IETF Logo Mail Archive

Re: I-D Action: draft-ietf-bfd-optimizing-authentication-06.txt

Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 15 October 2018 17:26 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF22C130EB4 for <rtg-bfd@ietfa.amsl.com>; Mon, 15 Oct 2018 10:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5p0S1l1ghvc2 for <rtg-bfd@ietfa.amsl.com>; Mon, 15 Oct 2018 10:26:15 -0700 (PDT)
Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1331E12D7EA for <rtg-bfd@ietf.org>; Mon, 15 Oct 2018 10:26:15 -0700 (PDT)
Received: by mail-pl1-x62c.google.com with SMTP id q17-v6so9632886plr.8 for <rtg-bfd@ietf.org>; Mon, 15 Oct 2018 10:26:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=JBmMsJZOHdl2hECHxKF6BgR0K4wMdwgZuefNnb1bjQ8=; b=rBhx+Nl7oZKL/UvC9bViCMyQSv4pV+JKU+nyeHfaivbZu6C0tBPCF7cMOBoU0Fu2dv etBO0QAPaYmrxmlOT/wtE5wLgGLmo2m6Ik9WKPQpFm2YRKFB2ccP2Hw09qzG/t9OoOIu GdhE2z/05FT0tuiViwbv5D1J3KdZXlvaHAiC5jwcEkfNa4Fcgb3LNg3n20zvBBjdCml+ fso2oRDTnfFh8I1trV/Hpw8zHD2+KlQqS2TuHFQPSZzjFXTuLcKY61Y14ICDWgxSoTIM 51ETzQdZYKIMkubJL34GLyfqsT9V2VIBemJ6f+QchuwzhLpDut/f+aidqHjElSbuzrpU RnZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=JBmMsJZOHdl2hECHxKF6BgR0K4wMdwgZuefNnb1bjQ8=; b=kQPVya27vraCzyMphIbcnRmimLO3avetN3Q82oKeLVZLVx65Mj/3u84s7Z+jiEhKxe p0AodISWJYVjDcSnKX8JS0huTruzaITaDyWQV12+/Qz7EXRZRPe6Uj8Fpu1duZCXltbG JrROsN2Uknd4U2vOUmYG1RT+lxfoG0724wVTS+Nuyu298z+/ylD7v9M2Sb6GmqlJ37XW yf3Y0KI70PCCNRwzaSJyCxFqI/Li/qqvDrac/FWifU/XhKADQqRMcCsTXI3q807GIbJy vnPvq2CaTt+B+FRMk94jA+2Dvzk06FPtR/U7PIK55lEFJEK6SKOUjQrTyibtunTIOJCs SrYA==
X-Gm-Message-State: ABuFfoi3hE/7RjdCO2fHGaho2xmCCL2PtBONR1140+qKo2ILxJpGRRif sXBv6Wdv9HATtLknT9O24Jo=
X-Google-Smtp-Source: ACcGV6259keziTeHgIxtcooT26g+cDhB8kEpcFPYyBw5ZCKOyyh2+y7SJQbwtrctoROt+F1F790zSA==
X-Received: by 2002:a17:902:d704:: with SMTP id w4-v6mr18227318ply.230.1539624374476; Mon, 15 Oct 2018 10:26:14 -0700 (PDT)
Received: from [10.33.122.212] ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id q76-v6sm29048965pfa.18.2018.10.15.10.26.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 Oct 2018 10:26:13 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <8FC1854D-DA08-48FB-A291-B293AB1464EF@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C398A2EC-9D87-4CB9-8616-ADC11A1CD136"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: Re: I-D Action: draft-ietf-bfd-optimizing-authentication-06.txt
Date: Mon, 15 Oct 2018 10:26:11 -0700
In-Reply-To: <CA+RyBmXMOJOamDDk4bJu3tvgPCRet4=1GZEZJBobrxDPxkB6jA@mail.gmail.com>
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
To: Greg Mirsky <gregimirsky@gmail.com>
References: <153930035253.7105.12758186259660848661@ietfa.amsl.com> <D4B8FC5E-7FCE-4E53-A00C-BFE1530F56FC@gmail.com> <CA+RyBmXMOJOamDDk4bJu3tvgPCRet4=1GZEZJBobrxDPxkB6jA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/hCKEeCv0EmZnlitXpTxkWMgkAx4>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Oct 2018 17:26:18 -0000

Hi Greg,

But all packets that indicate a state change are authenticated. That has been the original premise of the draft, with or without a Detect Multiplier.

For example, we say in Section 1

   This document proposes that only BFD frames that signal a state
   change in BFD be authenticated.

The only question was with a steady stream, and no state change, how many authenticated packets needed to be sent to thwart a MITM attack. 

Cheers.


> On Oct 13, 2018, at 1:10 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
> 
> Hi Mahesh, Authors, et. al,
> thank you for your thoughtful consideration of the discussion in Montreal. I've checked the changes in the new version and I think that the agreement we've reached was not merely recommend that the authenticated BFD Control packets be sent as series of at least Detect Multiplier packets but require, i.e., make it mandatory for both periodic and state change modes. Here's the quote from the minutes:
>     Jeff Haas: one possibility is to send detect multiplier number of consecutive authenticated packets, then the session will go down if authentication packets fail validation.
>     Greg Mirsky: does that require use of P/F procedure?
>     Jeff Haas: P/F is not needed, we send consecutive authenticated packets
>     Mahesh Jethanandani: we can make that change.
>     Reshad Rahman: is there a need to do the same for state change?
>     Mahesh Jethanandani: every state change packet has to be authenticated.
>     Jeff Haas: for pedantic reasons, when making the state change we should do the same. On P/F sequence we should do    this for the new multiplier if it’s longer. We’ll take this back to the mailing list.
> Thus I suggest to consider changes along the following:
> OLD TEXT:
>  To detect a Man In the Middle (MITM)
>    attack, it is also proposed that a non-state change frame be
>    authenticated occasionally.  The interval of this non-state change
>    frame can be configured depending on the detect multiplier and the
>    capability of the system.  As an example, this could be equal to the
>    detect multiplier number of packets.
> NEW TEXT:
>   To detect a Man In the Middle (MITM)
>    attack, it is also proposed that a non-state change set of authenticated frames be
>    sent occasionally.  The number of consecutively transmitted authenticated BFD control packets in the set
>    MUST be not lesser than the value of the Detect Multiplier and the interval between such non-state change
>    set of frames can be configured depending on the
>    capability of the system.  
> If acceptable, similar change should be made to the following text:
>    Authenticating a small subset of these frames, for example, a detect
>    multiplier number of packets per configured period, significantly
>    reduces the computational demand for the system while maintaining
>    security of the session across the configured authentication periods.
> to change from recommendation "for example" to stronger normative language.
> 
> Regards,
> Greg
> 
> On Thu, Oct 11, 2018 at 4:31 PM Mahesh Jethanandani <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>> wrote:
> This version of the draft addresses comments received at IETF 102 as part of LC. At this point, the authors believe that this document, along with draft-ietf-bfd-secure-sequence-numbers and draft-ietf-bfd-stability are ready for IESG.
> 
> Thanks.
> 
> > On Oct 11, 2018, at 4:25 PM, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> wrote:
> > 
> > 
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Bidirectional Forwarding Detection WG of the IETF.
> > 
> >        Title           : Optimizing BFD Authentication
> >        Authors         : Mahesh Jethanandani
> >                          Ashesh Mishra
> >                          Ankur Saxena
> >                          Manav Bhatia
> >       Filename        : draft-ietf-bfd-optimizing-authentication-06.txt
> >       Pages           : 7
> >       Date            : 2018-10-11
> > 
> > Abstract:
> >   This document describes an optimization to BFD Authentication as
> >   described in Section 6.7 of BFD RFC5880.
> > 
> > 
> > 
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/ <https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/>
> > 
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-06 <https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-06>
> > https://datatracker.ietf.org/doc/html/draft-ietf-bfd-optimizing-authentication-06 <https://datatracker.ietf.org/doc/html/draft-ietf-bfd-optimizing-authentication-06>
> > 
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-optimizing-authentication-06 <https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-optimizing-authentication-06>
> > 
> > 
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
> > 
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/ <ftp://ftp.ietf.org/internet-drafts/>
> > 
> 
> Mahesh Jethanandani
> mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>
> 
> 
> 

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email