IETF Logo Mail Archive

Re: draft-ietf-bfd-optimizing-authentication-13 nits

Alan DeKok <aland@deployingradius.com> Sun, 21 January 2024 16:58 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D4D7C14F618; Sun, 21 Jan 2024 08:58:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4UeiDp4VepOM; Sun, 21 Jan 2024 08:58:51 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D9A4C14F5F9; Sun, 21 Jan 2024 08:58:49 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 6924919A; Sun, 21 Jan 2024 16:58:45 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Subject: Re: draft-ietf-bfd-optimizing-authentication-13 nits
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <F9A30ECC-28E1-4272-A23F-191310424E0F@pfrc.org>
Date: Sun, 21 Jan 2024 11:58:43 -0500
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, rtg-bfd@ietf.org, draft-ietf-bfd-optimizing-authentication@ietf.org, Ashesh Mishra <mishra.ashesh@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A9091D9D-1F6F-4AB7-BAD6-04229B0F3EFF@deployingradius.com>
References: <B49A64C7-731F-4729-9D99-AC6C133983C8@deployingradius.com> <F9A30ECC-28E1-4272-A23F-191310424E0F@pfrc.org>
To: Jeffrey Haas <jhaas@pfrc.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/PzPeoGUZQ5XUEOXI15UHlfyeFUA>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jan 2024 16:58:55 -0000

On Jan 21, 2024, at 10:43 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> To your final point, ISAAC is reasonably secure for the Up case. However it doesn’t authenticate the packet contents. 

  What fields can be modified which *don't* affect the BFD state machine?  Most of the fields are mandated to have specific values for this particular session and this particular state.

  i.e. We may not need the full packet to be authenticated in order to maintain an "Up" state.

  Perhaps the RX / TX intervals could be modified without detection.  We could update the ISAAC doc to say that these fields need to be cached when ISAAC starts, and can only be changed via an Auth Type which authenticates the full packet content.

  Doing that would address pretty much all of the issues related to not authenticating the packet.  Either a received packet is byte-for-byte identical to what we expect (plus ISAAC key), or it's not, and we drop it.

  So the process is:

BFD packet is exactly what we expect (except for Auth Key)
         |
        +--- no?  drop it
         |
         | yes
         |
  check if the ISAAC Auth Key matches
         |
        +--- no?  drop it
         |
         | yes
         |
   session remains Up.

  I see a fully authenticated packet as being needed for state changes, or perhaps modifying the RX / TX intervals.

  But at a very high level, so long as the receiver sees the correct ISAAC Auth Type, the rest of the BFD packet almost doesn't matter.  No one other than the sender could have calculated the correct Auth Key.  Therefore the sender is still Up.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email