IETF Logo Mail Archive

Re: draft-ietf-bfd-optimizing-authentication-13 nits

Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 23 January 2024 18:19 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40949C14F699; Tue, 23 Jan 2024 10:19:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Db9R98L5gp-n; Tue, 23 Jan 2024 10:19:08 -0800 (PST)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE78BC14F682; Tue, 23 Jan 2024 10:19:03 -0800 (PST)
Received: by mail-pf1-x42f.google.com with SMTP id d2e1a72fcca58-6dd85328325so410466b3a.1; Tue, 23 Jan 2024 10:19:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706033943; x=1706638743; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=HlJgtWoGPM3V0Jty1Y2XLT+wfZSIucge1M0iCoBEmk8=; b=UN8xHOgDkbKFHCqcQEqasOkyexrTkm1KSBOcs4Dd03Ky0ps4CNtXw9gL11Ie7Q7+tQ /5HXa+s3YmDje80h36AJHR1extYKZswHO3/a56PbkPiw1YWiN/IWvUxmuFJlbHjaitoP 6LPjRsOnLmfpzpo3IP9IuJhNJP5hDRDJ7KZt62WGXBu1a7Ok9jqYo2uOTGPYJHUIk+lb aQhN0Uk0GQRO5vMqFs4+8B4uZKvRVHfG3cS90poRnhAjKN2UUPLoAW+OXzwJGHVuhzdF F17T/XG2DzdZ3MLkmzxHQcwgdE4nUQrIDUZLUFMzTpi5tQkaw/2K1UDvPb/R7cQk5dbr KtGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706033943; x=1706638743; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=HlJgtWoGPM3V0Jty1Y2XLT+wfZSIucge1M0iCoBEmk8=; b=wElHajH2kdv16J391gRbkiJue2mvj7IDln8RIBGazpBlsk4lHVXGSTUUT6TZ72Fz9M XBUwWSdSO/rASwyuu3tnYU8t3pXsolDgfX0LNoz53tnum5nA4yTXK7swn0OVxPoHeVZ0 Kcfe0Q9bwjqqFty+fvS7ourcITSIJh+cJFg5zzMGuChijjS2sSpvlDFtuZ8P0nm4mRK2 4PlLVGJnRYFsiGAIZ/bdub9SQOKwelCUswYWsujmLp6s16lzN6sTypdKNOAm2Pk1ix4X +PnXJ+IXpsg/jKmEY5SyxyfkZe49McuA9zjMu6+tlIHoXVMv9EgG5cb1NFTuqk+mGzRI 6Y0Q==
X-Gm-Message-State: AOJu0YxZYcJvdoHrVyevmm8JcewncKub1/fYqN2cEuTiMo8vqPfTR+i9 LyVRowPZYsTqZM6qxWk2ccl1Fnhd7TjW6W3x3rhpP13y8VuQqdf0xJvszoK/NnY=
X-Google-Smtp-Source: AGHT+IFMCfNWB1TO+9cPrV0+W52nD8IuN/K6sGx39FOnM/A152TFSKexwaU2c8iXneqKXwhXslcLcw==
X-Received: by 2002:a05:6a00:f97:b0:6dd:83c2:b5d8 with SMTP id ct23-20020a056a000f9700b006dd83c2b5d8mr932590pfb.13.1706033942696; Tue, 23 Jan 2024 10:19:02 -0800 (PST)
Received: from smtpclient.apple (c-69-181-169-15.hsd1.ca.comcast.net. [69.181.169.15]) by smtp.gmail.com with ESMTPSA id m6-20020a62f206000000b006dbd1678512sm6100823pfh.162.2024.01.23.10.19.00 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Jan 2024 10:19:00 -0800 (PST)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <27C39AF2-D01F-48C5-A564-B600D1439CAC@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_78F1D22E-69EC-4DE3-9C6A-D4B07E0E6652"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
Subject: Re: draft-ietf-bfd-optimizing-authentication-13 nits
Date: Tue, 23 Jan 2024 10:18:59 -0800
In-Reply-To: <3B169E77-D0E6-4282-9F74-5ED9E0CB45CF@pfrc.org>
Cc: draft-ietf-bfd-optimizing-authentication@ietf.org, "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, Manav Bhatia <manavbhatia@gmail.com>, Ashesh Mishra <mishra.ashesh@gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>
References: <4F3695C8-3736-4E55-B5BB-84671FDC367E@pfrc.org> <A8D0BCD4-15FA-4061-A7F0-6D888158F5A3@gmail.com> <D3DB82BE-730A-4D7C-88B8-3B309C5AC3B9@pfrc.org> <9CDB2C7B-BAB6-476C-9F12-BFA7EAD6DD60@gmail.com> <478E63ED-1784-4522-96A8-6813A2028F40@gmail.com> <3B169E77-D0E6-4282-9F74-5ED9E0CB45CF@pfrc.org>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/JzgnBTAkkZPx_6JLr5QWBjnjqFU>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2024 18:19:14 -0000


> On Jan 22, 2024, at 2:20 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> 
> Mahesh,
> 
> 
>> On Jan 22, 2024, at 5:15 PM, Mahesh Jethanandani <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>> wrote:
>> 
>>> On Jan 19, 2024, at 4:14 PM, Mahesh Jethanandani <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>> wrote:
>>> At the same time, if 'secure-seq-num' is configured as ’true’, the sequence number is generated as defined by I-D.ietf-bfd-secure-sequence-numbers, and inserted into the packet. The only question I ask is, if “optimized auth” is enabled, and when there is a state transition, the packet is “fully” authenticated by selecting bfd.AuthType as one of the non-zero values (but not NULL-auth). Do we need to generate a secure sequence number at that time? Or is it easier/simpler to let it continue generating the secure sequence number, and not deal with “lost” packets as the session transitions from bfd.AuthType with a non-zero value and NULL-auth.
>> 
>> Want to make sure that this is clear enough (here), and if you think text to that effect should be added to the draft.
> 
> I'm not really looking for text that says the procedure sets specific bfd variables in order to say what is going on the wire.
> 
> However, what's needed is discussing that we're switching from a primary configuration for authentication with "strong" properties to a "weaker" one for the optimization.  We also need to discuss that for certain "weaker" authentications, like NULL, we may need to periodically do the strong authentication to ensure we haven't been MITMed.
> 
> And for that periodic strong auth check, what's the configuration element and what's the recommended time to do it?  For example, a few times an hour?  I suspect we'll pick a value and it'll immediately get hate mail from the security directorate no matter what so my recommendation is to pick something the authors think is reasonable and we'll iterate that conversational point in that thread.

I am proposing two config variables that I think that are pertinent to optimized configuration, and I can put a small YANG model that augments BFD YANG model to demonstrates it. They are:

- optimized-auth flag: A boolean flag, when set to true, the implementation would like to make use of optimized auth for the session in question.
- strong-auth-interval: A uint32 value that takes a microsecond value for the interval after which the session MUST try a strong authentication mechanism to prevent a MITM attack. The default value is default value of required-min-rx-interval as defined in the BFD YANG model, times the local-multiplier with a default value of 3 for a total of 3000000.

Both these variables can be protected with a feature statement that implementations will enable if they want to support optimized authentication.

Is that what you were looking for?


Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email