: Shephered writeup for draft-ietf-bfd-secure-sequence-numbers
From: Reshad Rahman <reshad@yahoo.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>, Jeffrey Haas <jhaas@pfrc.org>
CC: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-secure-sequence-numbers@ietf.org" <draft-ietf-bfd-secure-sequence-numbers@ietf.org>
Message-ID: <B7C0F597-6FFC-47C0-A0E6-F3F4BC62C7E3@yahoo.com>
Thread-Topic: Shephered writeup for draft-ietf-bfd-secure-sequence-numbers
References: <1995CE5F-4996-4C2B-9BFE-B3DC56511CC0@gmail.com>
In-Reply-To: <1995CE5F-4996-4C2B-9BFE-B3DC56511CC0@gmail.com>
Mime-version: 1.0
Content-type: multipart/mixed; boundary="B_3696964134_1269764325"
X-Mailer: WebService/1.1.17712 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo Apache-HttpAsyncClient/4.1.4 (Java/11.0.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/DEoJENGiPHC_lpHl5vDaZcOW9pU>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 03:29:04 -0000

Hi Mahesh,

 

Thanks for the response. 

 

Would it be possible to have an updated document when the gates reopen?  Please see inline.

 

From: Rtg-bfd <rtg-bfd-bounces@ietf.org> on behalf of Mahesh Jethanandani <mjethanandani@gmail.com>
Date: Tuesday, February 23, 2021 at 3:03 PM
To: Reshad Rahman <reshad@yahoo.com>om>, Jeffrey Haas <jhaas@pfrc.org>
Cc: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>rg>, "draft-ietf-bfd-secure-sequence-numbers@ietf.org" <draft-ietf-bfd-secure-sequence-numbers@ietf.org>
Subject: Re: Shephered writeup for draft-ietf-bfd-secure-sequence-numbers

 

Hi Reshad,

 

I never really received this e-mail, till Sonal forwarded it to me. 

<RR> You have to remove my name from the spam sender list 😊

 

Anyway, here are our responses to the comments you have provided. Please see inline with [mj].

 

Hi Sonal, authors,

 

Thanks for the document update. Main comments:

 
Hash has been replaced by symmetric algorithm, to be able to retrieve the sequence number at the receiving side, this is good. 
Section 3 mentions that the symmetric key is provisioned securely on sender and receiver, but there is no mention of provisioning of the algorithm/function. Also there is no mention of what algorithms to use, is this on purpose since what’s good today will not be recommended tomorrow? Should we at least say “do not use DES” or too obvious?
[mj] I believe this is a question for the WG, and maybe something we can bring up in the upcoming meeting, if it is not answered on the mailing list. Would the WG prefer that a (set of) algorithms MUST be defined to ensure interoperability, or is this something we should leave up to implementors/operators to agree? We are concerned what we define today might be obsoleted tomorrow.

<RR> it would be good to have an update on this document at the upcoming meeting. Having a MUST set of algorithms has the drawback you mentioned. Letting implementors/operators agree is fine but I think we still need a suggested list (as of 2021) for interop. And I believe we need some text in the document wrt provisioning the algorithm.

 
Was there any discussions/thoughts on using asymmetric encryption instead (I didn’t follow this document when it started)? It avoids the pain of having a shared secret. I’m not saying we should go with asymmetric, just wondering.
[mj] We chose symmetric because that is what 5880 talks about.

<RR> Good with me. I’ll defer to security experts.



 
For the key, the terms “symmetric key”, “shared secret key” and “shared key” are used, settle on one for clarity (I believe it should be “shared key” or “shared secret”?)
[mj] Ok. How about “shared secret key”?

<RR> Good.



 
For the algorithm, the terms “symmetric key algorithm”, “symmetric algorithm” , “symmetric encryption algorithm”, “symmetric decryption algorithm” are used. Again, pick 1 “symmetric algorithm”?).
[mj] Ok. We will pick “symmetric algorithm”.

<RR> Good.

 
The term “hash” is still used e.g. in section 4 header
[mj] That is deliberate. We use “hash” when we refer to the value that is calculated over the entire packet and appended as a value at the end of the packet. That is different from ciphertext, which is the value after applying the symmetric algorithm on the sequence number and inserted in-lieu of the sequence number before the hash is calculated.

<RR> Section 4 header still uses the term “hash” but the text in that section has been changed to “cyphertext”, I believe this is an oversight.

 
Security is not my expertise. Should we get a security review asap, as opposed to waiting for IESG review. Jeff/Martin?
[mj] It would not be a bad idea, although we do have a security expert as a co-author on the draft :-)

<RR> It would seem you’re covered then. 



 
Diagram chains are clearer now.
Sequence number validity as described at the bottom of page 3 and on P4 (at the end of section 3). RFC5880 sections 6.7.3 and 6.7.4 describe that received sequence number should be between bfd.RcvAuthSeq(+1) to bfd.RcvAuthSeq+(3*Detect Mult) inclusive. I don’t see why this has to be changed for secure sequence numbers.
[mj] We will just refer to 5880.

<RR> Good.



 
Jeff’s comment regarding “The first sequence number can be obtained…” in section 3. I believe the text is incorrect. RFC5880 sections 6.7.3 and 6.7.4 explain how the first sequence number is obtained (using bfd.AuthSeqKnown and bfd.RcvAuthSeq).
[mj] Ditto.

<RR> Good.

 

Regards,

Reshad.

 
 

Nits:

 

Section 4: s/”while encryption/decryption”/”while doing encryption/decryption”/

[mj] Ok.

What does “non linear” mean in “monotonically increasing (but non linear) sequence number”?
[mj] A monotonically increasing number is just that, an increasing number, but it does not have to be linear. See the diagram below. That is why the mention of non-linear.

 




Section 7: s/Jeff Hass/Jeff Haas/

[mj] Will fix :-). Thanks


 

Regards,

Reshad.

Mahesh Jethanandani

mjethanandani@gmail.com