Re: I-D Action: draft-ietf-bfd-stability-11.txt
Jeffrey Haas <jhaas@pfrc.org> Tue, 23 January 2024 14:54 UTC
Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 204BFC14F6FB; Tue, 23 Jan 2024 06:54:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vc_9dv3miWz3; Tue, 23 Jan 2024 06:54:20 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id C40A5C14F5EA; Tue, 23 Jan 2024 06:54:16 -0800 (PST)
Received: by slice.pfrc.org (Postfix, from userid 1001) id E12451E28C; Tue, 23 Jan 2024 09:54:15 -0500 (EST)
Date: Tue, 23 Jan 2024 09:54:15 -0500
From: Jeffrey Haas <jhaas@pfrc.org>
To: rtg-bfd@ietf.org
Cc: draft-ietf-bfd-stability@ietf.org
Subject: Re: I-D Action: draft-ietf-bfd-stability-11.txt
Message-ID: <20240123145415.GA6341@pfrc.org>
References: <170597105372.48721.7411542216011306939@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <170597105372.48721.7411542216011306939@ietfa.amsl.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/a6OyqJCU_VoLw7wyqgVdSnmYYYo>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2024 14:54:24 -0000
Authors, Thanks for the refresh on the stability document as we work toward winding up the authentication feature bundle. A few comment from the update using the id-nits line numbering: On Mon, Jan 22, 2024 at 04:50:53PM -0800, internet-drafts@ietf.org wrote: > Internet-Draft draft-ietf-bfd-stability-11.txt is now available. It is a work > item of the Bidirectional Forwarding Detection (BFD) WG of the IETF. > > Title: BFD Stability [...] > The IETF datatracker status page for this Internet-Draft is: > https://datatracker.ietf.org/doc/draft-ietf-bfd-stability/ 126 4. BFD Null-Authentication Type 128 The functionality proposed for BFD stability measurement is achieved 129 by appending an authentication section with the NULL Authentication 130 type (as defined in Optimizing BFD Authentication 131 [I-D.ietf-bfd-optimizing-authentication] ) to the BFD control packets 132 that do not have authentication enabled. This section is correct, but not wholly so. Using the section below: 134 5. Theory of Operation 136 This mechanism allows operators to measure the loss of BFD control 137 packets. 139 When using MD5 or SHA authentication, BFD uses an authentication 140 section that carries the Sequence Number. However, if non-meticulous 141 authentication is being used, or no authentication is in use, then 142 the non-authenticated BFD control packets MUST include an 143 authentication section with the NULL Authentication type. These two sections together are trying to articulate the more fundamental requirement: Meticulous authentication carries an increasing sequence number in each BFD packet, regardless of the type. When meticulous authentication is in use, dropped packets can be detected by looking at the sequence numbers. Thus, "no authentication" isn't a valid scenario, it's "minimally, use the NULL auth type". The same applies to simple password. Non-meticulous can't help us here. There's thus the option with non-meticulous is interspersing non-meticulous with a meticulous mode that is inexpensive enough. NULL is an option, as is Meticulous Keyed ISAAC. The configuration requirement is thus similar to the discussion resolving in the optimizing authentication thread. There needs to be a "primary" authentication, with a set of acceptable "secondary". For optimizing authentication scenarios, this is a "stronger" for startup and transitions, and a "weaker" mode. For bfd stability, it's the allowable mix such that the full mix is always meticulous. 155 The first BFD authentication section with a non-zero sequence number, 156 in a valid BFD control packet, processed by the receiver is used for 157 bootstrapping the logic. When using secure sequence numbers, if the 158 expected values are pre-calculated, the value must be matched to 159 detect lost packets as defined in BFD secure sequence numbers 160 [I-D.ietf-bfd-secure-sequence-numbers]. The text covering secure sequence numbers is stale and no longer covers current Meticulous Keyed ISAAC procedures. I think you can fix this simply by dropping that text. -- Jeff
- I-D Action: draft-ietf-bfd-stability-11.txt internet-drafts
- Re: I-D Action: draft-ietf-bfd-stability-11.txt Jeffrey Haas