IETF Logo Mail Archive

Re: Request for WG adoption of draft-mahesh-bfd-authentication

Manav Bhatia <manavbhatia@gmail.com> Thu, 03 December 2015 23:12 UTC

Return-Path: <manavbhatia@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D16AB1A03A6; Thu, 3 Dec 2015 15:12:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id abzl0dsoI-_3; Thu, 3 Dec 2015 15:12:26 -0800 (PST)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C32A1A0405; Thu, 3 Dec 2015 15:12:22 -0800 (PST)
Received: by ykdv3 with SMTP id v3so104965923ykd.0; Thu, 03 Dec 2015 15:12:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=HUjVQaM6P7UEtvSzg5ay5rPfZicVoSBRmKHuXO+brg0=; b=bXpYmNYTICk3Qz+UW1d66l8lTezeMms1Y8NcWoWIWjUVloyytK8lL0fKuztnTw9UTk Gkhhni0oNTg9pQGMQD80vg9wlS16Oo1fnNOops9yym3swKXuJSDRLiIvyLxvI26EBIuQ sdfvhgKpNxkj6ShnhBGtCcB5Sg0bt3kJg+8TOyHarbvkgqZ+/LqUPAIiAGdecK4/xLZw r+8Ujht/7+F91Qz+VlAhtVMmrf3ltNObzMCQ5D5GCqVqdYNphG4PWpfl1dl0Wb9aVOe8 id457IbxVSCQJfjszA28kb1t4HVlu3/mD1mXKj/l3gWNZ9Yd2T23sIxozPOtNTdrf1km Hg/g==
MIME-Version: 1.0
X-Received: by 10.13.250.196 with SMTP id k187mr10083395ywf.23.1449184341325; Thu, 03 Dec 2015 15:12:21 -0800 (PST)
Received: by 10.129.98.68 with HTTP; Thu, 3 Dec 2015 15:12:21 -0800 (PST)
In-Reply-To: <D285FC8A.109323%rajeenai@cisco.com>
References: <D2747638.109021%rrahman@cisco.com> <D27A74CD.10520C%rajeenai@cisco.com> <ED7433C2-8198-4D82-87BF-4F4FEA94080A@gmail.com> <D27BD707.106066%rajeenai@cisco.com> <20151201205502.GD22376@pfrc.org> <D285FC8A.109323%rajeenai@cisco.com>
Date: Fri, 04 Dec 2015 04:42:21 +0530
Message-ID: <CAG1kdoiStbKLZ68pmR773DpjSakLy1tLDhxqq9CEHEHK7y7ghA@mail.gmail.com>
Subject: Re: Request for WG adoption of draft-mahesh-bfd-authentication
From: Manav Bhatia <manavbhatia@gmail.com>
To: "Rajeev G Nair (rajeenai)" <rajeenai@cisco.com>
Content-Type: multipart/alternative; boundary="94eb2c05ed50e1005205260685e3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtg-bfd/g43GWBJJRzVOg0FA7zJGpNk_U4A>
Cc: "Reshad Rahman (rrahman)" <rrahman@cisco.com>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-mahesh-bfd-authentication@ietf.org" <draft-mahesh-bfd-authentication@ietf.org>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 23:12:28 -0000

Hi Rajeev,

I apologize for the delay in my responses. I have not been as regular in
catching up with my IETF mails as i should have been.


> Rajeev> I recommend, we call out this in draft. That this scheme doesn¹t
> protect against attacks & fail-over times may be affected in case of an
> attack.
>

This is a  catch-22 situation.

We had given a similar argument when we had proposed
draft-ietf-bfd-generic-crypto-auth and draft-ietf-bfd-hmac-sha.

All IGPs and FRR mechanisms depend upon BFD for their fast convergence. I
had argued many years ago on the BFD list that it was not good enough
securing IGPs with better algorithms since the lowest layer, i.e. BFD, was
still insecure. So your network was really only as secure as the weakest
link.

However, it turns out that the burden of authenticating each BFD frame,
primarily because of its frequency, destabilizes the protocol and adversely
affects its scaling to the point where its pretty much un-deployable. You
just cannot compute the SHA digests for each BFD packet. As a result the
two BFD security WG documents have still not been published as RFCs,
because we dont want to push a proposal as a standard unless we have some
degree of confidence that it is deployable and will work in the field. With
BFD, it appears that the two WG docs propose a strategy that we know will
not scale.

We then wrapped out heads around the security problem and came up with an
alternate approach where we reduce the computational burden on the routers
and provide a solution that we think is deployable and will work in 99% of
the cases. Sure, there will be a few scenarios where you're probably better
of authenticating each packet, but then that means that the security will
never be supported, since that just wouldnt scale.

One way to fix this would be to send an authenticated packet every n
seconds. The receiver can time out of it doesnt receive that in time.
However, that would still bring down your detection time to n seconds in
the worst case.

Where this draft helps you with is the following scenario:

Two routers are alive and the session is Up. An attacker spoofs a packet
declaring the session to be down. Without security, all IGPs will
reconverge and traffic shifts and all bad things will happen.

You avoid this with the security.

The scenario you describe will only work in a multi-hop BFD, because in the
single hop, i suspect the two ends will hopefully always learn when the
directly connected link goes down. Is this correct?

Cheers, Manav
>
>
> >

v2.23.0 | Report a Bug | By Email