Re: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)

Alan DeKok <aland@deployingradius.com> Thu, 28 April 2022 13:21 UTC

In-Reply-To: <4e9bb1fe-028f-e981-9df3-27a2a714b055@mikrotik.com>
Cc: rtg-bfd@ietf.org, draft-ietf-bfd-secure-sequence-numbers@ietf.org
Message-Id: <6CEEE57D-0D0A-4C56-82F7-B285A2BE472F@deployingradius.com>
References: <b4a3419f-b465-90fd-0f92-7385fa5595c4@mikrotik.com> <03DC02BB-FBC4-4820-83D3-AAC309E16117@deployingradius.com> <4e9bb1fe-028f-e981-9df3-27a2a714b055@mikrotik.com>
To: Gļebs Ivanovskis <glebs@mikrotik.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/R1fWvGlGF3uO2RmOYLDXs04W728>

On Apr 28, 2022, at 5:37 AM, Gļebs Ivanovskis <glebs@mikrotik.com> wrote:
> Thank you for the pointer. It seems that the "secure sequence numbers" draft makes the same mistake as RFC 5880 of putting bfd.AuthSeqKnown and bfd.RcvAuthSeq manipulations before FNV-1a digest calculation in Section 7. "Meticulous Keyed FNV1A Authentication" (part "Receipt Using Meticulous Keyed FNV1A Authentication"):
> 
> Otherwise (bfd.AuthSeqKnown is 0), bfd.AuthSeqKnown MUST be set to 1, and bfd.RcvAuthSeq MUST be set to the value of the received Sequence Number field.
> 
> Replace the contents of the Digest field with zeros, and calculate the FNV-1a digest as described below. If the calculated FNV-1a digest is equal to the received value of the Digest field, the received packet MUST be accepted. Otherwise (the digest does not match the Digest field), the received packet MUST be discarded.

  Yes, the text should be updated to authenticate first, then change state.

  There's also additional text needed to clarify and finalize all of the issues around state / state changes with those authentication methods.  Suggestions are welcome.  I spent time getting the ISAAC / FNV text updated, but I'm less familiar with the rest of BFD.

  Alan DeKok.
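As an added example (not code from the thread, RFC 5880 or the draft), the two receive orderings side by side: the one quoted above, which sets bfd.AuthSeqKnown and bfd.RcvAuthSeq before the digest is verified, and the authenticate-first ordering suggested in the reply. The packet layout, the key-prefix keying, DETECT_MULT and the shared key are assumptions made for illustration; only the order of verification and state change is the point.

```python
import struct
from dataclasses import dataclass
FNV64_OFFSET, FNV64_PRIME, MASK64 = 0xcbf29ce484222325, 0x100000001b3, (1 << 64) - 1
DETECT_MULT = 3  # bfd.DetectMult chosen for this example

def fnv1a_64(data: bytes) -> int:  # plain 64-bit FNV-1a
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & MASK64
    return h

# Constructed packet: 4-byte Sequence Number + 8-byte Digest. The real BFD control packet
# layout and the draft's exact keying are NOT reproduced; key-prefixing is an assumption.
def digest(key: bytes, seq: int) -> int:
    return fnv1a_64(key + struct.pack("!IQ", seq, 0))  # Digest field zeroed

def build_packet(key: bytes, seq: int) -> bytes:
    return struct.pack("!IQ", seq, digest(key, seq))

def corrupted_packet(key: bytes, seq: int) -> bytes:  # test input: digest cannot verify
    return struct.pack("!IQ", seq, digest(key, seq) ^ 1)

@dataclass
class Session:
    auth_seq_known: int = 0  # bfd.AuthSeqKnown
    rcv_auth_seq: int = 0    # bfd.RcvAuthSeq

def _seq_in_window(sess: Session, seq: int) -> bool:
    # Meticulous keyed window (RFC 5880): strictly increasing, at most 3*DetectMult ahead.
    return sess.auth_seq_known == 0 or sess.rcv_auth_seq < seq <= sess.rcv_auth_seq + 3 * DETECT_MULT

def receive_as_drafted(sess: Session, key: bytes, pkt: bytes) -> bool:
    """Ordering as quoted above: bfd.AuthSeqKnown/bfd.RcvAuthSeq set before the digest check."""
    seq, rcvd = struct.unpack("!IQ", pkt)
    if not _seq_in_window(sess, seq):
        return False
    if sess.auth_seq_known == 0:
        sess.auth_seq_known, sess.rcv_auth_seq = 1, seq  # changed by a not-yet-verified packet
    if digest(key, seq) != rcvd:
        return False
    sess.rcv_auth_seq = seq
    return True

def receive_fixed(sess: Session, key: bytes, pkt: bytes) -> bool:
    """Authenticate first, then change state; a discarded packet leaves the session untouched."""
    seq, rcvd = struct.unpack("!IQ", pkt)
    if not _seq_in_window(sess, seq) or digest(key, seq) != rcvd:
        return False
    sess.auth_seq_known, sess.rcv_auth_seq = 1, seq
    return True
```

With the drafted ordering, a single packet that fails the digest check still initialises bfd.RcvAuthSeq, after which a genuine packet with a lower sequence number falls outside the meticulous window; the fixed ordering leaves the session exactly as it was.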