IETF Logo Mail Archive

Re: draft-ietf-bfd-optimizing-authentication-13 nits

Jeffrey Haas <jhaas@pfrc.org> Mon, 22 January 2024 14:14 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB8D3C14F5E6; Mon, 22 Jan 2024 06:14:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v8FCYYQNyhPM; Mon, 22 Jan 2024 06:14:03 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id EDE39C14CF13; Mon, 22 Jan 2024 06:14:02 -0800 (PST)
Received: from smtpclient.apple (172-125-100-52.lightspeed.livnmi.sbcglobal.net [172.125.100.52]) by slice.pfrc.org (Postfix) with ESMTPSA id 33B3E1E039; Mon, 22 Jan 2024 09:14:02 -0500 (EST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_7F3AA5E4-83DD-483C-A4F2-B7445DEDAE81"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
Subject: Re: draft-ietf-bfd-optimizing-authentication-13 nits
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <FAEC1A4E-7E06-40D0-93CC-FFFB2AA34A3D@deployingradius.com>
Date: Mon, 22 Jan 2024 09:14:01 -0500
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, draft-ietf-bfd-optimizing-authentication@ietf.org, Ashesh Mishra <mishra.ashesh@gmail.com>
Message-Id: <43F87BFE-8FBD-4CD0-BCA2-4E5C9BA9FBE0@pfrc.org>
References: <4F3695C8-3736-4E55-B5BB-84671FDC367E@pfrc.org> <A8D0BCD4-15FA-4061-A7F0-6D888158F5A3@gmail.com> <D3DB82BE-730A-4D7C-88B8-3B309C5AC3B9@pfrc.org> <9CDB2C7B-BAB6-476C-9F12-BFA7EAD6DD60@gmail.com> <B49A64C7-731F-4729-9D99-AC6C133983C8@deployingradius.com> <F7B727F3-DDE0-4F79-8D8B-7AE96B694D19@pfrc.org> <FAEC1A4E-7E06-40D0-93CC-FFFB2AA34A3D@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/i7MDYWdlTgJFb6cfrvmue4fuAQg>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jan 2024 14:14:07 -0000

Alan,


> On Jan 21, 2024, at 8:09 PM, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Jan 21, 2024, at 3:43 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>>> i would lean towards forbidding "simple password", unless it uses a different password than is used for the stronger authentication methods.  Otherwise it leads to the password being exposed.
>> 
>> I'm supportive of that.  What text would you recommend?
> 
>  I'll push some text to github, but we could add text to the section "Updating RFC 5880":
> 
>  The use of "Simple Password" authentication is  NOT RECOMMENDED.  There is little security added by exposing a plain-text password "on the wire".

I'd skip the second sentence.

> Where Simple Password authentication is used, the password MUST NOT be used for other Auth Type methods.  Using Simple Password authentication for one packet and then the same password (for example) for Keyed SHA1 authentication would expose the password, and negate all security gained through the use of Keyed SHA1.

> Q: 5880 says that Auth Key ID will identify a particular key. But it's not clear if the Auth Key ID field is meant to be different for each Auth Type, or do all Auth Types share the same Auth Key ID?

The specification is silent on this matter.  My interpretation is that it's always a local matter between two authenticating systems.

The IETF keychain YANG model treats the keychain as a uint64 on top of a individual keychain and keychains are bound to individual protocols.

To pick my own company's implementation, the keychain has a key id 0..63 on an individual chain that may be applied to specific BFD sessions:
https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/key-edit-security-authentication-key-chains.html <https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/key-edit-security-authentication-key-chains.html>

> 
>> Since we now have split motivations, we need text that lets us decide when we should periodically use stronger authentication, or not, for staying in the Up state.
> 
>  This should be in the optimizing authentication draft, I suppose.  I have fewer opinions there.

Agreed.  When to change to a specific authentication is the scope for that draft.

> 
>  Off of the top of my head, swapping it once per second seems too high.  Once per day may be too low.  It all depends on how often the links stay up.

Sometimes on the order of months. :-)

-- Jeff

v2.23.0 | Report a Bug | By Email