Re: Optimizing Authentication - periodic re-authentication

Rahman <reshad@yahoo.com> Tue, 30 January 2024 05:31 UTC

From: Rahman <reshad@yahoo.com>
Subject: Re: Optimizing Authentication - periodic re-authentication
Date: Mon, 29 Jan 2024 21:28:45 -0800
Message-Id: <2A54BB75-B967-425C-B3B4-39A3A91BE4B0@yahoo.com>
References: <20240128202100.GA11839@pfrc.org>
Cc: draft-ietf-bfd-optimizing-authentication@ietf.org, rtg-bfd@ietf.org
In-Reply-To: <20240128202100.GA11839@pfrc.org>
To: Jeffrey Haas <jhaas@pfrc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/PtX9aiysl_vczx80P0cm5fNwsKY>
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>

Jeff, good catch.

We can document both ways, i.e. we can let implementations decide which of the 2 methods below they prefer? Or is the concern that this will cause a DISCUSS?

Regards,
Reshad.

Sent from my iPhone

> On Jan 28, 2024, at 12:21 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> 
> Optimizing Auth Authors and Working Group,
> 
> The text on github is coming along, thanks.  Much of the work has been
> toward resolving procedural discussions vs. the secure sequence numbers
> draft.  While doing my latest review, it occurred to me that the periodic
> reauthentication procedure is perhaps flawed.
> 
> When running in the optimized mode, authentication may be disabled, the new
> NULL auth type, or Meticulous Keyed ISAAC.  For disabled or NULL, the intent
> of periodic re-authentication was to address active attacks on the Up
> portion of the session.[1]
> 
> The procedures have a BFD implementation periodically sending out
> authenticated control packets.  However, there's no way in the current
> procedures to synchronize that the receiver of those packets should expect
> authentication.
> 
> Thus, it's possible for an active attacker to simply drop the strong
> authentication packets and simply continue to inject either the
> unauthenticated packets, or the next expected sequence numbers in the NULL
> auth mode.
> 
> There are at least two possible ways to address this:
> 1. We simply don't worry about periodic re-auth for no-auth or NULL-auth.
> We thus don't protect against this attack.  If you care about this attack,
> use Meticulous Keyed ISAAC and the attack goes away.
> 2. We test periodic strong authentication by using a Poll sequence.  If we
> don't receive a Fin within the Detect Interval with strong auth, compromise
> should be expected.
> 
> 
> -- Jeff
> 
> [1] Yes... the only attack we have in this mode is "keep the session Up when
> it might otherwise not be".  I expect the usual hilarity when we get to
> security area review.
>
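The attack Jeff describes, and the Poll-sequence fix he proposes as option 2, as an added toy simulation (not code from the draft, the list, or any BFD implementation). Packets carry only a sequence number, the P and F bits and an optional auth tag; HMAC-SHA256 with a constructed pre-shared key stands in for Meticulous Keyed ISAAC or any other strong auth type, and time is counted in transmit intervals with a Detect Interval of three. The on-path attacker drops every strong-auth packet and injects a NULL-auth packet carrying the sequence number the receiver expects; in the "forge" variant it also tries to answer the poll with an unauthenticated Final.

```python
"""Toy model of the periodic re-authentication gap discussed above.

Added illustration, not draft text: an Up session in optimized mode (NULL auth
between periodic strong-auth packets), with and without a Poll/Final check,
against an on-path attacker.  HMAC-SHA256 over a few fields stands in for a
real strong auth type; KEY and DETECT_MULT are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

KEY = b"constructed-shared-key"  # assumption: pre-shared key for strong auth
DETECT_MULT = 3                   # Detect Interval = 3 transmit intervals (illustrative)


@dataclass
class Pkt:
    seq: int                      # sequence number, the only thing NULL auth checks
    poll: bool = False            # P bit
    final: bool = False           # F bit
    auth: Optional[bytes] = None  # None = no/NULL auth, bytes = strong-auth tag


def tag(seq: int, poll: bool, final: bool) -> bytes:
    return hmac.new(KEY, f"{seq}:{int(poll)}:{int(final)}".encode(), hashlib.sha256).digest()


def strong(seq: int, poll: bool = False, final: bool = False) -> Pkt:
    return Pkt(seq, poll, final, tag(seq, poll, final))


def verify(p: Pkt) -> bool:
    return p.auth is not None and hmac.compare_digest(p.auth, tag(p.seq, p.poll, p.final))


class Peer:
    def __init__(self, use_poll: bool):
        self.use_poll = use_poll  # option 2 from the mail: re-auth via a Poll sequence
        self.tx_seq = 0
        self.rx_seq = 0           # next sequence number expected from the far end
        self.state = "Up"
        self.awaiting_final = False
        self.ticks_waiting = 0

    def next_tx(self, reauth: bool) -> Pkt:
        seq, self.tx_seq = self.tx_seq, self.tx_seq + 1
        if not reauth:
            return Pkt(seq)
        if self.use_poll and not self.awaiting_final:
            self.awaiting_final = True  # a strong-auth Final is now due
            self.ticks_waiting = 0
        return strong(seq, poll=self.use_poll)

    def rx(self, p: Pkt) -> Optional[Pkt]:
        if p.auth is not None and not verify(p):
            self.state = "Down"   # bad strong-auth tag: reject
            return None
        if p.seq != self.rx_seq:  # NULL-auth check: sequence number only
            return None
        self.rx_seq = p.seq + 1
        if p.final and self.awaiting_final and verify(p):
            self.awaiting_final = False   # only a strong-auth Final clears the poll
        if p.poll and verify(p):
            seq, self.tx_seq = self.tx_seq, self.tx_seq + 1
            return strong(seq, final=True)
        return None

    def tick(self) -> None:
        if self.awaiting_final:
            self.ticks_waiting += 1
            if self.ticks_waiting >= DETECT_MULT:
                self.state = "Down"  # no strong-auth Final within the Detect Interval


def run(use_poll: bool, attacker: str = "none", rounds: int = 8) -> str:
    """attacker: 'none'; 'drop' = drop strong-auth packets and inject NULL-auth ones
    carrying the expected seq; 'forge' = 'drop' plus an unauthenticated Final."""
    a, b = Peer(use_poll), Peer(use_poll)
    for i in range(rounds):
        p = a.next_tx(reauth=(i % 2 == 0))  # every other packet is a re-auth packet
        if attacker != "none" and p.auth is not None:
            p = Pkt(p.seq)                  # sequence numbers are visible on the wire
        reply = b.rx(p)
        if attacker == "forge" and reply is None and a.awaiting_final:
            reply = Pkt(a.rx_seq, final=True)  # attacker cannot compute the tag
        if reply is not None:
            a.rx(reply)
        a.tick()
        if a.state != "Up":
            break
    return a.state


if __name__ == "__main__":
    for use_poll in (False, True):
        for attacker in ("none", "drop", "forge"):
            print(f"poll={use_poll!s:5} attacker={attacker:5} -> {run(use_poll, attacker)}")
```

Without the Poll sequence the attacked session stays Up: the receiver never learns that a strong-auth packet was due, so dropping it costs the attacker nothing. With the Poll sequence, the side that sent the authenticated Poll times out waiting for an authenticated Final and goes Down, and a forged Final is accepted by the NULL-auth sequence check but does not clear the poll because its tag cannot be computed without the key.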