Re: Comments on draft-ietf-bfd-generic-crypto-auth
Mahesh Jethanandani <mjethanandani@gmail.com> Thu, 17 April 2014 06:18 UTC
Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 438AE1A03FE for <rtg-bfd@ietfa.amsl.com>; Wed, 16 Apr 2014 23:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWU7aBut53XY for <rtg-bfd@ietfa.amsl.com>; Wed, 16 Apr 2014 23:18:22 -0700 (PDT)
Received: from mail-yh0-x22d.google.com (mail-yh0-x22d.google.com [IPv6:2607:f8b0:4002:c01::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 95A021A03D6 for <rtg-bfd@ietf.org>; Wed, 16 Apr 2014 23:18:22 -0700 (PDT)
Received: by mail-yh0-f45.google.com with SMTP id a41so8639yho.4 for <rtg-bfd@ietf.org>; Wed, 16 Apr 2014 23:18:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=qvgjvLbmFmYvReVoUC8H5hVaEH/3QQM/U2BtFhxT4gQ=; b=zye3ludga65N7yZtISTrwxQ4BOMm+F7vwpZeEGdaDPwdWkHJZbs3At10TO9SnqAwOu sD15MxXR6JQh3OicpfwS5I6mY2/r2wsd9u8StF7333V27wwgKo7uSy7HPls5z4WfwXdW xAx2TYE5JicWxQKhUh4e4baePdfVybnoI2hsqEvgb4jMhWsBK2dqGTdzMPP9KjpqiSa6 JSb7/o+/uUy5d53lmMFYJ/LMxryHsn4He16zJxgBxBrgrwW1oPiYAAAg5eccd7RUP8oB bSvTLEgPgS2yCIRWJHmhcoEspWCmJz6LFF7K4lNVcj6X4N4ssujb6x3/VTYiin0RLK97 dmWA==
X-Received: by 10.236.45.69 with SMTP id o45mr19538579yhb.64.1397715499102; Wed, 16 Apr 2014 23:18:19 -0700 (PDT)
Received: from [192.168.1.101] (108-247-124-220.lightspeed.sntcca.sbcglobal.net. [108.247.124.220]) by mx.google.com with ESMTPSA id h66sm46640572yhb.7.2014.04.16.23.18.17 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 16 Apr 2014 23:18:18 -0700 (PDT)
Subject: Re: Comments on draft-ietf-bfd-generic-crypto-auth
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="us-ascii"
From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <CECE764681BE964CBE1DFF78F3CDD3941E107BCA@xmb-aln-x01.cisco.com>
Date: Wed, 16 Apr 2014 23:18:16 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E15C147B-0F20-4646-B552-84B39270D99F@gmail.com>
References: <CECE764681BE964CBE1DFF78F3CDD3941E107BCA@xmb-aln-x01.cisco.com>
To: Nobo Akiya <nobo@cisco.com>
X-Mailer: Apple Mail (2.1085)
Archived-At: http://mailarchive.ietf.org/arch/msg/rtg-bfd/RccT7yt491eJ4lxzsdQAgn5dF8k
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-generic-crypto-auth@tools.ietf.org" <draft-ietf-bfd-generic-crypto-auth@tools.ietf.org>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 06:18:24 -0000
Nobo, See comments inline. On Apr 14, 2014, at 10:23 AM, Nobo Akiya (nobo) wrote: > Hi Authors, > > I have reviewed your draft (draft-ietf-bfd-generic-crypto-auth ), comments below. > Since document is nearing expiration, perhaps you can address some of these comments and re-publish? > > > (1) Abstract > > s/arbitary/arbitrary/ Fixed. > > > (2) Section 2 > > Before listing "Not Before Time" and "Not After Time", it'll be great if the document can provide some words to better transition from previous paragraph. Those are the parameters associated with a BFD SA just like Authentication Algorithm etc. The indentation might have thrown you off. Let me see if I can fix it. > > > (3) Section 3.3 > > [snip] > The device MUST fill the Auth Type and the Auth Len fields before the > authentication data is computed. The Sequence Number field MUST be > set to bfd.XmitAuthSeq. > [snip] > > The paragraph is slightly confusing wrt whether Sequence Number field need to be set before or after authentication data is computed. It'll be good to clarify this. I was looking at RFC 5880 for guidance on this. It says "The Sequence Number field MUST be set to bfd.XmitAuthSeq." Period. No mention of before or after. How about this: "The device MUST fill the Auth Type, the Auth Len fields and set the Sequence Number field to bfd.XmitAuthSeq before the authentication data is computed." > > > (4) Section 3.4, second paragraph > > [snip] > If the Authentication Present (A) bit is set in the packet header and > the receiver will try to find a appropriate BFD SA in its local key > table to process the packet. > [snip] > > I believe you meant to say: > > If the Authentication Present (A) bit is set in the packet header and > Auth Type is TBD1 or TBD2, the receiver is to find an appropriate BFD > SA in its local key table to process the packet. > > See below for usage of TBD1/TBD2. Ok. Will fix it. > > > (5) Section 3.4, fourth paragraph > > Is it better to say "unsigned 64 bit circular number space" here, or keep it as "unsigned 32 bit circular number space"? If latter, then the document should clarify that it's low order 32 bits. Ok. Will change it to say "unsigned 64 bit circular number space" > > > (6) Section 3.4, sixth paragraph > > [snip] > In such a case, an error event SHOULD be logged. > [snip] > > Such log could become DoS attack point? Rate limiting of such log is outside the scope of this document, but it could be beneficial to explain this in the Security Considerations section ... optional comment though. > How about this: "In such a case, an error event SHOULD be logged. Rate limiting of such a log to prevent a DoS attack is outside the scope of this document." > > (7) IANA Considerations > > Indeed values 6 and 7 are next, but it's technically not correct to just use them [yet]. > Can we use TBD1 and TBD2? If someone is implementing and early allocation is required, then we can do that. > > Also it'll be beneficial for this section to clearly describe what is needed from where. Maybe something like: > > IANA is requested to assign two authentication types from the > "BFD Authentication Types" sub-registry within the "Bidirectional > Forwarding Detection (BFD) Parameters" registry. > > Address BFD Authentication Type Name Reference > ------- --------------------------------------- ------------- > TBD1 Cryptographic Authentication this document > TBD2 Meticulous Cryptographic Authentication this document > > Ok. Will make the suggested changes. > (8) Security Considerations > > s/reestablishing/re-establishing/ > Will fix. > > (9) References > > RFC5880 should be a normative reference instead of informative, as document is even referencing a variable from RFC5880 (ex: bfd.XmitAuthSeq). > That is correct. Consider it done. Thanks > > -Nobo > > Mahesh Jethanandani mjethanandani@gmail.com
- Comments on draft-ietf-bfd-generic-crypto-auth Nobo Akiya (nobo)
- Re: Comments on draft-ietf-bfd-generic-crypto-auth Mahesh Jethanandani
- RE: Comments on draft-ietf-bfd-generic-crypto-auth Nobo Akiya (nobo)