Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt

Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 17 August 2021 00:50 UTC

Hi Jeff,

Ping!

> On Jul 26, 2021, at 4:25 PM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
> 
> Hi Jeff,
> 
> 
>> On Jul 26, 2021, at 7:48 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>> 
>> What's being requested is that our specifications have some specificity and
>> a proposal be made for a suitable mechanism and how it integrates into BFD.
>> :-)
> 
> Here is the set of changes that I propose we make to the draft to bring the specificity that you are requesting. For the introductory part of the document there is no reference to the method being applied to come up with a sequence number. It just states that the sequence number inserted is not the monotonically increasing sequence number. As such no changes are needed there.
> 
> The change therefore starts in Section 3 - Theory of operation. There are two changes that I see. One has to do with carrying of a nonce in the first packet, and the other has to do with existing text in the section.
> 
> For the carrying of a nonce in the first packet, Alan has already suggested adding the authentication section in the first packet. We will add text to that effect.
> 
> As far as the existing text in the section is concerned, we will replace references to “symmetric key algorithm” and “symmetric algorithm” with “hash”. As a result, the sender will include a ciphertext that is a 32-bit hash computed using one of the algorithms Alan has suggested using a shared key (that is not necessarily symmetric) and inserted in lieu of the sequence number of the packet. Yes, this draft is about obfuscation of the sequence number field of the packet, not the entire packet. On reception of the BFD Control packet, the receiver, instead of decrypting the ciphertext inserted in place of the sequence number, will compare the ciphertext to a pre-computed set of hashes using the same shared key, on the next k expected sequence numbers that are within the BFD Detect Multiplier range. If there is a match, the receiver will replace the ciphertext in the packet with the expected sequence number and pass the frame for further processing. In the case there is no match, it will drop the packet.
> 
> There are some similar updates to the Security Considerations section to replace “symmetric algorithm” with “hash”.
> 
> Is this set of changes enough to bring the specificity that you are looking for?
> 
> Thanks.

Mahesh Jethanandani
mjethanandani@gmail.com
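
The receive-side check described in the quoted proposal (match the 32-bit value against hashes of the next k expected sequence numbers, recover the number on a match, drop otherwise), as an added example that is not part of the original message or of the draft. The thread does not name the hash algorithms here, so HMAC-SHA256 truncated to 32 bits, the sample key, k = 3 and the names `obfuscate_seq` and `Receiver` are all assumptions.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF  # the BFD sequence number field is 32 bits wide


def obfuscate_seq(key: bytes, seq: int) -> int:
    """32-bit value sent in place of seq (assumed: truncated HMAC-SHA256)."""
    mac = hmac.new(key, struct.pack("!I", seq & MASK32), hashlib.sha256)
    return struct.unpack("!I", mac.digest()[:4])[0]


class Receiver:
    """Matches a received 32-bit value against the next k expected numbers."""

    def __init__(self, key: bytes, next_seq: int, k: int):
        self.key, self.k = key, k
        self.next_seq = next_seq & MASK32
        self._rebuild()

    def _rebuild(self) -> None:
        # Pre-compute hash -> sequence number for the next k expected values,
        # wrapping at 2**32. On a hash collision the earliest number wins.
        self.window = {}
        for i in range(self.k):
            seq = (self.next_seq + i) & MASK32
            self.window.setdefault(obfuscate_seq(self.key, seq), seq)

    def accept(self, wire_value: int):
        """Return the recovered sequence number, or None to drop the packet."""
        seq = self.window.get(wire_value)
        if seq is None:
            return None  # no match: stale, replayed, forged or too far ahead
        self.next_seq = (seq + 1) & MASK32  # slide the window past the match
        self._rebuild()
        return seq


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample key
    rx = Receiver(key, next_seq=100, k=3)  # k = 3 is a constructed value
    for sent in (100, 102, 100, 106):  # 101 lost, 100 replayed, 106 too far
        print(sent, "->", rx.accept(obfuscate_seq(key, sent)))
```

With an ideal 32-bit hash, a value chosen without the key matches the window with probability about k / 2^32 per packet, so k trades loss tolerance against forgery margin.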