Re: I-D Action: draft-ietf-bfd-optimizing-authentication-06.txt

Jeffrey Haas <jhaas@pfrc.org> Mon, 29 October 2018 16:11 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC570130FF8 for <rtg-bfd@ietfa.amsl.com>; Mon, 29 Oct 2018 09:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1h2tB3NxU-g6 for <rtg-bfd@ietfa.amsl.com>; Mon, 29 Oct 2018 09:11:05 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id BE9461292F1 for <rtg-bfd@ietf.org>; Mon, 29 Oct 2018 09:11:05 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 36EF41E44B; Mon, 29 Oct 2018 12:10:27 -0400 (EDT)
Date: Mon, 29 Oct 2018 12:10:26 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: Mahesh Jethanandani <mjethanandani@gmail.com>, Greg Mirsky <gregimirsky@gmail.com>
Cc: rtg-bfd WG <rtg-bfd@ietf.org>
Subject: Re: I-D Action: draft-ietf-bfd-optimizing-authentication-06.txt
Message-ID: <20181029161026.GO12336@pfrc.org>
References: <153930035253.7105.12758186259660848661@ietfa.amsl.com> <D4B8FC5E-7FCE-4E53-A00C-BFE1530F56FC@gmail.com> <CA+RyBmXMOJOamDDk4bJu3tvgPCRet4=1GZEZJBobrxDPxkB6jA@mail.gmail.com> <8FC1854D-DA08-48FB-A291-B293AB1464EF@gmail.com> <CA+RyBmWQ1MkAh8eAm2mYEczPGL=y9HYFMvRjj-P50JFiiqOGGA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CA+RyBmWQ1MkAh8eAm2mYEczPGL=y9HYFMvRjj-P50JFiiqOGGA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/baVsboGQfc1g8e9jUs-eeJ8qGJw>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Oct 2018 16:11:07 -0000

Mahesh,

On Mon, Oct 15, 2018 at 09:24:59PM -0700, Greg Mirsky wrote:
> thank you for your quick response. The comment regarding the state change,
> as I understand from the minutes, came from Jeff.
> Yes, the question was about the periodic authentication in Up state. I
> believe that at the meeting WG arrived at a very good solution and we've
> agreed to make the appropriate changes in the document. I don't think that
> the current version reflects the WG decision that in Up state authenticated
> BFD control packets are transmitted periodically in sets of not less than
> Detect Multiplier.

I think the text is very close to what we'd likely want.  Here's the text in
the current draft:

:    Most frames transmitted on a BFD session are BFD CC UP frames.
:    Authenticating a small subset of these frames, for example, a detect
:    multiplier number of packets per configured period, significantly
:    reduces the computational demand for the system while maintaining
:    security of the session across the configured authentication periods.

Given BFD procedures, I believe we'd normally want to transmit at *least*
Detect Multiplier number of packets to ensure that the remote site has seen it.

How about the following text?

Most frames transmitted on a BFD session are BFD CC UP frames.
Authenticating a small subset of these frames, significantly
reduces the computational demand for the system while maintaining
security of the session across the configured authentication periods.
A minimum of Detect Multiplier packets MUST be transmitted per configured
periodic authentication interval.  This ensures that the BFD session should
see at least one authenticated packet during that interval.

-- Jeff