Re: New Version Notification for draft-ietf-bfd-optimizing-authentication-02.txt
"Reshad Rahman (rrahman)" <rrahman@cisco.com> Sun, 26 March 2017 15:51 UTC
Thanks Mahesh. Then should the sequence number obfuscation be part of the
optimizing-authentication draft? If we keep them as 2 separate documents,
then the optimizing-authentication draft should refer to the sequence
number draft and basically the 2 docs would be tied together?

Regards,
Reshad.

On 2017-03-25, 12:10 PM, "Rtg-bfd on behalf of Mahesh Jethanandani"
<rtg-bfd-bounces@ietf.org on behalf of mjethanandani@gmail.com> wrote:

>
>> On Mar 24, 2017, at 1:33 PM, Reshad Rahman (rrahman)
>> <rrahman@cisco.com> wrote:
>>
>> Hi Mahesh,
>>
>> Couple of questions/comments:
>>
>> 1) I thought the secure sequence number was needed for the NULL Auth TLV
>> in the optimizing-authentication draft (to make NULL Auth TLV more secure
>> as per comments from security folks). I guess it could be used with full
>> authentication also. So I don't understand how secure sequence number can
>> be used "standalone" as seems to be implied by your cost/benefit table
>> below.
>
> Sequence number obfuscation is not a replacement for optimized or full
> authentication. On a spectrum from no authentication to full
> authentication, I view obfuscation of sequence numbers, deployed by
> itself, somewhere in the middle to prevent a MITM attack. It does not
> prevent the packet from being modified, but the session cannot be taken
> over by MITM, therefore the medium benefit.
>
> Its true benefit, however, comes from it being used in optimized
> authentication. I do not see a particular advantage when full
> authentication is done.
>
>> 2) Section 2 mentions "If the two ends have not previously negotiated
>> which frames they will transmit or receive with authentication enabled,
>> then the BFD session will fail to come up, because at least one end will
>> expect every frame to be authenticated." How is this negotiation done? Or
>> is this done via configuration aka outside the scope of this document?
>
> That is correct.
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>>
>>
>> Regards,
>> Reshad.
>>
>> On 2017-03-22, 9:57 PM, "Rtg-bfd on behalf of Mahesh Jethanandani"
>> <rtg-bfd-bounces@ietf.org on behalf of mjethanandani@gmail.com> wrote:
>>
>>>
>>>> On Mar 22, 2017, at 12:35 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>>>>
>>>> This update is scheduled to be discussed at the upcoming session at
>>>> IETF-98 in Chicago.
>>>>
>>>> The likely discussion is whether the new draft from Sonal should be
>>>> specifically tied to the advancement of the optimization draft. Our
>>>> prior discussion with Alan had suggested some concern about the sequence
>>>> number issues when we're using NULL authentication.
>>>>
>>>> I suspect some good discussion will happen on this topic at the
>>>> upcoming session and encourage the members of the Working Group to read
>>>> both drafts in preparation.
>>>
>>> Yes, it would be helpful to read both the drafts in preparation for the
>>> discussion.
>>>
>>> Optimized authentication is not a substitute for sequence number
>>> obfuscation draft, and vice-versa. They offer different levels of
>>> cost/benefit, where
>>>
>>> Draft                        Cost    Benefit
>>> ====                         ====    =======
>>> sequence number obfuscation  Low     Medium (does not authenticate
>>>                                      the complete packet)
>>> optimized authentication     Medium  High (authenticates entire
>>>                                      "state change" packets)
>>> full authentication          High    High (authenticates all packets)
>>>
>>>>
>>>> -- Jeff
>>>>
>>>>> On Jan 3, 2017, at 4:37 PM, internet-drafts@ietf.org wrote:
>>>>>
>>>>>
>>>>> A new version of I-D, draft-ietf-bfd-optimizing-authentication-02.txt
>>>>> has been successfully submitted by Mahesh Jethanandani and posted to
>>>>> the IETF repository.
>>>>>
>>>>> Name:           draft-ietf-bfd-optimizing-authentication
>>>>> Revision:       02
>>>>> Title:          Optimizing BFD Authentication
>>>>> Document date:  2017-01-05
>>>>> Group:          bfd
>>>>> Pages:          8
>>>>> URL:            https://www.ietf.org/internet-drafts/draft-ietf-bfd-optimizing-authentication-02.txt
>>>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/
>>>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-02
>>>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-optimizing-authentication-02
>>>>>
>>>>> Abstract:
>>>>>    This document describes an optimization to BFD Authentication as
>>>>>    described in Section 6.7 of BFD [RFC5880].
>>>>>
>>>>>
>>>>> Please note that it may take a couple of minutes from the time of
>>>>> submission until the htmlized version and diff are available at
>>>>> tools.ietf.org.
>>>>>
>>>>> The IETF Secretariat
>>
>
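The receiver policy that the cost/benefit table and the replies above describe (authenticate only "state change" packets, let the rest use NULL auth, but still require the sequence number to advance so an unauthenticated packet cannot replay or take over the session) is easiest to see as a small model. The Python below is added here for illustration and is not code from either draft or from anyone in the thread. The packet fields, the constructed shared key, HMAC-SHA256 as a stand-in for the RFC 5880 keyed MD5/SHA1 digest, and the strictly increasing sequence check are all assumptions of this toy model; in particular it does not implement the obfuscation scheme of the sequence number draft, only a plain monotonic check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared secret for this toy model; a real deployment provisions the
# key per RFC 5880 Section 6.7. This value is illustrative only.
SHARED_KEY = b"constructed-demo-key"

# Auth types in the toy model. "KEYED" stands in for the RFC 5880 keyed
# SHA1/MD5 types; "NULL" models the NULL Auth TLV the optimizing draft allows
# on packets that do not change session state.
AUTH_NULL = "NULL"
AUTH_KEYED = "KEYED"


@dataclass
class BfdPacket:
    """Minimal stand-in for a BFD Control packet: only the fields the policy needs."""
    state: str            # "Down", "Init" or "Up"
    seq: int              # sequence number carried in the auth section
    auth_type: str        # AUTH_NULL or AUTH_KEYED
    tag: bytes = b""      # authentication digest (empty for NULL auth)


def compute_tag(state: str, seq: int, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256 over the modelled fields. RFC 5880 digests the whole packet
    with keyed MD5/SHA1; HMAC-SHA256 is used here only as a stand-in."""
    return hmac.new(key, f"{state}|{seq}".encode(), hashlib.sha256).digest()


def keyed_packet(state: str, seq: int, key: bytes = SHARED_KEY) -> BfdPacket:
    """Build the packet a legitimate peer would send for a state change."""
    return BfdPacket(state, seq, AUTH_KEYED, compute_tag(state, seq, key))


class OptimizedAuthReceiver:
    """Receiver side of the policy discussed in the thread: a packet that changes
    session state must carry a valid keyed digest; other packets may use NULL
    auth, but every packet must advance the sequence number (meticulous-style)
    so a stale or replayed packet is dropped instead of acted on."""

    def __init__(self) -> None:
        self.state = "Down"
        self.last_seq = None  # None until the first accepted packet

    def accept(self, pkt: BfdPacket):
        """Return (accepted, reason); state is untouched when a packet is dropped."""
        state_change = pkt.state != self.state
        if state_change:
            if pkt.auth_type != AUTH_KEYED:
                return False, "state change without authentication"
            if not hmac.compare_digest(pkt.tag, compute_tag(pkt.state, pkt.seq)):
                return False, "state change with invalid digest"
        # The sequence check also covers NULL-auth packets; without it an old
        # keepalive could be replayed. 32-bit wrap-around is ignored in the toy.
        if self.last_seq is not None and pkt.seq <= self.last_seq:
            return False, "sequence number did not advance"
        self.last_seq = pkt.seq
        self.state = pkt.state
        return True, "accepted"


def run_scenario():
    """Constructed packet sequence that exercises each branch of the policy."""
    rx = OptimizedAuthReceiver()
    packets = [
        keyed_packet("Up", 1),                           # authenticated Down->Up
        BfdPacket("Up", 2, AUTH_NULL),                   # NULL-auth keepalive, seq advances
        BfdPacket("Down", 3, AUTH_NULL),                 # state change without auth
        BfdPacket("Up", 2, AUTH_NULL),                   # replayed keepalive, stale seq
        BfdPacket("Down", 4, AUTH_KEYED, b"\x00" * 32),  # state change, wrong digest
        keyed_packet("Down", 4),                         # authenticated Up->Down
    ]
    return [rx.accept(p) for p in packets]


if __name__ == "__main__":
    for i, (ok, why) in enumerate(run_scenario(), 1):
        print(f"packet {i}: {'ACCEPT' if ok else 'DROP  '} ({why})")
```

Running the scenario shows the split the table describes: the two state transitions are accepted only with a valid digest, the NULL-auth keepalive is accepted as long as its sequence number moves forward, and the replayed keepalive is dropped by the sequence check alone, which is the "medium" benefit Mahesh attributes to sequence-number protection without full authentication.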