Re: Shepherd writeup for draft-ietf-bfd-optimizing-authentication

"Reshad Rahman (rrahman)" <rrahman@cisco.com> Thu, 02 July 2020 19:02 UTC

Return-Path: <rrahman@cisco.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C73F3A07CB; Thu, 2 Jul 2020 12:02:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=JvZuZfEy; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=gMEf1f0E
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dg7SwenwjRk6; Thu, 2 Jul 2020 12:02:37 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E17403A0847; Thu, 2 Jul 2020 12:02:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=57011; q=dns/txt; s=iport; t=1593716547; x=1594926147; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=IWzb6bPK6HAApfX2/KX/DSrX2qeXCE79jnd6j8/zSi0=; b=JvZuZfEySTjG/5O0aJ8o+juL2EHSLlTVQboZs9uW1rkpoVcZ4LQU52Wz GUZmjy0rZMsyjDC62/7PJJuNfpgyTApohXAwk4LKvJC8/BXkZN4cDRpve e8m3dX4Z+1aoiPMAO2bkkHE61lSToX66lEemJE7YBerkiivRDM6IQsgxK I=;
IronPort-PHdr: =?us-ascii?q?9a23=3AFJvqHxNtzJZxqvI+zPIl6mtXPHoupqn0MwgJ65?= =?us-ascii?q?Eul7NJdOG58o//OFDEvKwx3lDMVITfrflDjrmev6PhXDkG5pCM+DAHfYdXXh?= =?us-ascii?q?AIwcMRg0Q7AcGDBEG6SZyibyEzEMlYElMw+Xa9PBtaHc//YxvZpXjhpTIXEw?= =?us-ascii?q?/0YAxyIOm9E4XOjsOxgua1/ZCbYwhBiDenJ71oKxDjpgTKvc5Qioxneas=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CAAAACLv5e/4cNJK1fGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQEBAQEBARIBAQEBAQEBAQEBAQGCCoEjL1EHb1gvLAqEJ4NGA41KigG?= =?us-ascii?q?OWYJSA1ULAQEBDAEBJQgCBAEBhEcCF4IFAiQ4EwIDAQELAQEFAQEBAgEGBG2?= =?us-ascii?q?FWwyFbgEBAQEDEhEdAQEkEwEPAgEGAg4DAwECGQgBBgMCAgIfERQJCAIEDgU?= =?us-ascii?q?fA4MEAYF+TQMuAQ6ONZBoAoE5iGF2gTKDAQEBBYFGQYM2DQuCDgMGgTgBgmi?= =?us-ascii?q?HNIJLGoFBP4ERJxyCTT6CGkICAwGBYhkNCRmCRzOCLY8ngxOGQ4s7kAlNCoJ?= =?us-ascii?q?ciEuMEIRvAx2Cc4kwhSKNWJM+iDeCWZFrAgQCBAUCDgEBBYFqIoFWcBUaSwG?= =?us-ascii?q?CPlAXAg2OHgsCFoNOhRSFQQF0NwIGAQcBAQMJfIxBgQ8BgRABAQ?=
X-IronPort-AV: E=Sophos;i="5.75,305,1589241600"; d="scan'208,217";a="776624337"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 02 Jul 2020 19:02:25 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by alln-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 062J2Ph6024798 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 2 Jul 2020 19:02:25 GMT
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 2 Jul 2020 14:02:25 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 2 Jul 2020 14:02:24 -0500
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 2 Jul 2020 15:02:24 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=B5VwYuQN4oV6ND65uQ9OLilnM+uct0Xshq6rPcI2DqhdEgwSG8yLe98P1aDuJp9GEttoyUJM4Y3x5zZ7Ot9HmQOjRSdIYS4tR1/ALVpvn5rreFl3rXNs8CUMAjVOGqR2bYh/deYZ/Px4Vbs4LLQlBH7F40l4omjMAB9HVnSy6PelgXhD5V86cAMqOznjmAJ2z05Ryi4ve/GeJqucf1H+bQ/VbT/KCMKPXMPrT/PvhzbTCpHuLXg08j4mVJSQHykrXUZP06yV3r+cJs/X5hrxqqjJ0S55S6rdoBE7iIgjbfkh0m3RHLLGC9hMxWTg300QY7sjJBU4IBoiceewHemB/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IWzb6bPK6HAApfX2/KX/DSrX2qeXCE79jnd6j8/zSi0=; b=bY97bVZVtNLnnWJ5KIKA0p3beOU2R5e0fToaccWJWl6HVczhivyQRJ0085BgdftB+4lv5KrIJeZ+ubzZIG+QSaAcX+83Mrwv2VY2TcXOdWpxFii00gSp/GThRz13W2DkS+e4XZNnB302LUZIEtehde5DDsFiAaT/fGlHJoTL3H0OvZqcfUo82g/U+pBkye1pAo4wnIgwPtXcX+dP/aWi65KtyLoeqzN5KQt7Ff4ZCUWjZ5ZzPKhiWGiaBxHUJArj7jW0BsNxrTn1bdAV6SV1WlmZJMDdDtacWth4f+u9ZBD181MPpOCT9+Xr6vJBuKZ0kxvF0Z1ClmCV/W17sgyb0w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IWzb6bPK6HAApfX2/KX/DSrX2qeXCE79jnd6j8/zSi0=; b=gMEf1f0EU2o49SQdGEnkR8dmHgcVkznYBLR7oE5bw5Sr4NkAKbvAFtI+X2F+pyXHLHwOWi7lZhRbeXy/YE30jcna+YL+3Z6xbG/ksU5+c4rxpc5t3fbv0TNHgcIOIVahY2T6TcRtKBH7gzCXNRdzqrFZ7jSZgP65DwC21Cr99oI=
Received: from BN6PR11MB3875.namprd11.prod.outlook.com (2603:10b6:405:80::37) by BN8PR11MB3748.namprd11.prod.outlook.com (2603:10b6:408:86::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3153.23; Thu, 2 Jul 2020 19:02:23 +0000
Received: from BN6PR11MB3875.namprd11.prod.outlook.com ([fe80::3076:a505:335e:a8ff]) by BN6PR11MB3875.namprd11.prod.outlook.com ([fe80::3076:a505:335e:a8ff%6]) with mapi id 15.20.3153.027; Thu, 2 Jul 2020 19:02:23 +0000
From: "Reshad Rahman (rrahman)" <rrahman@cisco.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
CC: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-optimizing-authentication@ietf.org" <draft-ietf-bfd-optimizing-authentication@ietf.org>
Subject: Re: Shepherd writeup for draft-ietf-bfd-optimizing-authentication
Thread-Topic: Shepherd writeup for draft-ietf-bfd-optimizing-authentication
Thread-Index: AQHWQnykt4YmkJxKckmHBhtY2tCNm6jzyViAgAC1PoA=
Date: Thu, 2 Jul 2020 19:02:23 +0000
Message-ID: <D205BB56-DA58-4C39-B278-BC318CF3C1ED@cisco.com>
References: <86B2BDA3-B8BC-4ABF-A073-30844E7254FD@cisco.com> <8C54F0A2-0D11-4C50-B94F-19E6381365AE@gmail.com>
In-Reply-To: <8C54F0A2-0D11-4C50-B94F-19E6381365AE@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.37.20051002
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [142.113.229.50]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: acf756fa-bd1e-46bc-c6af-08d81eba7457
x-ms-traffictypediagnostic: BN8PR11MB3748:
x-microsoft-antispam-prvs: <BN8PR11MB374846A845DBA9D20CB4224CAB6D0@BN8PR11MB3748.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2512;
x-forefront-prvs: 0452022BE1
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wA8qVE8sCF6+7w+R0gEp9P5nH8RqRd9c9s/bkQBP/cBnihKPaEZYCQRPc9P07Mdcy97Mx9yeG9rkJA/0Vo0gGfPwmfsVZahrnzejfAqcIww801LE5fO3RfPhEIN1EwMztswSTamGV+Ti/U3weD4NzpmseS233xssyOuT3Lo0X5kedIXvylhv9lpA4RZ+7PiSTJZC8qwwUxF/T/eeYloVI3F8asapMcuGy61oRZV36tk5iVA/VsrI8UtEJGyngl0TDi5ho8DU/O6br9KWXDrnJH/F8Zy6x1SJxBnydc8gHLDce9xre5utat3mtwTW9VBIFVBbfArznVeJvbxPFsXNVFF6q6sEUYS5I+WWPoxjzcisIXSmsnPmcvWVLPUoRDPkKUOuhejXONKYHuQHYJS4sw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN6PR11MB3875.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(376002)(396003)(366004)(39860400002)(136003)(166002)(86362001)(33656002)(186003)(4326008)(6916009)(53546011)(6506007)(83380400001)(2616005)(478600001)(316002)(64756008)(71200400001)(66476007)(66946007)(6486002)(91956017)(76116006)(966005)(66556008)(26005)(9326002)(8936002)(54906003)(66446008)(5660300002)(2906002)(6512007)(36756003)(8676002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: hAMnOba65jGtj51kh2N1E2MJOoXbAak+vb/6xLq44ugiGjF9q20zLuHA+cPHkvhrh0RmL2rMZmBFc75CpufR51cS5vX8a5nugh4Jp6XTc9LQhM1q7/hDHUR8g4ciEPgk50xtcfuUkBU0Ws+eqXyIwHhX9X97Pwt3zLV5nC1kAlSuYo+Orrux0uOMk0g4kJErRaUsoGaOSHOpTqfM1UF0rBnNvhG+xeG8Y5lXlXuPDV3Hpfeuh+YhtrpzV72RCKwFEVfjB+F9XDyCKb5PH7VPl6EUx4G4idJGmDOzhqkTM1461TXx4Bxf4GW2kgrlr1Mll/0mfpmbtvu6Iawm/Ez+pC/F06F/nDMrhTE0VQEkdq5D3H0zbdWloEmkl3CofWeFlXl6sXHLXnbvOCUhfvBFnwpvUflixvjiYeamrH8LhnVIEeHI5KeFfITKSgpBnqeTeIiX0EruVWxPHNU+DaF2tV9Vjnj4CppFo4aUcqZ3nLcYZTiS4TCf7H2E3hGKepaf
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_D205BB56DA584C39B278BC318CF3C1EDciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN6PR11MB3875.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: acf756fa-bd1e-46bc-c6af-08d81eba7457
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jul 2020 19:02:23.7045 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BXu52UiXe4MKrlzH8n0uPILDCEWIro5U/dsT7rHLao7cOT7Rn1dvsdVnZxGGNJizAtg8pldtxVpVEHSlcMw8xA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3748
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.12, xch-aln-002.cisco.com
X-Outbound-Node: alln-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/JcQOSPtxDXlxK9yCZVfZisibnnQ>
X-Mailman-Approved-At: Thu, 02 Jul 2020 12:05:16 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2020 19:02:42 -0000

Hi Mahesh,

Thanks for the update.  I’ll re-review the updated document when it’s available.

Inline <RR>

From: Mahesh Jethanandani <mjethanandani@gmail.com>
Date: Thursday, July 2, 2020 at 12:13 AM
To: "Reshad Rahman (rrahman)" <rrahman@cisco.com>
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>rg>, "draft-ietf-bfd-optimizing-authentication@ietf.org" <draft-ietf-bfd-optimizing-authentication@ietf.org>
Subject: Re: Shepherd writeup for draft-ietf-bfd-optimizing-authentication

Hi Reshad,

Happy Canada day!

Thanks first of all for the shepherd writeup. Please see my comments/questions inline.

@Ashesh, please comment on the change to the table.


On Jun 14, 2020, at 11:50 AM, Reshad Rahman (rrahman) <rrahman@cisco.com<mailto:rrahman@cisco.com>> wrote:

Authors, WG,

The writeup is available at https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/

For convenience I’ve copied the comments on the document below.

Regards,
Reshad.

General:

  *   Updates RFC5880 missing from title page

Hmm. How does one add the “Updates” tag?



  *
  *   Replace BFD frames by BFD packets or BFD control packets. Don’t use frames since RFC5880 uses packets.

Done.



  *
  *   Use of term Null-authentication TLV. RFC5880 uses authentication section, doesn’t mention auth TLV.

Ok. Have changed all references of “NULL Auth TLV” to “NULL Auth Type”.



  *

Abstract:
Mention that this document updates RFC5880.

Done.



Requirements Language
Please put this is a separate (sub)section later, e.g. after introduction.

Done.



Introduction
First paragraph: s/is computationally intensive process/is a computationally intensive process/

Done.


Split first sentence into 2, e.g.
   Authenticating every BFD [RFC5880] packet with a Simple Password, or
   with a MD5 Message-Digest Algorithm [RFC1321], or Secure Hash
   Algorithm (SHA-1) algorithms is a computationally intensive process.
   This makes it difficult, if not impossible, to authenticate every packet,
   particularly at faster rates.

Done.



2nd paragraph: “… only BFD frames that signal a state change in BFD be authenticated.” State change is not 100% correct since P/F/D bit changes aren’t state changes (as mentioned in more detail below in section 2 comments). What about this instead: “State change, a demand mode change (to D bit) or a poll sequence change (P or F bit change) in a BFD packet are categorized as a significant BFD change. This document proposes that all BFD control packets which signal a significant BFD change MUST be authenticated if the session’s bfd.AuthType is non-zero. Other BFD control packets MAY be transmitted and received without the A bit set.” If you do use “significant BFD change”, add it to terminology section.

Done.


s/non-state change frame/BFD control packets without state or D/F/P bit change/, e.g.
“To detect a Man In the Middle (MITM) attack, it is also proposed that BFD control packets without a significant change be authenticated occasionally.  The interval of these control packets…”

Done.



Section 2
POLL and DEMAND are NOT strictly states. POLL refers to “Poll sequence” as specified in section 6.5 of RFC5880. DEMAND refers to “Demand mode” as specified in section 6.6 of RFC5880. In the table, the POLL entry refers to polling sequence enabled and in any BFD state. Likewise, the DEMAND entry refers to Demand mode. This means that a session in UP state, in demand mode and polling sequence enabled will match 3 entries in that table. It’s a bit confusing. Here’s what I suggest instead:

  1.  Take POLL out of the table. Add a paragraph mentioning that if P or F bit changes value, the packet MUST be authenticated
  2.  Take DEMAND out of the table. Add a paragraph mentioning that if D bit changes value, the packet MUST be authenticated

Have made the change as follows. I am hoping Ashesh can comment on it.

The significant changes for which authentication is being suggested
   include:

          Read   : On state change from <column> to <row>
          Auth   : Authenticate frame
          NULL   : No Authentication. Use NULL AUTH Type.
          n/a    : Invalid state transition.
          Select : Most packets NULL AUTH. Selective (periodic)
                   packets authenticated.
         +--------+-----------+---------+---------+
         |            | DOWN   | INIT   | UP     |
         +--------+--------+--------+--------+
         | DOWN   |  NULL  |  Auth  |  Auth  |
         +--------+--------+--------+--------+
         | INIT   |  Auth  |  NULL  |  n/a   |
         +--------+--------+--------+--------+
         | UP     |  Auth  |  Auth  | Select |
         +--------+--------+--------+--------+

                       Optimized Authentication Map

   If P or F bit changes value, the packet MUST be authenticated.  If
   the D bit changes value, the packet MUST be authenticated.
<RR> I’m good with this. I’m ok with doing this differently too, as long as the crux of my concern is still addressed.



  1.

Another comment on the table. The text says it should be read as state change from column to row. Column INIT to row UP is n/a whereas column UP to row INIT is Auth. INIT to UP is a valid transition, UP to INIT is not (has to go through DOWN first). So I think those entries should be reversed in the table.

Done.



Last paragraph: CC frames is not defined in BFD, use “control packets” instead?

Done.



Section 3
Sequence number mentions “as defined in [RFC5880]”. Suggest mentioning bfd.XmitAuthSeq

Done.



Security Considerations.
I believe this needs to be beefed up:

  1.  Use of sequence number for non-authenticated frames. Secure sequence numbers even better.
  2.  Mention (again) that non-authenticated BFD packets which have a significant change (state, D/F/P) are dropped. So if someone injects a non-authenticated packet with Down state to take down the session, that won’t work.

The Security Considerations section now reads as follows:

  The approach described in this document enhances the ability to
   authentication a BFD session by taking away the onerous requirement
<RR> s/authentication a BFD/authenticate a BFD/
   that every frame be authenticated.  By authenticating packets that
<RR> s/every frame/every BFD control packet/
   affect the state of the session, the security of the BFD session is
   maintained.  In this mode, packets that are a significant change but
   are not authenticated, are dropped by the system.  Therefore, a
   malicious user that tries to inject a non-authenticated packet, e.g.
   with a Down state to take a session down will fail.  That combined
   with the proposal of using sequence number defined in Secure BFD
   Sequence Numbers [I-D.ietf-bfd-secure-sequence-numbers] further
   enhances the security of BFD sessions.


Regards,
Reshad.



  1.

Section 6.2
RFC5880 should be a normative reference.

Done.

Mahesh Jethanandani
mjethanandani@gmail.com<mailto:mjethanandani@gmail.com>