IETF Logo Mail Archive

Re: WGLC BFD Authentication Drafts

Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 02 July 2018 18:42 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59D53131130 for <rtg-bfd@ietfa.amsl.com>; Mon, 2 Jul 2018 11:42:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQ_nZ3JPYyoa for <rtg-bfd@ietfa.amsl.com>; Mon, 2 Jul 2018 11:41:55 -0700 (PDT)
Received: from mail-pf0-x233.google.com (mail-pf0-x233.google.com [IPv6:2607:f8b0:400e:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5660D130EC1 for <rtg-bfd@ietf.org>; Mon, 2 Jul 2018 11:41:55 -0700 (PDT)
Received: by mail-pf0-x233.google.com with SMTP id j3-v6so7895923pfh.11 for <rtg-bfd@ietf.org>; Mon, 02 Jul 2018 11:41:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=3dtonyPv3b8ZuTddWIgermu6Irc5llzDZkYEaXvBMgw=; b=HtH3HmFO1bfebNDeKzxT/8E2jfZxAJ82uTF9j1F7zxcRKJFz+rMcERIq+pD7IMtwWL sRdwsgvEaHf9SLu5HYb0PxVIZZOoDPHmmnR7V3y8knSaTVczSnS0K7GcGit48fSLnd8C r2ifWvlNaQUMSBDBe7dk0NDn8PkdhsoSV/gLrm/ftQ2NYCT6VxF3k/F1TlMp75wamvCL KzpYhWYO2kkbzAxwzBkyyDRdUxy8fulSPNlq7bmokf/1qwVdP/ChQr3qFaAIM3ZlVKYe NlbCxGN2jVBRpHRKIlbC9UmuF5oFcSDId6lfUa7WKYFLDyQOa/HaEERv4pp5g10qwyKI 8bvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=3dtonyPv3b8ZuTddWIgermu6Irc5llzDZkYEaXvBMgw=; b=X/WxGh1FxqKgXPY1CgH95tL9l0o/gq7FQJft3XPYnx2eQD8su/d9a1y6etS/soRkwT aAmRx+nGgnx97GPgFE68XgF+eoRVBV7YndLJ8LsbJzO2CX0e6lidFJ//QMJkEt4os6qn 9DwS2HLoORfgcn0EIGH7oWdngA7qYBO1EUDHjHHd8zDx0XilBiMzte7BysvUSVZQ26PK 9wBEVWRc0yag1qKg0eO0X7sXj3I6uMIkEuQe/mN3WZcO/gblysMAm6hQm5NkaDB7P7X8 4hW3pjtzdv3nbH2aTsnT9aRfCHZ11zLDhK9CxplyDBvI4u52NNMzA9WO7xfTKQ5YV6YU U7YA==
X-Gm-Message-State: APt69E0Om6XIa+d3T+i1IGWrZOev+X5z0wT5l+4UopBdjQl3lb09kKfv UfQFB5nxFU1CC9yggwtzzyM=
X-Google-Smtp-Source: ADUXVKJn84u6RXhjLryA3bDbxZZ23lw6NkOanHsvNQKqYiN4LcjRawu5CyLkbHpyfvAIXvFtIKTVrg==
X-Received: by 2002:a65:4809:: with SMTP id h9-v6mr22896670pgs.258.1530556914778; Mon, 02 Jul 2018 11:41:54 -0700 (PDT)
Received: from ?IPv6:2601:647:4700:1280:1df:c58b:5fe0:6a3a? ([2601:647:4700:1280:1df:c58b:5fe0:6a3a]) by smtp.gmail.com with ESMTPSA id k187-v6sm8379477pgc.23.2018.07.02.11.41.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Jul 2018 11:41:53 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <6434EAB4-389D-4D1D-BCC6-E527FE187D11@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DA8AF295-C5DC-461F-B2BA-7FA68CC90920"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Subject: Re: WGLC BFD Authentication Drafts
Date: Mon, 02 Jul 2018 11:41:52 -0700
In-Reply-To: <CA+RyBmUN=-rx9rhtR-Rs9StCa4s3Jbs5-nkY7Crz-x9CF8cU-Q@mail.gmail.com>
Cc: Ashesh Mishra <mishra.ashesh@outlook.com>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
To: Greg Mirsky <gregimirsky@gmail.com>
References: <20180328163856.GB3126@pfrc.org> <CA+RyBmVLPBKq1wthriY44FQN51bq85w3LfSR4K6WuRi=Kr1L9w@mail.gmail.com> <BL0PR0102MB33454D88A214B8EFFDD242B5FAA70@BL0PR0102MB3345.prod.exchangelabs.com> <CA+RyBmWh+_nKd-pvyg7W2xtdOFE9BkXEqTM3W48K_rifaUAYXw@mail.gmail.com> <36BBC371-54A2-43B0-8597-69782CFFD5E9@outlook.com> <CA+RyBmWue4iM9a2gazuTu=h-7yFN+YKEGMY8=_2C3gsj3yxekw@mail.gmail.com> <350B7795-76FC-4E7A-9532-2F3CF0577C31@outlook.com> <CA+RyBmVXzaHo1_AjkuYdGCJ2MUOPdobXS8awA0Fn9O8+JMFVQQ@mail.gmail.com> <CC7A767C-DE45-4349-8C65-BA28A4746830@gmail.com> <CA+RyBmUN=-rx9rhtR-Rs9StCa4s3Jbs5-nkY7Crz-x9CF8cU-Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/eWK4luSGxc22l-MHh4SjM2cmi_0>
X-Mailman-Approved-At: Tue, 03 Jul 2018 07:09:36 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2018 18:42:09 -0000

Hi Greg,

The suggestion to authenticate every Nth frame came to us when we initially presented the draft. It was not part of the original draft. If I remember, the reason given was that if a MITM had taken over the session, then authenticating an occasional frame would help detect that. Note, however, a MITM cannot change the state of the session, because a change in the state of the session requires those frames to be authenticated by the sender, and for those frames to be marked valid by the receiver.

Cheers.  

> On Jul 2, 2018, at 11:06 AM, Greg Mirsky <gregimirsky@gmail.com> wrote:
> 
> Hi Mahesh,
> you've said:
> 
> If three or more frames are discarded because one or all three of them were marked with NULL Auth TLV, and all of them fail authentication, the receiver brings the session down. Again, this is no different from three or more unauthenticated or meticulously authenticated frames being discarded, causing the receiver to bring the session down.
> 
> My understanding of periodic mode is that when the BFD session is in Up state every Nth BFD Control packet is authenticated while rest of packets are not. Consider the scenario when each authenticated packet fails validation while unauthenticated packet pass. Would the state of the session remain Up? If so, what is the purpose of authentication? If not, if the session transitions to Down state, then it is, in my opinion, the change to BFD state machine per RFC 5880.
> 
> Regards,
> Greg
> 
> On Mon, Jul 2, 2018 at 9:58 AM, Mahesh Jethanandani <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>> wrote:
> Picking up on this thread.
> 
> The way to look at this draft is, that it suggests which frames will undergo authentication. This draft does not suggest any change to the state machine, or believe it causes a change in it. Frames that need authentication will carry the NULL Auth TLV. If they are not authenticated or do not need authentication they will not have the TLV.
> 
> If a BFD session is down, and it is going through a P/F sequence the frames need to be authenticated, since these frames cause a state machine transition. If authentication fails, frames are discarded and the session remains down. This is no different from a unauthenticated or a meticulously authenticated P/F frame getting discarded, keeping the session down. 
> 
> If the session is up, and it needs to be brought down, then the frame to bring it down needs to be authenticated, again because these frames cause a change in state machine. If it fails authentication, the frame is discarded and the session remains up. Again, this is no different from a unauthenticated frame or a meticulously authenticated frame being discarded, keeping the session up.
> 
> If three or more frames are discarded because one or all three of them were marked with NULL Auth TLV, and all of them fail authentication, the receiver brings the session down. Again, this is no different from three or more unauthenticated or meticulously authenticated frames being discarded, causing the receiver to bring the session down.
> 
> Cheers.
> 
>> On Apr 9, 2018, at 12:39 PM, Greg Mirsky <gregimirsky@gmail.com <mailto:gregimirsky@gmail.com>> wrote:
>> 
>> Hi Ashesh,
>> thank you for your response to my questions.. I think I need some more of your help to locate the text in RFC 5880 that, as you've stated, mandates that the single failure to authenticate a BFD control packet in Up state triggers the transition to Down state. I only see section 6.7 that describes authentication validation and when the received control packet must be discarded because of validation failure and the following text:
>>       If the A bit is set, the packet MUST be authenticated under the
>>       rules of section 6.7, based on the authentication type in use
>>       (bfd.AuthType).  This may cause the packet to be discarded.
>> But I don't find any text that states that if authentication is in use, then Detect Time calculated regardless of the value of the Detect Mult field. Perhaps I will extend the description of the scenario:
>> authentication is in use and every, for example, the fourth packet to be authenticated, i.e. three control packets with NULL Auth TLV followed by "real" authenticated control packet;
>> initial packets, three-way handshake, pass authentication verification and the session is Up;
>> at some point, the verification of the "real" authenticated packets fails and it is discarded;
>> packets with NUL Auth TLV pass the validation.
>> Appreciate your consideration and help.
>> 
>> Regards,
>> Greg
>> 
>> On Mon, Apr 9, 2018 at 10:51 AM, Ashesh Mishra <mishra.ashesh@outlook.com <mailto:mishra.ashesh@outlook.com>> wrote:
>> Hi Greg,
>> 
>>  
>> 
>> What I meant to say was that the state machine remains the same as in the case of 5880 authentication. If an authentication frame fails validation then the session goes down regardless of good OPER-UP frames (authentication or normal) before or after that frame. Since the behavior in 5880 does not require any more than 1 frame to fail validation, the mechanism works as-is in the new proposal. Once the session is down, all frames need to be authenticated to bring the session up so again, the session can’t come back up just because the frame that failed validation is followed by a stream of unauthenticated frames.
>> 
>>  
>> 
>> Hope that addresses the gap that you presented.
>> 
>>  
>> 
>> Ashesh
>> 
>>  
>> 
>> From: Greg Mirsky <gregimirsky@gmail..com <mailto:gregimirsky@gmail.com>>
>> 
>> 
>> Date: Tuesday, April 3, 2018 at 8:35 PM
>> 
>> 
>> To: Ashesh Mishra <mishra.ashesh@outlook.com <mailto:mishra.ashesh@outlook.com>>
>> Cc: Jeffrey Haas <jhaas@pfrc.org <mailto:jhaas@pfrc.org>>, "rtg-bfd@ietf.org <mailto:rtg-bfd@ietf.org>" <rtg-bfd@ietf.org <mailto:rtg-bfd@ietf..org>>
>> Subject: Re: WGLC BFD Authentication Drafts
>> 
>>  
>> 
>> Hi Asheh, <>
>> thank you for the detailed response to my questions and consideration of my comments.
>> 
>> I think I cannot agree that the BFD state machine remains unchanged if optimized BFD authentication is in periodic mode. Let's consider case when only every 5th BFD control packet is authenticated when the session is in Up state. What happens if from some moment every authenticated packet fails to be validated? Would the session go to Down state? But all unauthenticated BFD control packets pass the validation check and since only one packet seems to miss validation the session, if the state machine remains unchanged, will stay Up.
>> 
>>  
>> 
>> Do you see this as plausible scenario?
>> 
>>  
>> 
>> Regards,
>> 
>> Greg
>> 
>>  
>> 
>> On Tue, Apr 3, 2018 at 11:03 AM, Ashesh Mishra <mishra.ashesh@outlook.com <mailto:mishra.ashesh@outlook.com>> wrote:
>> 
>> Thanks for the clarification, Greg.
>> 
>>  
>> 
>> Here are my thoughts on the issues:
>> 
>>  
>> 
>> I'd break it into couple more specific questions:
>> 
>> ·         can the periodic Optimized Authentication mode be used without authorization o state changes;
>> 
>> ·         if the answer to the previous question "yes", then when the first authorized BFD control packet must be transmitted by the system;
>> 
>> ·         does the BFD state machine (section 6.2 RFC 5880) changes resulting from introduction of periodic optimized authentication mode;
>> 
>> [AM] The optimized authentication can be used without state changes and the first auth packet will be the DOWN state frame to kick-off the session negotiation as the proposal suggests that all DOWN state frames are authenticated. The state machine does not change in this proposal but it only indicates which frames should be authenticated and which ones can use NULL-AUTH TLV (un-authenticated frames).
>> 
>> And additional comments:
>> 
>> ·         "For example, the two ends can decide that BFD frames that indicate a state change should be authenticated and enable authentication on those frames only."
>> 
>> I don't think that nodes "decide" anything but are configured to do something.
>> 
>>  
>> 
>> [AM] I agree that the language is not accurate. We’ll change it in the next revision. The intention is to use indicate configuration  rather than negotiation.
>> 
>> ·         "If the two ends have not previously negotiated which frames they will transmit or receive with authentication enabled ..."
>> 
>> I couldn't find the negotiation procedure being described in the document. Is it out-of-band, i.e. by control or management plane, not part of this BFD enhancement?
>> 
>>  
>> 
>> [AM] The language should indicate configuration instead of negotiation.
>> 
>> ·         "The configuration of the periodic authentication interval for BFD CC UP frames is an open issue."
>> 
>> I believe that this open issue must be resolved in the definitive manner before the draft moved to WGLC.
>> 
>>  
>> 
>> [AM] This line should be removed and the preceding text should indicate that the parameters for authentication should be configured on the session end-points.
>> 
>>  
>> 
>> Regards,
>> Ashesh
>> 
>>  
>> 
>> From: Greg Mirsky <gregimirsky@gmail.com <mailto:gregimirsky@gmail.com>>
>> Date: Monday, April 2, 2018 at 12:34 PM
>> To: Ashesh Mishra <mishra.ashesh@outlook.com <mailto:mishra.ashesh@outlook.com>>
>> Cc: Jeffrey Haas <jhaas@pfrc.org <mailto:jhaas@pfrc.org>>, "rtg-bfd@ietf.org <mailto:rtg-bfd@ietf.org>" <rtg-bfd@ietf.org <mailto:rtg-bfd@ietf.org>>
>> 
>> 
>> Subject: Re: WGLC BFD Authentication Drafts
>> 
>>  
>> 
>> Hi Asheh, <>
>> thank you for taking time to review the minutes from BFD WG meeting at IETF-98. I don't think that we had enough time to discuss in details my question:
>> 
>> Greg Mirsky: One of the possible modes when the session is up is to use authentication with periodic timer trigger?
>> 
>> I'd break it into couple more specific questions:
>> 
>> can the periodic Optimized Authentication mode be used without authorization o state changes;
>> if the answer to the previous question "yes", then when the first authorized BFD control packet must be transmitted by the system;
>> does the BFD state machine (section 6.2 RFC 5880) changes resulting from introduction of periodic optimized authentication mode;
>> And additional comments:
>> 
>> "For example, the two ends can decide that BFD frames that indicate a state change should be authenticated and enable authentication on those frames only."
>> I don't think that nodes "decide" anything but are configured to do something.
>> 
>> "If the two ends have not previously negotiated which frames they will transmit or receive with authentication enabled ..."
>> I couldn't find the negotiation procedure being described in the document. Is it out-of-band, i.e. by control or management plane, not part of this BFD enhancement?
>> 
>> "The configuration of the periodic authentication interval for BFD CC UP frames is an open issue."
>> I believe that this open issue must be resolved in the definitive manner before the draft moved to WGLC.
>> 
>>  
>> 
>> Regards,
>> 
>> Greg
>> 
>>  
>> 
>>  
>> 
>> On Sun, Apr 1, 2018 at 6:11 PM, Ashesh Mishra <mishra.ashesh@outlook.com <mailto:mishra.ashesh@outlook.com>> wrote:
>> 
>> Hi Greg, 
>>  
>> Your questions in the IETF-98 meeting seemed to stem from the challenges of authentication in fast BFD sessions at high scale. 
>>  
>> I'll address the issue in two parts - 
>>  
>> "Is there a need for authenticated BFD sessions?" - I believe we can all agree that there is a clear market need for BFD authentication. So we should direct the conversation to the way in which we can address this requirement. 
>>  
>> "How can authentication work at scale?" - BFD authentication puts significant stress on the system and a non-meticulous method alleviates this computation pressure. That's the premise of this draft as it presents a way to relieve the BFD authentication requirement based on the capability of the system to handle the additional stress which maintaining the session scale. 
>>  
>> There are some BFD systems in the market, which are not conducive to authentication (even the optimized method), where the impediment to authentication is due to the implementation details specific to that vendor or system. 
>>  
>> I believe all these issues were address during the meeting. Are there any specific questions that I missed or any recommendations for the method in which the requirements can be addressed? 
>>  
>> Thanks,
>> Ashesh
>> From: Rtg-bfd <rtg-bfd-bounces@ietf.org <mailto:rtg-bfd-bounces@ietf.org>> on behalf of Greg Mirsky <gregimirsky@gmail.com <mailto:gregimirsky@gmail.com>>
>> Sent: Thursday, March 29, 2018 4:09:32 AM
>> To: Jeffrey Haas
>> Cc: rtg-bfd@ietf.org <mailto:rtg-bfd@ietf.org>
>> Subject: Re: WGLC BFD Authentication Drafts
>> 
>>  
>> 
>> Dear WG Chairs, et. al, 
>> 
>> I cannot support WG LC for draft-ietf-bfd-optimizing-authentication as my comments at BFD WG meeting dating back to IETF-98 <https://datatracker.ietf.org/meeting/98/materials/minutes-98-bfd-00> still not have been addressed nor even there was an attempt to address. As I've asked to clarify impact of the proposed mechanism, particularly periodic authentication, on the BFD State Machine, I'd point that the proposed mechanism directly affects BFD security as discussed in RFC 5880 and the section Security Considerations in the document, in my view, does not adequately reflects that and doesn't explain how the security of the BFD session maintained when the periodic authentication is in use.
>> 
>>  
>> 
>> Regards,
>> 
>> Greg
>> 
>>  
>> 
>> On Wed, Mar 28, 2018 at 7:38 PM, Jeffrey Haas <jhaas@pfrc.org <mailto:jhaas@pfrc.org>> wrote:
>> 
>> Working Group,
>> 
>> The authors of the following Working Group drafts have requested
>> Working Group Last Call on the following documents:
>> 
>> https://tools.ietf.org/html/draft-ietf-bfd-secure-sequence-numbers-01 <https://tools.ietf.org/html/draft-ietf-bfd-secure-sequence-numbers-01>
>> https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-04 <https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-04>
>> https://tools.ietf.org/html/draft-ietf-bfd-stability-01 <https://tools.ietf.org/html/draft-ietf-bfd-stability-01>
>> 
>> Given the overlap of functionality, WGLC will conclude for the bundle
>> simultaneously.
>> 
>> Authors, please positively acknowledge whether or not you know about any IPR
>> for your documents.  Progression of the document will not be done without
>> that statement.
>> 
>> Last call will complete on April 20.
>> 
>> -- Jeff
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>> 
> 
> Mahesh Jethanandani
> mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>
> 

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email