Re: Comments on draft-ietf-bfd-secure-sequence-numbers-12.txt

[Jeffrey Haas <jhaas@pfrc.org>]

Alan,

On Jan 17, 2024, at 11:19 AM, Alan DeKok <aland@deployingradius.com> wrote:
>  Perhaps then this text.  Which both refers to the other draft, and then also says how such a switch impacts ISAAC.
> 
>      <t>It is RECOMMENDED that implementations periodically use a
>      strong Auth Type for packets which maintain the session in an Up
>      state.  See <xref
>      target="I-D.ietf-bfd-optimizing-authentication">BFD
>      Authentication</xref> for appropriate procedures.</t>

This part is good.


>      <t>The nature of the Meticulous Keyed ISAAC method means that
>      there is no issue with this switch, so long as it is for a small
>      number of packets.  From the point of view of the Meticulous
>      Keyed ISAAC state machine, this switch can be handled similarly
>      to a lost packet.  The state machine simply notices that instead
>      of Sequence Number value being one more than the last value used
>      for ISAAC, it is larger by two.  The ISAAC state machine then
>      calculates the index into the current "page", and uses the found
>      number to validate (or send) the Auth Key.</t>

The fundamental issue here is that once we've selected a seed, we need to maintain the ISAAC pages vs. the page base we've selected.

As you note above, if we switch out of ISAAC mode for a few packets, this is no different than "lost packets" from the perspective of figuring out what our next page should be.  I.e., we should only need to flip a page or two.

Alternatively, if the ISAAC page is maintained with the sequence number no matter what on the presumption that we will eventually move back to ISAAC, there's no issues.

Noting that we do not have procedure to permit a new seed to be exchanged as the limiting factor causing the above is appropriate justification.

-- Jeff