IETF Logo Mail Archive

Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt

Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 26 July 2021 23:25 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41CEF3A0A34; Mon, 26 Jul 2021 16:25:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99y6vfYZWXTW; Mon, 26 Jul 2021 16:25:31 -0700 (PDT)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D09A3A0A33; Mon, 26 Jul 2021 16:25:31 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id d1so6311906pll.1; Mon, 26 Jul 2021 16:25:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=b5g8CScSxLA7tyPmXcHJoZIpLmh2pb7FEhjtqFaIoAE=; b=OLxD+bJvZAkLlwvBz+3/hUO6hUM7azX0oqnmpg2sIBOVBOdXyE3ohD7lRApIYZnQDt ewLfgDcCvhJlY7eDYE5Xtj3rrw8jPp8ULQM66v9sM4x63nOVSm/UOvSjAOzurtaQzPiW SZMJse335Ng0ZNyAseit58nr6CE7kb/sqdFJJ03XEKGgLWO8hkwX2qlSRiLwb+NVZiAJ 002w4PN+yMZA5Hjt9WJtH89I0MLyezH3VVBz1hiockEfPgBI0aU7W+YSFlaLfoLz7iAW X0HeDeFGhN7QbGF7b8VnEBOQidvQohZfnJ2nr3VT0soCmOXGC5/p5/mPEm43eCsgckC+ FK0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=b5g8CScSxLA7tyPmXcHJoZIpLmh2pb7FEhjtqFaIoAE=; b=CmKAHetj88yii3cCyyb5h8mnFj9QRQJt+T6vA3+uaA1xdE9+0mK7nZ6RuQ5l2Ggkg2 KaPiQP0URb8JwRzh8nvetP0gkJ0+NM0PYfj9mh7ncwAYKS2dFqOzdA+dV9XEZV3qA5hU 6tflMazWShZqLTSi4/RTLybj3IzXMRbLTqPT/QvOgTEitO6g3ThnNPivH4HBHg5xaHRH d5pV63a0L2zQDNr30WeTlh7cmfaieSey5JVl6j8/YIARlDljUKo2+vPQ0g8gHPsHVWXq Ydo/TCBKfq9mmrutFu5X0wMUYfxfBMGTeqTQk3FLXpFwjDcGKkk54X0HVo4FMHntDqAY yjxg==
X-Gm-Message-State: AOAM5338mGrXt/QFHPtOg2hpQzp3bbWYS0MRLXtVu5ILuRJ+uejTI/pS sdmJ+L70kipcWGqQVcA/f4Tdl3O2uN2Ffg==
X-Google-Smtp-Source: ABdhPJxrmegJd+EXVe5gyFY9/RfJ/WOSAnRJO/6HZeebNuRPZSudTzy9tBXxgKAf/xEYt2RZ8aNeCg==
X-Received: by 2002:a63:5a42:: with SMTP id k2mr16196324pgm.301.1627341928981; Mon, 26 Jul 2021 16:25:28 -0700 (PDT)
Received: from [192.168.1.133] ([76.21.92.206]) by smtp.gmail.com with ESMTPSA id p53sm1129900pfw.168.2021.07.26.16.25.27 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Jul 2021 16:25:28 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <173DA06B-21E7-42A4-8EFF-82AA3D84B338@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7B722D92-2663-4530-965F-B7B32F9B65B8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Subject: Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt
Date: Mon, 26 Jul 2021 16:25:25 -0700
In-Reply-To: <20210726144826.GB32584@pfrc.org>
Cc: Alan DeKok <aland@freeradius.org>, "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, Reshad Rehman <reshad@yahoo.com>, draft-ietf-bfd-secure-sequence-numbers@ietf.org
To: Jeffrey Haas <jhaas@pfrc.org>
References: <20210405171412.GB12257@pfrc.org> <4831ADD8-6E8D-4CDD-966F-B273A3AF45C5@freeradius.org> <20210405184656.GE12257@pfrc.org> <468C7D1D-7BE2-4759-9D81-0E18725FCA90@freeradius.org> <20210405190821.GF12257@pfrc.org> <14A4DD6D-7002-45A9-8FE4-42B512E97318@freeradius.org> <D48909A0-D7E9-40DA-83DA-CB0327D2D586@gmail.com> <096BC9E7-8877-4EF3-A94B-394AFE0E76E7@freeradius.org> <20210726141455.GA32584@pfrc.org> <211EC22C-F4AB-4FE6-98AB-511C5CE4EB8B@freeradius.org> <20210726144826.GB32584@pfrc.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/Xj7dvbDZcd9oEA2dfgflayCK_x0>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2021 23:25:36 -0000

Hi Jeff,


> On Jul 26, 2021, at 7:48 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> 
> What's being requested is that our specifications have some specificity and
> a proposal be made for a suitable mechanism and how it integrates into BFD.
> :-)

Here are the set of changes that I propose we make to the draft to bring the specificity that you are requesting. For the introductory part of the document there is no reference to the method being applied to come up with a sequence number. It just states that the sequence number inserted is not the monotonically increasing sequence number. As such no changes are needed there.

The change therefore starts in Section 3 - Theory of operation. There are two changes that I see. One has to do with carrying of nonce in the first packet, and the other has to do with existing text in the section.

For the carrying of nonce in the first packet, Alan has already suggested adding the authentication section in the first packet. We will add text to that effect.

As far as the existing text in the section is concerned, we will replace reference to “symmetric key algorithm” and “symmetric algorithm” with “hash”. As a result, the sender will include a ciphertext that is a 32-bit hash computed using one of the algorithms Alan has suggested using a shared key (that is not necessarily symmetric) and inserted in-lieu of the sequence number of the packet. Yes, this draft is about obfuscation of the sequence number field of the packet, not the entire packet.  On reception of the BFD Control packet, the receiver instead of decrypting the ciphertext inserted in-place of the sequence number, will instead compare the ciphertext to pre-computed set of hashes using the same shared key, on the next k expected sequence numbers that are within the BFD Detect Multiplier range. If there is a match, the receiver will replace the ciphertext in the packet with the expected sequence number and pass the frame for further processing. In the case there is no match, it will drop the packet.

There are some similar updates to the Security Considerations section to replace “symmetric algorithm” with “hash”.

Are these set of changes enough to bring the specificity that you are looking for?

Thanks.

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email