Re: WGLC BFD Authentication Drafts

Greg Mirsky <gregimirsky@gmail.com> Wed, 04 April 2018 00:35 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C74D1252BA for <rtg-bfd@ietfa.amsl.com>; Tue, 3 Apr 2018 17:35:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id exAkUp0TnQEd for <rtg-bfd@ietfa.amsl.com>; Tue, 3 Apr 2018 17:35:47 -0700 (PDT)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B207912420B for <rtg-bfd@ietf.org>; Tue, 3 Apr 2018 17:35:46 -0700 (PDT)
Received: by mail-lf0-x22a.google.com with SMTP id x70-v6so15944131lfa.0 for <rtg-bfd@ietf.org>; Tue, 03 Apr 2018 17:35:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pJM7FgycHiZqoGN5XawP4WFODSB9bVBDRrQHj6fl+Ds=; b=Zu3vWV+i0dRW4A3BLRA3shURkS6bSn+5vXMhUC8djt/KTS8Ilq87YlJTJde/4RHNm4 owlTewT87PqtJ6Yt4SR546N3vbffkShJBYE5OWYRxAOWuxX/FtiIwGNj3v5DvVnzB4P3 x+kCJLCL//eb1gTRDAIIqHAoMgOwYCrXT3crAr/f0rgIJaY0iXOd1GY+Bcj24CgeKl9g mnq+0qKXy9w9hdAM2/Fov81vGshpFoogt76ajVoLD9HsP5GXvige3sf4EERYg6WjjN6n 3/XdYALa+JpC3XhYrhDFoiS2VJPjh4u4kcDdPhmRASJ8r8dHT/lDSbBMOxsbS0rQ8qY0 d2BA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pJM7FgycHiZqoGN5XawP4WFODSB9bVBDRrQHj6fl+Ds=; b=NVrY0jCbGZXDGmewNheZZGLaq1g2an8//eJEYBdd35xyhTSyMbd7viR6+oLnGDIeqV 8w5vpajBC0htlwGWm6uaxRlhv3BgBhZ6zzErqD4kEeYTJuobBth2QYzgFJ1409Gd8CCl ktQIxC+rCDmSmagiRT1dJLlGyJ67hpcOvzP1ZpldMRV1Y028+KVDFCiL5yLaqrzgIjxz 3KG1Jg/0YQUOXUEcbLrwo3VpcgpMmFBaZomTgE2BzKnacgFQUtHH8Bw90SUlzRZCxF8y n9pt8TwMNnOXIEH6AzR5/d10qwcs1ZwYf3bsr2oY+JiNQV/zRCug91pTPc/KcjAeLjRK mUBw==
X-Gm-Message-State: ALQs6tBLUuU1AYAosj8OomCKJXUbHXASSQZAJ2rgjYhic4RXvyckw7Gh trOfEhnuuWIsZAdBjQ+WJE4V9ywATkfJQXwZdmc=
X-Google-Smtp-Source: AIpwx49Eme+Il/JG6lptw4yUGHrpDDJp7EWT7n/KxWwA/ohZNLOdK/Nz1BHkFZfPfqDbnXl4uBRedTLX99OVh9dTsLU=
X-Received: by 2002:a19:1a88:: with SMTP id a130-v6mr3485944lfa.7.1522802144859; Tue, 03 Apr 2018 17:35:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.46.73.66 with HTTP; Tue, 3 Apr 2018 17:35:44 -0700 (PDT)
In-Reply-To: <36BBC371-54A2-43B0-8597-69782CFFD5E9@outlook.com>
References: <20180328163856.GB3126@pfrc.org> <CA+RyBmVLPBKq1wthriY44FQN51bq85w3LfSR4K6WuRi=Kr1L9w@mail.gmail.com> <BL0PR0102MB33454D88A214B8EFFDD242B5FAA70@BL0PR0102MB3345.prod.exchangelabs.com> <CA+RyBmWh+_nKd-pvyg7W2xtdOFE9BkXEqTM3W48K_rifaUAYXw@mail.gmail.com> <36BBC371-54A2-43B0-8597-69782CFFD5E9@outlook.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 03 Apr 2018 17:35:44 -0700
Message-ID: <CA+RyBmWue4iM9a2gazuTu=h-7yFN+YKEGMY8=_2C3gsj3yxekw@mail.gmail.com>
Subject: Re: WGLC BFD Authentication Drafts
To: Ashesh Mishra <mishra.ashesh@outlook.com>
Cc: Jeffrey Haas <jhaas@pfrc.org>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e85abf0568fb0067"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/UwVkEBuOTGDSrckL-u1SkiNtHUs>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 00:35:50 -0000

Hi Asheh,
thank you for the detailed response to my questions and consideration of my
comments.
I think I cannot agree that the BFD state machine remains unchanged if
optimized BFD authentication is in periodic mode. Let's consider case when
only every 5th BFD control packet is authenticated when the session is in
Up state. What happens if from some moment every authenticated packet fails
to be validated? Would the session go to Down state? But all
unauthenticated BFD control packets pass the validation check and since
only one packet seems to miss validation the session, if the state machine
remains unchanged, will stay Up.

Do you see this as plausible scenario?

Regards,
Greg

On Tue, Apr 3, 2018 at 11:03 AM, Ashesh Mishra <mishra.ashesh@outlook.com>
wrote:

> Thanks for the clarification, Greg.
>
>
>
> Here are my thoughts on the issues:
>
>
>
> *I'd break it into couple more specific questions: *
>
> ·         *can the periodic Optimized Authentication mode be used without
> authorization o state changes;*
>
> ·         *if the answer to the previous question "yes", then when the
> first authorized BFD control packet must be transmitted by the system;*
>
> ·         *does the BFD state machine (section 6.2 RFC 5880) changes
> resulting from introduction of periodic optimized authentication mode;*
>
> *[AM] The optimized authentication can be used without state changes and
> the first auth packet will be the DOWN state frame to kick-off the session
> negotiation as the proposal suggests that all DOWN state frames are
> authenticated. The state machine does not change in this proposal but it
> only indicates which frames should be authenticated and which ones can use
> NULL-AUTH TLV (un-authenticated frames). *
>
> *And additional comments:*
>
> ·         *"For example, the two ends can decide that BFD frames that
> indicate a state change should be authenticated and enable authentication
> on those frames only."*
>
> *I don't think that nodes "decide" anything but are configured to do
> something.*
>
>
>
> *[AM] I agree that the language is not accurate. We’ll change it in the
> next revision. The intention is to use indicate configuration rather than
> negotiation. *
>
> ·         *"If the two ends have not previously negotiated which frames
> they will transmit or receive with authentication enabled ..."*
>
> *I couldn't find the negotiation procedure being described in the
> document. Is it out-of-band, i.e. by control or management plane, not part
> of this BFD enhancement?*
>
>
>
> *[AM] The language should indicate configuration instead of negotiation. *
>
> ·         *"The configuration of the periodic authentication interval for
> BFD CC UP frames is an open issue."*
>
> *I believe that this open issue must be resolved in the definitive manner
> before the draft moved to WGLC.*
>
>
>
> *[AM] This line should be removed and the preceding text should indicate
> that the parameters for authentication should be configured on the session
> end-points. *
>
>
>
> Regards,
> Ashesh
>
>
>
> *From: *Greg Mirsky <gregimirsky@gmail.com>
> *Date: *Monday, April 2, 2018 at 12:34 PM
> *To: *Ashesh Mishra <mishra.ashesh@outlook.com>
> *Cc: *Jeffrey Haas <jhaas@pfrc.org>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
>
> *Subject: *Re: WGLC BFD Authentication Drafts
>
>
>
> Hi Asheh,
>
> thank you for taking time to review the minutes from BFD WG meeting at
> IETF-98. I don't think that we had enough time to discuss in details my
> question:
>
> Greg Mirsky: One of the possible modes when the session is up is to use
> authentication with periodic timer trigger?
>
> I'd break it into couple more specific questions:
>
>    - can the periodic Optimized Authentication mode be used without
>    authorization o state changes;
>    - if the answer to the previous question "yes", then when the first
>    authorized BFD control packet must be transmitted by the system;
>    - does the BFD state machine (section 6.2 RFC 5880) changes resulting
>    from introduction of periodic optimized authentication mode;
>
> And additional comments:
>
>    - "For example, the two ends can decide that BFD frames that indicate
>    a state change should be authenticated and enable authentication on those
>    frames only."
>
> I don't think that nodes "decide" anything but are configured to do
> something.
>
>
>    - "If the two ends have not previously negotiated which frames they
>    will transmit or receive with authentication enabled ..."
>
> I couldn't find the negotiation procedure being described in the document.
> Is it out-of-band, i.e. by control or management plane, not part of this
> BFD enhancement?
>
>
>    - "The configuration of the periodic authentication interval for BFD
>    CC UP frames is an open issue."
>
> I believe that this open issue must be resolved in the definitive manner
> before the draft moved to WGLC.
>
>
>
> Regards,
>
> Greg
>
>
>
>
>
> On Sun, Apr 1, 2018 at 6:11 PM, Ashesh Mishra <mishra.ashesh@outlook.com>
> wrote:
>
> Hi Greg,
>
>
>
> Your questions in the IETF-98 meeting seemed to stem from the challenges
> of authentication in fast BFD sessions at high scale.
>
>
>
> I'll address the issue in two parts -
>
>
>
> "Is there a need for authenticated BFD sessions?" - I believe we can all
> agree that there is a clear market need for BFD authentication. So we
> should direct the conversation to the way in which we can address this
> requirement.
>
>
>
> "How can authentication work at scale?" - BFD authentication puts
> significant stress on the system and a non-meticulous method alleviates
> this computation pressure. That's the premise of this draft as it presents
> a way to relieve the BFD authentication requirement based on the capability
> of the system to handle the additional stress which maintaining the
> session scale.
>
>
>
> There are some BFD systems in the market, which are not conducive to
> authentication (even the optimized method), where the impediment to
> authentication is due to the implementation details specific to that vendor
> or system.
>
>
>
> I believe all these issues were address during the meeting. Are there any
> specific questions that I missed or any recommendations for the method in
> which the requirements can be addressed?
>
>
>
> Thanks,
>
> Ashesh
> ------------------------------
>
> *From:* Rtg-bfd <rtg-bfd-bounces@ietf.org> on behalf of Greg Mirsky <
> gregimirsky@gmail.com>
> *Sent:* Thursday, March 29, 2018 4:09:32 AM
> *To:* Jeffrey Haas
> *Cc:* rtg-bfd@ietf.org
> *Subject:* Re: WGLC BFD Authentication Drafts
>
>
>
> Dear WG Chairs, et. al,
>
> I cannot support WG LC for draft-ietf-bfd-optimizing-authentication as my
> comments at BFD WG meeting dating back to IETF-98
> <https://datatracker.ietf.org/meeting/98/materials/minutes-98-bfd-00> still
> not have been addressed nor even there was an attempt to address. As I've
> asked to clarify impact of the proposed mechanism, particularly periodic
> authentication, on the BFD State Machine, I'd point that the proposed
> mechanism directly affects BFD security as discussed in RFC 5880 and the
> section Security Considerations in the document, in my view, does not
> adequately reflects that and doesn't explain how the security of the BFD
> session maintained when the periodic authentication is in use.
>
>
>
> Regards,
>
> Greg
>
>
>
> On Wed, Mar 28, 2018 at 7:38 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>
> Working Group,
>
> The authors of the following Working Group drafts have requested
> Working Group Last Call on the following documents:
>
> https://tools.ietf.org/html/draft-ietf-bfd-secure-sequence-numbers-01
> https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-04
> https://tools.ietf.org/html/draft-ietf-bfd-stability-01
>
> Given the overlap of functionality, WGLC will conclude for the bundle
> simultaneously.
>
> Authors, please positively acknowledge whether or not you know about any
> IPR
> for your documents.  Progression of the document will not be done without
> that statement.
>
> Last call will complete on April 20.
>
> -- Jeff
>
>
>
>
>