Re: I-D Action: draft-ietf-bfd-optimizing-authentication-06.txt

Jeffrey Haas <jhaas@pfrc.org> Mon, 29 October 2018 16:11 UTC

Date: Mon, 29 Oct 2018 12:10:26 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: Mahesh Jethanandani <mjethanandani@gmail.com>, Greg Mirsky <gregimirsky@gmail.com>
Cc: rtg-bfd WG <rtg-bfd@ietf.org>
Subject: Re: I-D Action: draft-ietf-bfd-optimizing-authentication-06.txt
Message-ID: <20181029161026.GO12336@pfrc.org>
References: <153930035253.7105.12758186259660848661@ietfa.amsl.com> <D4B8FC5E-7FCE-4E53-A00C-BFE1530F56FC@gmail.com> <CA+RyBmXMOJOamDDk4bJu3tvgPCRet4=1GZEZJBobrxDPxkB6jA@mail.gmail.com> <8FC1854D-DA08-48FB-A291-B293AB1464EF@gmail.com> <CA+RyBmWQ1MkAh8eAm2mYEczPGL=y9HYFMvRjj-P50JFiiqOGGA@mail.gmail.com>
In-Reply-To: <CA+RyBmWQ1MkAh8eAm2mYEczPGL=y9HYFMvRjj-P50JFiiqOGGA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/baVsboGQfc1g8e9jUs-eeJ8qGJw>
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>

Mahesh,

On Mon, Oct 15, 2018 at 09:24:59PM -0700, Greg Mirsky wrote:
> thank you for your quick response. The comment regarding the state change,
> as I understand from the minutes, came from Jeff.
> Yes, the question was about the periodic authentication in Up state. I
> believe that at the meeting WG arrived at a very good solution and we've
> agreed to make the appropriate changes in the document. I don't think that
> the current version reflects the WG decision that in Up state authenticated
> BFD control packets are transmitted periodically in sets of not less than
> Detect Multiplier.

I think the text is very close to what we'd likely want.  Here's the text in
the current draft:

:    Most frames transmitted on a BFD session are BFD CC UP frames.
:    Authenticating a small subset of these frames, for example, a detect
:    multiplier number of packets per configured period, significantly
:    reduces the computational demand for the system while maintaining
:    security of the session across the configured authentication periods.

Given BFD procedures, I believe we'd normally want to transmit at *least*
Detect Multiplier number of packets to ensure that the remote site has seen it.

How about the following text?

Most frames transmitted on a BFD session are BFD CC UP frames.
Authenticating a small subset of these frames significantly
reduces the computational demand for the system while maintaining
security of the session across the configured authentication periods.
A minimum of Detect Multiplier packets MUST be transmitted per configured
periodic authentication interval.  This ensures that the BFD session sees
at least one authenticated packet during that interval.

-- Jeff
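An added example, written for this page and not taken from the draft, from Jeff's mail or from any BFD implementation: a small Python simulation of the rule in the proposed text. Its assumptions are mine, not the draft's: the sender authenticates the first N packets of each periodic authentication interval and sends the rest as plain CC UP packets; the receiver's Detection Time expires after Detect Multiplier consecutive missed packets, as in RFC 5880; and the authentication data is modelled as an HMAC over a single sequence field rather than a full Keyed SHA-1 Auth Section. The code enumerates every loss pattern that leaves the session Up and reports the fewest verified authenticated packets any interval ends up with, which is the property the MUST is meant to secure. It goes slightly beyond the text by also giving the closed-form guarantee for bursts larger than Detect Multiplier.

```python
import hashlib
import hmac
import itertools
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional

# Constructed sample key for the simulation; not a real credential.
KEY = b"example-shared-key"


@dataclass(frozen=True)
class ControlPacket:
    seq: int               # transmit order; stands in for the Sequence Number field
    interval_no: int       # which periodic authentication interval the packet belongs to
    auth: Optional[bytes]  # authentication data, or None for a plain (unauthenticated) CC UP packet


def auth_tag(key: bytes, seq: int) -> bytes:
    """Stand-in for a keyed-hash Auth Type: HMAC-SHA256 over the one field we model."""
    return hmac.new(key, seq.to_bytes(4, "big"), hashlib.sha256).digest()


def transmit_schedule(key: bytes, detect_mult: int, pkts_per_interval: int,
                      n_intervals: int, auth_per_interval: Optional[int] = None) -> List[ControlPacket]:
    """Sender in Up state: authenticate the first auth_per_interval packets of every
    interval and send the rest unauthenticated (assumed scheduling policy).  The
    default is the proposed minimum, Detect Multiplier packets per interval."""
    if auth_per_interval is None:
        auth_per_interval = detect_mult
    pkts: List[ControlPacket] = []
    seq = 0
    for interval in range(n_intervals):
        for k in range(pkts_per_interval):
            tag = auth_tag(key, seq) if k < auth_per_interval else None
            pkts.append(ControlPacket(seq, interval, tag))
            seq += 1
    return pkts


def receive(key: bytes, pkts: List[ControlPacket], lost: FrozenSet[int], detect_mult: int) -> Dict:
    """Receiver: count verified authenticated packets per interval.  Missing detect_mult
    packets in a row exhausts the Detection Time, so the session is reported Down and
    the per-interval guarantee no longer matters."""
    verified = {p.interval_no: 0 for p in pkts}
    failures = 0
    run = 0  # consecutive packets not received
    for p in pkts:
        if p.seq in lost:
            run += 1
            if run >= detect_mult:
                return {"up": False, "verified": verified, "auth_failures": failures}
            continue
        run = 0
        if p.auth is None:
            continue  # unauthenticated CC UP packet: processed, but earns the interval nothing
        if hmac.compare_digest(p.auth, auth_tag(key, p.seq)):
            verified[p.interval_no] += 1
        else:
            failures += 1  # bad tag: discard, never credit it to the interval
    return {"up": True, "verified": verified, "auth_failures": failures}


def exhaustive_min_verified(key: bytes, detect_mult: int, pkts_per_interval: int,
                            n_intervals: int, auth_per_interval: Optional[int] = None) -> int:
    """Try every loss pattern that leaves the session Up and return the fewest verified
    packets any interval ends up with.  0 means an interval can pass with no
    authentication at all while the session stays Up."""
    pkts = transmit_schedule(key, detect_mult, pkts_per_interval, n_intervals, auth_per_interval)
    worst = len(pkts)
    for r in range(len(pkts) + 1):
        for lost in itertools.combinations(range(len(pkts)), r):
            res = receive(key, pkts, frozenset(lost), detect_mult)
            if res["up"]:
                worst = min(worst, min(res["verified"].values()))
    return worst


def guaranteed_verified(detect_mult: int, auth_per_interval: int) -> int:
    """Closed form of the same bound: an Up session never misses detect_mult packets in
    a row, so every window of detect_mult authenticated packets delivers at least one."""
    return auth_per_interval // detect_mult


def tampered(pkts: List[ControlPacket], seq: int) -> List[ControlPacket]:
    """Corrupt the tag on one authenticated packet (simulated on-path modification)."""
    return [replace(p, auth=bytes(32)) if p.seq == seq and p.auth is not None else p for p in pkts]


if __name__ == "__main__":
    DM = 3
    for auth_count in (DM - 1, DM, 2 * DM):
        print(f"DetectMult={DM}, {auth_count} authenticated/interval: "
              f"worst case verified = {exhaustive_min_verified(KEY, DM, 6, 2, auth_count)} "
              f"(closed form {guaranteed_verified(DM, auth_count)})")
```

Running the block shows the point of the MUST directly: with fewer than Detect Multiplier authenticated packets per interval, an ordinary loss run that the session survives can erase every authenticated packet of that interval, leaving the peer with nothing to verify while it still believes the session is Up; with exactly Detect Multiplier the worst case is one verified packet, and the guarantee grows as floor(N / DetectMult) for larger bursts. The tampered-packet path also shows that a packet with a bad tag must be discarded rather than counted toward the interval, or a forger could satisfy the check for free.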