IETF Logo Mail Archive

Re: draft-ietf-bfd-optimizing-authentication-13 nits

Mahesh Jethanandani <mjethanandani@gmail.com> Sun, 21 January 2024 18:47 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 466ABC14F610; Sun, 21 Jan 2024 10:47:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dqzActfNzGGd; Sun, 21 Jan 2024 10:47:44 -0800 (PST)
Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE1E2C14F5F9; Sun, 21 Jan 2024 10:47:44 -0800 (PST)
Received: by mail-pg1-x531.google.com with SMTP id 41be03b00d2f7-5c66b093b86so2466069a12.0; Sun, 21 Jan 2024 10:47:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705862864; x=1706467664; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=jjoeH7UOPoBkvALWdHp9ITXfleo6jLsl57y/jmX9Dgk=; b=Mh/6LTr0YPypxwfMhek/ZyYsEQqUkTmazPAJWujFdegO4OI6yLxQOKV7vCas7/UyfV p5/2S5adYAgJy47/BQ6DN4rrPv8RjuzTwL+YQq4ECZci+qpU96GGNyn3B3ZQdCVnS9Ot 5ubZ641HF/LcN1193/GRPPFQoXy6qx3h4CIPEDK0o2O6YiYNy5dYhQDYoTSc8k/lhwvK ZkL7UDchCJbhJohgVTR7ZXRj46xGLsKstGulE+5lJNmm9QoWLvcSVLlVMczeBf05UBd/ fnAIwMcHrmA5aTJy/z3G1hwQN2fHz5JNEqRbkTuKRb2ZmzKTWj2CXp0jIbwmIWsiMhSv vo2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705862864; x=1706467664; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=jjoeH7UOPoBkvALWdHp9ITXfleo6jLsl57y/jmX9Dgk=; b=ToZ3mihDXNa0/Pyp6DN+D2I0I5i6ADNnZx/06AOmV0Cv0z+WZ4oDZDfXjwB5rF1deT BXAky0T9oqVsS9czcPw5DdhW1dryyeRPbyvRFgR9Cl4vFbBwkBTkEVenmieui49H4Vlj t84qqSEq0QeTeWw9snqlcU146SJZuHQedGaWbKRJ7NiNGB9AUGTQEhoRBXN7AfyXKUCm fIz07qlGa7gJAWdm8yZqyk4eViBMnj7Y9PA7oHXfJJu7347z7q5bdUsd/d1r/md8pb6s +Qhus1uZnXqriXiNvKZQXEd8lEAPXec4DK0g1GDYVgX7Xk+VYV8FxoZC7AkaV1HondNh i4IQ==
X-Gm-Message-State: AOJu0YyEV7xgWIqUqYdITVZYck7hSfiXfZsyZHbEH6RslEi78MppF06k mmOxjkiWaJp2uUY2Ydek5GyhtcwtoNG6f+VuYvKO3mFSpkFcU0oj
X-Google-Smtp-Source: AGHT+IGsWqDRdRj0xnx5ySY9/5BvXFTmJpzu8hI7SykwOHD/IGj52ylwQB05fKH1Lq7+SiskCnCn5w==
X-Received: by 2002:a17:90a:ac0e:b0:290:1c4d:82da with SMTP id o14-20020a17090aac0e00b002901c4d82damr3555426pjq.10.1705862863784; Sun, 21 Jan 2024 10:47:43 -0800 (PST)
Received: from smtpclient.apple (c-69-181-169-15.hsd1.ca.comcast.net. [69.181.169.15]) by smtp.gmail.com with ESMTPSA id qd13-20020a17090b3ccd00b00290689f5e10sm3517384pjb.31.2024.01.21.10.47.41 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 21 Jan 2024 10:47:41 -0800 (PST)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <15B398DB-1A14-4D6C-A9D4-2ED061C1A13F@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D606EEEC-0001-4E71-8FEE-D7AA5DA0CCD4"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
Subject: Re: draft-ietf-bfd-optimizing-authentication-13 nits
Date: Sun, 21 Jan 2024 10:47:40 -0800
In-Reply-To: <A9091D9D-1F6F-4AB7-BAD6-04229B0F3EFF@deployingradius.com>
Cc: Jeffrey Haas <jhaas@pfrc.org>, "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, draft-ietf-bfd-optimizing-authentication@ietf.org, Ashesh Mishra <mishra.ashesh@gmail.com>, Manav Bhatia <mnvbhatia@google.com>
To: Alan DeKok <aland@deployingradius.com>
References: <B49A64C7-731F-4729-9D99-AC6C133983C8@deployingradius.com> <F9A30ECC-28E1-4272-A23F-191310424E0F@pfrc.org> <A9091D9D-1F6F-4AB7-BAD6-04229B0F3EFF@deployingradius.com>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/UnEQRTsj2d8-HvVgIlUxqyyt9NA>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jan 2024 18:47:50 -0000

[Adding Manav back in the thread]

Hi Alan,

Even if I were to agree that securing the sequence number using ISAAC is another form of authentication, “optimized auth” is based on the premise that only an occasional authentication check is required when the BFD session is in UP state. Once the session is in UP state, most of the time the BFD session can do fine without any form of authentication. I want to keep the discussion of what goes into the sequence number field separate from whether we use authentication all the time or not.

Can we move the discussion below to the “secure-sequence-numbers” thread?

Thanks.

> On Jan 21, 2024, at 8:58 AM, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Jan 21, 2024, at 10:43 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>> To your final point, ISAAC is reasonably secure for the Up case. However it doesn’t authenticate the packet contents. 
> 
>  What fields can be modified which *don't* affect the BFD state machine?  Most of the fields are mandated to have specific values for this particular session and this particular state.
> 
>  i.e. We may not need the full packet to be authenticated in order to maintain an "Up" state.
> 
>  Perhaps the RX / TX intervals could be modified without detection.  We could update the ISAAC doc to say that these fields need to be cached when ISAAC starts, and can only be changed via an Auth Type which authenticates the full packet content.
> 
>  Doing that would address pretty much all of the issues related to not authenticating the packet.  Either a received packet is byte-for-byte identical to what we expect (plus ISAAC key), or it's not, and we drop it.
> 
>  So the process is:
> 
> BFD packet is exactly what we expect (except for Auth Key)
>         |
>        +--- no?  drop it
>         |
>         | yes
>         |
>  check if the ISAAC Auth Key matches
>         |
>        +--- no?  drop it
>         |
>         | yes
>         |
>   session remains Up.
> 
>  I see a fully authenticated packet as being needed for state changes, or perhaps modifying the RX / TX intervals.
> 
>  But at a very high level, so long as the receiver sees the correct ISAAC Auth Type, the rest of the BFD packet almost doesn't matter.  No one other than the sender could have calculated the correct Auth Key.  Therefore the sender is still Up.
> 
>  Alan DeKok.
> 
> 
> 


Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email