IETF Logo Mail Archive

Re: Comments on draft-ietf-bfd-secure-sequence-numbers-10

Alan DeKok <aland@freeradius.org> Tue, 21 March 2023 21:26 UTC

Return-Path: <aland@freeradius.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29CC9C14CF1E; Tue, 21 Mar 2023 14:26:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ECHBhmWTkKkU; Tue, 21 Mar 2023 14:26:47 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FD92C14F74A; Tue, 21 Mar 2023 14:26:45 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 73A07377; Tue, 21 Mar 2023 21:26:42 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=fail (p=reject dis=none) header.from=freeradius.org
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Subject: Re: Comments on draft-ietf-bfd-secure-sequence-numbers-10
From: Alan DeKok <aland@freeradius.org>
In-Reply-To: <4B9B39A0-8F35-43E9-850B-4E0B42371410@pfrc.org>
Date: Tue, 21 Mar 2023 17:26:40 -0400
Cc: draft-ietf-bfd-secure-sequence-numbers@ietf.org, rtg-bfd@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A51F49B6-E5D9-49C0-9A1B-903E633ECF50@freeradius.org>
References: <20230321181834.GB3114@pfrc.org> <C4D01D2C-9C54-400E-925C-180A8EC72859@freeradius.org> <4B9B39A0-8F35-43E9-850B-4E0B42371410@pfrc.org>
To: Jeffrey Haas <jhaas@pfrc.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/GbECBEPa5YMb9troiy2IlanMT7M>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2023 21:26:49 -0000

On Mar 21, 2023, at 5:07 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> The "use sequence number taken from previous auth method" is what I had in mind.
> 
> A concrete example might explain my thinking.  Let's start with a mechanism that has has sequence numbers, such as md5.
> ...
> If the state we're keeping isn't only the simple boring scalar variable that's in the document (bfd.XmitAuthSeq) and is rather the per-session, per-type, we can envision maintaining  sequence numbers separately for each method.  That's pretty straight forward.

  I agree.

>  This makes our state for ISAAC:
> 
> For a given session
> - For the meticulous ISAAC auth type
> - For a specific meticulous ISAAC auth key id
> - For a specific seed
> - There's a sequence number (bfd.XmitAuthSeq)

  Yes.

> 
> However, if we do so, this means that our packet acceptance criteria gains complexity.  We're expected to verify that our received authseq is within the expected range allowing for dropped packets. (RFC 5880, §6.7.3)  It's still easy to envision we keep that acceptable window per auth method.  Keeping track of those windows and whether we're missing a packet or not based on authentication method is doable, but gets messier.  This impacts the draft-ietf-bfd-stability draft a bit.
> 
> None of these things are impossible.  It does, however, mean we need more text covering that detail.  (It's just text.)
> 
> By contrast, if we used a single shared authseq, we change none of the above protocol complexity.  If the number is 20 for md5 and the next packet is ISAAC with sequence number 21 and seed-x, the implementation still computes the ISAAC table and indexes into 21.  Basically, it has skipped 0..20.

  The issue there is that the sequence numbers are 32 bits, and ISAAC produces "pages" of 256 32-bit numbers.  So it's effectively impossible to "seek" to some random 32-bit value.  The key generation has to start somewhere.  If it starts at zero, then if the current sequence number is 0x01000000, then it has to generate 2^24 pages to "sync up".

  A simple approach is to just declare a synchronization point.  The current value of bfd.XmitAuthSeq is where we start ISAAC.  Let's call this value  w

  In that case, the N'th output of ISAAC is just bfd.LocalIsaacStart + N.  The "next" value of bfd.XmitAuthSeq is (bfd.LocalIsaacStart + N) mod 2^32.

> I'm fine with either answer, and I suspect your inclination is keeping the separate sequence number spaces and updating the rest of the procedure to clarify for that.  It'd be good to hear from the other authors as well on this point.

  The only issue with starting at a value other than zero is that it's slightly harder to synchronize.  The receiving party has to obtain (3*Detect Mult), and the meticulously compare the received 32-bit Auth-Key with each value.  If one matches, the bfd.LocalIsaacStart variable is set to that.  The expected value for bfd.RcvAuthSeq is set to match.  

>> What if there's no auth method, or auth-type==simple?
> 
> Another argument for a separate numbering space.

  I think that's the best approach.

>> It just keeps going.  The sequence number isn't used to derive the 32-bit Auth-Keys taken from ISAAC.  So wrapping doesn't matter to it.
> 
> I may be confused here.
> 
> The current sequence number is 2^32 -1, we're on page X for ISAAC.
> The sequence number wraps to 0 next round.  ISAAC would normally generate another page.
> The index into that page is 0 rather than 2^32 at the API level.

  I think the misconception here is that the ISAAC pages depend on the sequence numbers.  They don't.

  Instead, we have the following properties, in vague pseudo-math notation

Dependency between pages:

	ISAAC page (n) = ISAAC magic (ISAAC page (n - 1))

Auth Key is derived from the current page:

	BFD Auth Key for ISAAC = ISAAC current page [ bfd.XmitAuthSeq & 0xff ]

We change pages after we've generated 256 values:

	if bfd.XmitAuthSeq & 0xff == 0xff
	  ISAAC page (n) = ISAAC magic (ISAAC page (n - 1))
	  ISAAC current page = ISAAC page (n)

  I hope that makes sense.


  So with those properties, page(n) doesn't depend on bfd.XmitAuthSeq at all.

> Is the presumption here that this is a modulus operation and it's unimportant that the next number is 0 rather than 2^32?

  There's no modulus for pages, just for indexes into a page.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email