Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt
Jeffrey Haas <jhaas@pfrc.org> Mon, 26 July 2021 14:48 UTC
Date: Mon, 26 Jul 2021 10:48:26 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: Alan DeKok <aland@freeradius.org>
Cc: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, Reshad Rehman <reshad@yahoo.com>, draft-ietf-bfd-secure-sequence-numbers@ietf.org
Subject: Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt
Message-ID: <20210726144826.GB32584@pfrc.org>
References: <20210405171412.GB12257@pfrc.org> <4831ADD8-6E8D-4CDD-966F-B273A3AF45C5@freeradius.org> <20210405184656.GE12257@pfrc.org> <468C7D1D-7BE2-4759-9D81-0E18725FCA90@freeradius.org> <20210405190821.GF12257@pfrc.org> <14A4DD6D-7002-45A9-8FE4-42B512E97318@freeradius.org> <D48909A0-D7E9-40DA-83DA-CB0327D2D586@gmail.com> <096BC9E7-8877-4EF3-A94B-394AFE0E76E7@freeradius.org> <20210726141455.GA32584@pfrc.org> <211EC22C-F4AB-4FE6-98AB-511C5CE4EB8B@freeradius.org>
In-Reply-To: <211EC22C-F4AB-4FE6-98AB-511C5CE4EB8B@freeradius.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/i8_zqG3XskweamxpyWfPXzs0ocE>
Alan,

On Mon, Jul 26, 2021 at 10:35:01AM -0400, Alan DeKok wrote:
> > That should be possible.
[...]
> Yes.
[...]
> Yes.
>
> > This means that the benefit for the feature would require a function that
> > can be run on a window of packets for predicted inputs and generate the pool
> > of next expected sequence numbers.
>
> Yes.
>
> I think a cryptographic random number generator here is likely OK. Those are usually simple, and fast. The system can be seeded with a strong secret, or maybe a hash of a secret and other information.
>
> My suggestion to calculate a hash over the packet is that it prevents certain kinds of attacks, i.e. an attacker could take packet X, and sequence number Y, and put the two together, to spoof / forge state.
>
> Fixing that requires that the sequence number is somehow tied to a particular packet.

I don't dispute that these things are possible. What's being requested is that our specifications have some specificity and a proposal be made for a suitable mechanism and how it integrates into BFD. :-)

In any case, you've minimally confirmed that the current text in the secure-sequence-numbers draft is misleading in suggesting a reversible operation. The procedural text there thus needs work to incorporate the points discussed.

-- Jeff
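As an added illustration of the two ideas in this exchange (a sequence number tied to a particular packet by a keyed hash, and a receiver that checks a window of predicted positions rather than one exact value), here is a toy construction that is not the draft's mechanism and not code from either poster. It assumes a hypothetical 12-byte packet with the 32-bit sequence field at offset 4, a pre-shared secret, and a logical send counter as the "predicted input"; because the packet body is an input to the hash, the pool of acceptable values has to be computed per received packet rather than ahead of time.

```python
import hmac
import hashlib
import struct

SEQ_OFFSET = 4  # assumed offset of the 32-bit sequence field in the toy packet
KEY = b"constructed-shared-secret"  # constructed sample secret, not a real key
# Constructed toy packets: 4-byte header, zeroed sequence field, 4-byte payload.
TOY_A = b"\x20\x02\x03\x18" + b"\x00" * 4 + b"AAAA"
TOY_B = b"\x20\x02\x03\x18" + b"\x00" * 4 + b"BBBB"


def bound_sequence(key: bytes, counter: int, packet: bytes) -> int:
    """Leading 32 bits of HMAC-SHA256 over (counter || packet with seq zeroed).
    The result is specific to this packet at this logical position, so a
    sequence number lifted from one packet does not verify on another."""
    body = packet[:SEQ_OFFSET] + b"\x00" * 4 + packet[SEQ_OFFSET + 4:]
    mac = hmac.new(key, struct.pack("!Q", counter) + body, hashlib.sha256).digest()
    return struct.unpack("!I", mac[:4])[0]


def send(key: bytes, counter: int, packet: bytes) -> bytes:
    """Stamp the packet with the sequence number bound to it at `counter`."""
    seq = bound_sequence(key, counter, packet)
    return packet[:SEQ_OFFSET] + struct.pack("!I", seq) + packet[SEQ_OFFSET + 4:]


def receive(key: bytes, expected: int, window: int, packet: bytes):
    """Accept if the carried sequence number matches one of the next `window`
    predicted positions (tolerates loss); return the next expected counter,
    or None when the packet is spliced, replayed or out of window."""
    carried = packet[SEQ_OFFSET:SEQ_OFFSET + 4]
    for i in range(expected, expected + window):
        predicted = struct.pack("!I", bound_sequence(key, i, packet))
        if hmac.compare_digest(predicted, carried):
            return i + 1
    return None


def demo():
    """Walk through accept, loss within window, splice and replay cases."""
    a = send(KEY, 0, TOY_A)
    after_a = receive(KEY, 0, 3, a)            # in order: accepted, expect 1
    b = send(KEY, 2, TOY_B)
    after_b = receive(KEY, after_a, 3, b)      # position 1 lost: still accepted
    spliced = TOY_B[:SEQ_OFFSET] + a[SEQ_OFFSET:SEQ_OFFSET + 4] + TOY_B[SEQ_OFFSET + 4:]
    splice_ok = receive(KEY, 0, 3, spliced)    # seq from A on body of B: rejected
    replay_ok = receive(KEY, after_b, 3, a)    # old position: rejected
    return after_a, after_b, splice_ok, replay_ok
```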