TTL/Auth Redux

Dave Katz <dkatz@juniper.net> Sat, 12 March 2005 01:56 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA01825; Fri, 11 Mar 2005 20:56:15 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D9vuc-00074h-7o; Fri, 11 Mar 2005 20:59:30 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D9vov-00028H-8W; Fri, 11 Mar 2005 20:53:37 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D9vot-000257-SN for rtg-bfd@megatron.ietf.org; Fri, 11 Mar 2005 20:53:35 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA01613 for <rtg-bfd@ietf.org>; Fri, 11 Mar 2005 20:53:34 -0500 (EST)
Received: from colo-dns-ext1.juniper.net ([207.17.137.57]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D9vs1-0006wT-9Z for rtg-bfd@ietf.org; Fri, 11 Mar 2005 20:56:49 -0500
Received: from merlot.juniper.net (merlot.juniper.net [172.17.27.10]) by colo-dns-ext1.juniper.net (8.11.3/8.9.3) with ESMTP id j2C1rQ990890 for <rtg-bfd@ietf.org>; Fri, 11 Mar 2005 17:53:26 -0800 (PST) (envelope-from dkatz@juniper.net)
Received: from [172.16.12.139] (nimbus-sf.juniper.net [172.16.12.139]) by merlot.juniper.net (8.11.3/8.11.3) with ESMTP id j2C1rLe15236 for <rtg-bfd@ietf.org>; Fri, 11 Mar 2005 17:53:21 -0800 (PST) (envelope-from dkatz@juniper.net)
Mime-Version: 1.0 (Apple Message framework v619.2)
Content-Transfer-Encoding: 7bit
Message-Id: <302ea42bfd6ba31bd7af777d8a017d42@juniper.net>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
To: "'rtg-bfd@ietf.org'" <rtg-bfd@ietf.org>
From: Dave Katz <dkatz@juniper.net>
Date: Fri, 11 Mar 2005 18:53:48 -0700
X-Mailer: Apple Mail (2.619.2)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 14582b0692e7f70ce7111d04db3781c8
Content-Transfer-Encoding: 7bit
Subject: TTL/Auth Redux
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
Sender: rtg-bfd-bounces@ietf.org
Errors-To: rtg-bfd-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8de5f93cb2b4e3bee75302e9eacc33db
Content-Transfer-Encoding: 7bit

For those not present in Minneapolis yesterday, there was a discussion 
about the issue of what to say about the use of the TTL Hack when 
authentication is in use.  There seemed to be a feeling in the room 
that the use of the TTL Hack in this case was desirable enough so that 
it should be a SHOULD.

I felt (though I was not present, but only participating via audio 
feed) that this was in part driven by Pekka reiterating his concerns 
about a system being somehow involuntarily forced to run repeated 
cryptographic operations, providing a DoS opportunity.  There was also 
some discussion about the order of these two operations.

Toward the end of the discussion, it appeared that Pekka's concerns 
were based on the assumption that a system had to attempt to validate 
any packet carrying authentication that it saw.


I thought it would be worth revisiting the issue one last time, now 
that I think I understand the concern.


In the last rev, I put in the following verbiage:

    If BFD authentication is in use, any value of TTL/Hop Count MAY be
    used in transmitted packets, and received packets MUST NOT be
    discarded based on the received TTL/Hop Count.

My intent was twofold.  First, the only purpose of the TTL check was as 
a really lousy form of authentication--if other forms of authentication 
are in use, the TTL check is unnecessary.  Second, I am concerned about 
the unintended consequences of this check.  There is an existence proof 
(or at least a historical existence proof) of media that appear as a 
single network layer hop, but decrement TTL in mid-link (tunneling 
schemes), as well as systems that decrement TTL when they ought not to. 
  By mandating the TTL hack, BFD could not function across such links, 
but they could be worked around through the use of authentication.  
This ought not to happen, but it has, and if the TTL hack is 
unnecessary, it ought not to be there.  (Not to mention that it is 
truly heinous.)  At least that's my take on the matter.

It's also my contention that if you *are* going to use authentication, 
you *must* have a generic mechanism for avoiding DoS attacks on the 
crypto engine, since otherwise you *must* trust all potential sources 
of packets (in which case the authentication is unnecessary.)


Pekka can correct me if I'm wrong, but I believe he was concerned that 
if a system was running without authentication (and thus making the TTL 
check) and a bad guy off in the distance lobbed in a packet with 
authentication, the system would be obligated to do cryptographic 
processing on the packet.

However, this scenario cannot happen due to the way the base spec is 
written.  First of all, the packet is demuxed by Your Descr.  If it 
doesn't select a session, the packet is discarded.  Next, if packet 
demuxes to a session and the session is not using authentication, the 
packet will be discarded if it has the A bit set.  So at this point, in 
the scenario in question, the packet would have been discarded one way 
or another without ever touching the authentication data.

So the short version is that there is *no* risk of doing *any* 
cryptographic calculation if authentication is not in use.

(One side issue is that "authentication in use" is not a well specified 
term.  I will improve that;  what it means is that authenticated 
packets are being sent and received for a particular session.)


The language, as written, bars the use of TTL hack when authentication 
is in use.  The question is, what should the spec say if someone 
*really* wants to use authentication *and* the TTL hack at the same 
time?

The antiauthoritarian product builder in me notes that any 
implementation is free to deviate from any specification at any time, 
so long as the implications on interoperability are known and it is 
done between consenting adults.  This is arguably hard-headed.

My druthers would be to leave the wording as-is with the belief that it 
is unnecessary and ugly to spec, and implementors can play games as 
they see fit.

However, I can see some wiggle room in this that serves everyones' 
purposes and doesn't introduce any interoperability issues.  That would 
be to say that the sender MUST use TTL 255 (which isn't any burden 
unless you're trying to do some kind of path length limitation, which 
would be even weirder), and that the receiver MAY make the TTL check, 
and have a couple of sentences about the implications of all this.  The 
issue then falls completely on the receiving system, and people can 
lobby their vendors for a knob, and nobody can be accused of being out 
of spec.

Comments?

--Dave