Comments on draft-ietf-bfd-unaffiliated-echo-01
Jeffrey Haas <jhaas@pfrc.org> Mon, 05 April 2021 21:39 UTC
Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 626BF3A2916; Mon, 5 Apr 2021 14:39:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0iepXgTwYNHV; Mon, 5 Apr 2021 14:39:16 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 57A6F3A2912; Mon, 5 Apr 2021 14:39:13 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id EC18F1E44B; Mon, 5 Apr 2021 18:01:30 -0400 (EDT)
Date: Mon, 05 Apr 2021 18:01:30 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: draft-ietf-bfd-unaffiliated-echo@ietf.org
Cc: rtg-bfd@ietf.org
Subject: Comments on draft-ietf-bfd-unaffiliated-echo-01
Message-ID: <20210405220130.GG12257@pfrc.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="x+6KMIRAuhnl3hBn"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/FlSvmcBmjuTW2Kl1NhVgmapPZuY>
X-Mailman-Approved-At: Mon, 05 Apr 2021 14:40:41 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Apr 2021 21:39:22 -0000
[Speaking as an individual contributor] Authors, Attached, please find an rfcdiff containing some suggested edits to your draft. The intent is to try to add clarity to the document. If you would find it helpful, I can also forward a patch vs. the published -01 xml. --- Additionally, there are several points of discussion for you and perhaps the Working Group about this proposal: The changes recommended in section 2 are clear, but difficult to see what content each change brings. IETF has a mixed culture about how to implement such changes in a document. This draft does so by copy, paste, and change. If we can collectively find a better way to highlight the differences without being so wordy, that would be good. Alternatively, I know some people will be thrilled with the format you have chosen. :-) --- In section 3, the proposal effectively says that the BFD speaker is originating BFD Control packets in the Echo Packet mode. Since RFC 5880/5881 keeps the details about how Echo packets are made out of scope, but does provide some guidance for security, this is acceptable. I would suggest highlighting that the validation procedures of RFC 5880 are used. The intent appears to be "re-use existing BFD Control procedure as much as possible", which means re-use of code. Good! However, this leads to some interesting issues. One example is that since a BFD speaker is "hearing itself" rather than having the remote device actually speaking BFD, some things are wrong. As an example, the Discriminator procedures in the BFD Async mode can't apply. The remote won't pick its own and swap it! I'd thus recommend some text about this. RFC 5880, section 5, has the following to say about authentication: : Some form of authentication SHOULD be included, since Echo packets : may be spoofed. Some procedural text related to authentication and the contents of the packets is needed. The desired min TX and required min RX intervals should be populated with something, even if it's 1 second. And perhaps some advice that we're ignoring the values in these fields. --- Your last set of changes in section 2 attempts to adjust the text covering sending Echo packets. When the implementation transitions to sending them at the desired echo speed is a little ambiguous since the role of Control packets is on the Echo port and in Echo packets. One possible solution is that the Echo rate is not used until the BFD state machine moves to the Up stage as per normal RFC 5880 procedures. However, that involves running the state machine from its usual slow rate of 1 second until we transition to Up, and reverting to the slow rate when it goes to Down/AdminDown. This text will be tricky to do since we're blending the Control mode in the Echo packets. A strong goal of this is what happens when the remote is not echoing packets back to us properly. We do not want the BFD echo sender to transition directly to a denial-of-service condition, especially since the TTL is set to 255. The usual slow rate until Up at least mitigates the sender's role in this problem. Note that the TTL receive check on the receiver will be at least 254 due to the loop. This reduces the effectiveness of GTSM, and potentially is an issue for the loop procedure. --- Does this mechanism ever go AdminDown? What does it do, if so? --- Suggestion: Move the following text in some form to the top of section 3: : After receiving the BFD Echo packets sent from device A, the one-hop- : away BFD peer device B immediately loops them back by normal IP : forwarding, this allows device A to rapidly detect a connectivity : loss to device B. Being able to do this is a requirement for the feature, and the easy one to articulate. It provides the motivations for the rest of the section. --- Security Considerations: The URPF comments in the security considerations is really intended to say "you can't do urpf for this feature". It might be easy to just say that more directly. The requirement for this feature is that the receiver is willing to loop UDP packets on port 3785. In the simplest possible implementation, this can become an open reflector attack and is probably one of the larger security considerations our Transport and Security Area Directors and their Directorates will flag. There are two mitigations that can help with this, although it's an open question whether the host stacks supplying the loop beheaviors can support them: - A packet SHOULD NOT be looped unless it has a TTL of 255. - A packet being looped MUST NOT reset the TTL to 255, and SHOULD use a TTL of 254. The motivation for this is firstly to respect GTSM procedures on reception and prevent remote attackers from exploiting the loop. This should be able to be implemented using a firewall at the very least. Secondly, retransmiting with a fresh TTL of 255 can potentially cause a set of looping devices to infinitely loop traffic. A TTL of 254 is the largest TTL that can prevent such infinite loops. A lower TTL widens the window for targeting attack traffic to the BFD speaker originating the Echo traffic. --- Comment to note for later purposes: the BFD state variables for the yang module will need to be defined for these changes. Oddly, we never got around to doing a central IANA registry for such things. -- Jeff