Re: New Version Notification for draft-ietf-bfd-optimizing-authentication-02.txt

"Reshad Rahman (rrahman)" <rrahman@cisco.com> Sun, 26 March 2017 15:51 UTC

From: "Reshad Rahman (rrahman)" <rrahman@cisco.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
CC: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>
Subject: Re: New Version Notification for draft-ietf-bfd-optimizing-authentication-02.txt
Date: Sun, 26 Mar 2017 15:51:36 +0000
Message-ID: <D4FD5B15.26F1A4%rrahman@cisco.com>
References: <148349024330.27920.12965506868600849117.idtracker@ietfa.amsl.com> <FEA9EB6F-D251-4F14-B854-C904A763EA63@gmail.com> <20170322193508.GT7253@pfrc.org> <B1E275DE-F3DB-43B6-8DDA-ABA86D6C5605@gmail.com> <D4FAA4A3.26E146%rrahman@cisco.com> <C7569A9E-0141-4A6C-9535-20F138514A2B@gmail.com>
In-Reply-To: <C7569A9E-0141-4A6C-9535-20F138514A2B@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/SEqqvtL-LK8YLdfPUwR9pvpDhkE>

Thanks Mahesh. Then should the sequence number obfuscation be part of the
optimizing-authentication draft? If we keep them as 2 separate documents,
then the optimizing-authentication draft should refer to the sequence
number draft and basically the 2 docs would be tied together?

Regards,
Reshad.



On 2017-03-25, 12:10 PM, "Rtg-bfd on behalf of Mahesh Jethanandani"
<rtg-bfd-bounces@ietf.org on behalf of mjethanandani@gmail.com> wrote:

>
>> On Mar 24, 2017, at 1:33 PM, Reshad Rahman (rrahman)
>><rrahman@cisco.com> wrote:
>> 
>> Hi Mahesh,
>> 
>> Couple of questions/comments:
>> 
>> 1) I thought the secure sequence number was needed for the NULL Auth TLV
>> in the optimizing-authentication draft (to make NULL Auth TLV more
>> secure as per comments from security folks). I guess it could be used
>> with full authentication also. So I don't understand how secure sequence
>> number can be used "standalone" as seems to be implied by your
>> cost/benefit table below.
>
>Sequence number obfuscation is not a replacement for optimized or full
>authentication. On a spectrum from no authentication to full
>authentication, I view obfuscation of sequence numbers, deployed by
>itself, somewhere in the middle to prevent a MITM attack. It does not
>prevent the packet from being modified, but the session cannot be taken
>over by MITM, therefore the medium benefit.
>
>Its true benefit, however, comes from it being used in optimized
>authentication. I do not see a particular advantage when full
>authentication is done.
>
>> 2) Section 2 mentions "If the two ends have not previously negotiated
>> which frames they will transmit or receive with authentication enabled,
>> then the BFD session will fail to come up, because at least one end will
>> expect every frame to be authenticated." How is this negotiation done?
>> Or is this done via configuration aka outside the scope of this document?
>
>That is correct.
>
>Mahesh Jethanandani
>mjethanandani@gmail.com
>> 
>> 
>> Regards,
>> Reshad.
>> 
>> On 2017-03-22, 9:57 PM, "Rtg-bfd on behalf of Mahesh Jethanandani"
>> <rtg-bfd-bounces@ietf.org on behalf of mjethanandani@gmail.com> wrote:
>> 
>>> 
>>>> On Mar 22, 2017, at 12:35 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>>>> 
>>>> This update is scheduled to be discussed at the upcoming session at
>>>> IETF-98 in Chicago.
>>>> 
>>>> The likely discussion is whether the new draft from Sonal should be
>>>> specifically tied to the advancement of the optimization draft.  Our
>>>> prior discussion with Alan had suggested some concern about the
>>>> sequence number issues when we're using NULL authentication.
>>>> 
>>>> I suspect some good discussion will happen on this topic at the
>>>> upcoming session and encourage the members of the Working Group to
>>>> read both drafts in preparation.
>>> 
>>> Yes, it would be helpful to read both the drafts in preparation for the
>>> discussion.
>>> 
>>> Optimized authentication is not a substitute for sequence number
>>> obfuscation draft, and vice-versa. They offer different levels of
>>> cost/benefit, where
>>> 
>>> Draft                        Cost    Benefit
>>> ====                         ====    =======
>>> sequence number obfuscation  Low     Medium (does not authenticate the
>>>                                      complete packet)
>>> optimized authentication     Medium  High (authenticates entire "state
>>>                                      change" packets)
>>> full authentication          High    High (authenticates all packets)
>>> 
>>>> 
>>>> -- Jeff
>>>> 
>>>>> On Jan 3, 2017, at 4:37 PM, internet-drafts@ietf.org wrote:
>>>>> 
>>>>> 
>>>>> A new version of I-D, draft-ietf-bfd-optimizing-authentication-02.txt
>>>>> has been successfully submitted by Mahesh Jethanandani and posted to
>>>>> the IETF repository.
>>>>> 
>>>>> Name:          draft-ietf-bfd-optimizing-authentication
>>>>> Revision:      02
>>>>> Title:         Optimizing BFD Authentication
>>>>> Document date: 2017-01-05
>>>>> Group:         bfd
>>>>> Pages:         8
>>>>> URL:           https://www.ietf.org/internet-drafts/draft-ietf-bfd-optimizing-authentication-02.txt
>>>>> Status:        https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/
>>>>> Htmlized:      https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-02
>>>>> Diff:          https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-optimizing-authentication-02
>>>>> 
>>>>> Abstract:
>>>>> This document describes an optimization to BFD Authentication as
>>>>> described in Section 6.7 of BFD [RFC5880].
>>>>> 
>>>>> Please note that it may take a couple of minutes from the time of
>>>>> submission until the htmlized version and diff are available at
>>>>> tools.ietf.org.
>>>>> 
>>>>> The IETF Secretariat
>> 
>
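Added example, not part of this thread and not code from either draft: a toy receiver that models the three rows of Mahesh's cost/benefit table as acceptance policies (full authentication of every packet, optimized authentication of state-change packets only, and a sequence-number-only check) and runs the same constructed packet stream through each. The packet layout, the `Policy` names, the shared `KEY` and the use of HMAC-SHA256 in place of the keyed digests of RFC 5880 section 6.7 are all assumptions of the model; the sequence number obfuscation mechanism itself is not modeled, since its details are not on this page. The point the run makes is the one stated above: a sequence check alone stops replays but not modification, while authenticating state-change packets keeps an unauthenticated packet from flapping the session.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Constructed shared key for this model only (not a real deployment value).
KEY = b"example-bfd-key"

# BFD session states as carried in the Sta field (RFC 5880).
ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3


class Policy(Enum):
    FULL = "full"            # every packet must carry a valid MAC
    OPTIMIZED = "optimized"  # only packets that change state must carry a valid MAC
    SEQ_ONLY = "seq-only"    # no MAC check at all; sequence monotonicity only


@dataclass
class ControlPacket:
    """Simplified BFD Control packet: only the fields the model needs."""
    state: int
    my_disc: int
    your_disc: int
    seq: int
    mac: Optional[bytes] = None  # None models a NULL Auth TLV / no auth section


def _covered_bytes(pkt: ControlPacket) -> bytes:
    # Hypothetical canonical encoding of the fields the MAC covers.
    return f"{pkt.state}|{pkt.my_disc}|{pkt.your_disc}|{pkt.seq}".encode()


def sign(pkt: ControlPacket, key: bytes = KEY) -> ControlPacket:
    """Return a copy of pkt carrying an HMAC-SHA256 over its fields."""
    tag = hmac.new(key, _covered_bytes(pkt), hashlib.sha256).digest()
    return ControlPacket(pkt.state, pkt.my_disc, pkt.your_disc, pkt.seq, tag)


def mac_valid(pkt: ControlPacket, key: bytes = KEY) -> bool:
    """Constant-time check of the MAC; an absent MAC never validates."""
    if pkt.mac is None:
        return False
    expected = hmac.new(key, _covered_bytes(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(pkt.mac, expected)


class Receiver:
    """One BFD session endpoint applying a single acceptance policy."""

    def __init__(self, policy: Policy, key: bytes = KEY):
        self.policy = policy
        self.key = key
        self.last_seq: Optional[int] = None
        self.remote_state = DOWN  # state last accepted from the peer

    def accept(self, pkt: ControlPacket) -> bool:
        """Return True and update session state if pkt is accepted, else False."""
        # The sequence check applies under every policy: stale or replayed
        # packets (seq not strictly increasing) are dropped before anything else.
        if self.last_seq is not None and pkt.seq <= self.last_seq:
            return False
        state_change = pkt.state != self.remote_state
        if self.policy is Policy.FULL:
            needs_mac = True
        elif self.policy is Policy.OPTIMIZED:
            needs_mac = state_change
        else:
            needs_mac = False
        if needs_mac and not mac_valid(pkt, self.key):
            return False
        self.last_seq = pkt.seq
        self.remote_state = pkt.state
        return True


def demo() -> dict:
    """Run one constructed stream through each policy; report acceptance per packet."""
    results: dict = {}
    for policy in Policy:
        rx = Receiver(policy)
        stream: List[ControlPacket] = [
            sign(ControlPacket(UP, 1, 2, 100)),   # authenticated state change to Up
            ControlPacket(UP, 1, 2, 101),          # unauthenticated keepalive, no change
            ControlPacket(UP, 1, 2, 100),          # replay of the first sequence number
            ControlPacket(UP, 1, 9, 102),          # keepalive with a modified field, no MAC
            ControlPacket(DOWN, 1, 2, 103),        # unauthenticated state change to Down
        ]
        results[policy.value] = [rx.accept(p) for p in stream]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:10s} {accepted}")
```

Reading the run: the replay is dropped under all three policies; the modified keepalive is accepted under both `optimized` and `seq-only`, which is the "does not prevent the packet from being modified" limitation; and the unauthenticated Down packet is refused only where a MAC is demanded for state changes, which is what separates the Medium and High benefit rows.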