Re: Lars Eggert's Discuss on draft-ietf-bfd-unsolicited-11: (with DISCUSS and COMMENT)
Reshad Rahman <reshad@yahoo.com> Mon, 27 March 2023 03:05 UTC
Return-Path: <reshad@yahoo.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C6CEC151B28 for <rtg-bfd@ietfa.amsl.com>; Sun, 26 Mar 2023 20:05:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgeoxbPjKyAL for <rtg-bfd@ietfa.amsl.com>; Sun, 26 Mar 2023 20:05:40 -0700 (PDT)
Received: from sonic318-27.consmr.mail.bf2.yahoo.com (sonic318-27.consmr.mail.bf2.yahoo.com [74.6.135.82]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74C26C151B03 for <rtg-bfd@ietf.org>; Sun, 26 Mar 2023 20:05:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1679886339; bh=wAQ+3SxRq2yMVLnas3Wo7D1APtnu8WbtDCCJ5YDSrGY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject:Reply-To; b=EwxdkWnxlmieUA3EouA5TUZHwkxj8BH6lAXcx81D70PLwibjmV3aLuDUcIdizZq5nG/xk9Pp8bERMcSsU0sPYl7aEs1edF/rlwB3hP7PP9yXcRMJBJHiQJA6qAsV4LyEhsAHRL/dOBESny55xfWfUMfbvcWnhVllQbn6Q8dxg/PCL0zXJutrJNu6+esB+3URiESb3VXn/hDGQg7W9D6A5IR2W9hjVT9mt75he59Nni2fiYjZnzuuT637ltFDquHah8lthghNu+rZTemV9A7tp/sisBlkZkrSy3g3ONSf11LHemny2dIa5mBy+thYw4Y07FbXioL3H3300AGBNAu1Qw==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1679886339; bh=lNbcRYRfpQac4KRC42EIABIAK1c3ZuJDpl1OdgrmEM7=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=WdC7fOPBHpaFAY+swF6ADMCPAdL/7I3URY5VVmhzQzednd7BChGxq0+/FY0Wmj5+rm0+w/DdEd58o+Jb1qDR42sIczkN7UfT+uBlDwq/J16Lm9trWptuIP6cN8HQU1JaBgE9YM7EKj3IRgzKm8cC7H88FSq7V6Ex+LZ0cokXioFPhqZNyEvMe2Oe0PdJwzQ4oXKPwAIgtT5gd4/zXdnwpyqpZkJ+c8WDlEEpR/rKl8YyzOsXVn6d35SCq8b+nhYUOXhzFv4rfF97eihpO+Y4cof+vQqLsn+QjQLPLnt4437Z9Gr0UtqWGkO+NHWK9BxhncTzZ0idt7fwyXCLXdS5/w==
X-YMail-OSG: .mUKXjAVM1ka89q7WOax4QRtSueD4BaDQ7Kztl4rXTazjQtxHeUt2KbC8tEDvZk Vpp4aQjDrhY31BaDqg0I5XH5jYIJgvHx9tAjt2Mw2lNvCk8Df1nGHLBfAsLL52gOw_FbLQcX5C3k WbUAggunsKF9gO_zM4TGJAnW26cp5C0FCtVOZrArXYLXMb.4FPIFA5EEdvW3HSDeTBMPyCYuCeR7 65jFVhBHw7ARJDaKyhUR8Z0T1c0TkLqMZZZhPn.9cbe3rP6qz0znm0AxZ6KsrHJVOI2W3BtnFMKz F15e6jmN35tqjTHETdP27IB4xd5c4toOXt2KOO9FE0p.c2EusITIyQes2igEf3BW_vOEwPlCOHXN esXqXhS6vM.RDcyhdr7S8NNnZDr_w56yh22xtqMsBv186l5SZ51QCxPDyOU8i4aILT9zzpKI2jvy XFHs9YbHg017Xc_oavllSut93d3__Q56Yl21_iVDqypu5FWUj5fizNoTWic2931Sg3CYvihzNpRY zrAgH2HMlBlWCxhj61wh5pqRVDXkzuvZbtIwT.__CaVfSjBz6BCVz35cW6YvNoqQ_BXuq5m9rs9U KREEWhTTzkn5kWKPIXdUGXoH6UkoQ5kpbW_Zy85netj9Cm0U7RWJldnk8anZLsgMfYEhuX9h_8k5 qQQi_HlDGz_4mWHcVTRTo_pnpzwAguCYqkZVxmtnk67Nn1hxCJkBRwU3M0OvN_cuBAKjPB6fVoVN eYu6Quq95gnpwcdSyxWhFJorkNN6lKtClZr4kDU4wezRZ4dyVTJhfjDCKwVbE_2fqzh.bom6pPcT PERTa53wkVkn7C26_VCSA34auGWpJJlYnAaI89u5VFm4A2R1yJDMilG0bCWK.cp3bxxqqd0gwGy_ WfG2xLbZ3FiUwonfToGoSdEHl46WBpzPmOWstNa3HHEDn1ASP.EjkEvwSMKCNnfybmf9cPK1nMc0 QVQJCtqk65mZSNTZUCmp9QpcBpU2J5syQJ3J7DjnqVrT.n.xAs2Bdtxu.RFOBAOsn3sM2bo98omZ 2htKkXYSrlTPD_9j17LFFDbVScsGuVlAKCSUu_wOp891hDGwLojTDCrBTwG1lP_c9YY3JyiH8Aji jKaConejRUnHbuwgvSzonmeamRh3CZ_UIxh86yQHFiC4Epa6UsE2yn9UOf5wxT69skYmYaIBl0QA yFEa2suVSyitWu5B9YQrZyFOQmNmnHSX4fyL0AJN_isjkUI5wbElvukvqHxlWGkDGT3lU6sqzg1u _j463TaLs56X7ab5SGIRJm.u2V1GvZ9iJeSjQfPQJKdjDx5nkmHTlqYUdcvJwNbfyz_Hea8CCday _EKaWKGa0bm2L85P57NLTapzW3Q6KOUEb6nv7hMf3xgDFT.RzyhS1LG_V4rYDY5JBc88dvQJW8jN KQ7zBYpw2zjQnoNM0zu.xmdkt7PB2A0lh3Q3UqUCM5ebPyELcKx3vIdUOHyNWH8g.X28zp9dkXnv 9UAKNIML6zZ3y22NtPCLpxiXxiB26GsrjYWWhsAbAxfiUic4o9GW7z6iXk9epx2eP12eZtUlsHhB 3WDSVvW8_X2rEdYd_Dn4.GmE2tHLhEW5PSzEpjPijpidD6EwG99PWO.kDFwIdsXWh17WJGk6rhLz VnNmb5lnD5BZKS03XYoMe8VAMYVLyxQL_owf48.kYY.bDQtR5dlDr8Y6H64OgxtIucqWcuQ5zS7U FPPoAo6JCIgxrIkydKp_d6KbJYzXzvGPFggmtCqSwZBPlKQ6_yTMDUr4javaN4ZkZ7SZUYzrjHvE qwf8h1rqqHddVNbiynIL4H5pGy1BZIt0Y6Iov7RP9foZKOCDbJ1PBYWL7qjZ9lqAF1ixCts_9hyn v.nTbkRw2RjJ8LuNhiLbRaluglrc7u.CATccTT5OqJNyR3TcvvzCDN88lVzEzWC5G5XS2kjbXqP4 EuZp3lYrkLCQdYgPYnI.J0zOcw56bCe6O1HBLHJySzNduvI.3C27AW15lY.LuqewFsw9KrwdWdOb 7APqTfKn7iBPRH.pAQ8wWKljrPH5r4wkmyBnX9sVq.iPknErx1uYG3JV6KbusX7Hp.XSjFcIllp6 W4TpaMGZmpF_VVR5KoDeI4qJ_rBX_LDpy.oeDQ2BBNxzuVquPSk.HUS5ZVh2CB1.ddBFTkQ6Nsgu VipxvKYMdDFEsxC902wppNnUyPRPnJ3aLftrvYrsVIlRNAgRgWALA0W08qwp3ehDK6TnPWhZNvRu U9D4hjksH8MlIc6oYp6WKgLTTd_ZgKyFNSPYFHl9HGDgl_YLtVuMaAfjYq4xwar1yUSI4Y7jAMAD qo1A0P9jawcOexIWRXwAJ
X-Sonic-MF: <reshad@yahoo.com>
X-Sonic-ID: f7a6829a-da38-474e-9185-8bc9b434c26b
Received: from sonic.gate.mail.ne1.yahoo.com by sonic318.consmr.mail.bf2.yahoo.com with HTTP; Mon, 27 Mar 2023 03:05:39 +0000
Date: Mon, 27 Mar 2023 02:55:34 +0000
From: Reshad Rahman <reshad@yahoo.com>
Reply-To: Reshad Rahman <reshad@yahoo.com>
To: Lars Eggert <lars@eggert.org>, Jeffrey Haas <jhaas@pfrc.org>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-bfd-unsolicited@ietf.org" <draft-ietf-bfd-unsolicited@ietf.org>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
Message-ID: <61641543.587983.1679885734502@mail.yahoo.com>
In-Reply-To: <20221215221845.GC23286@pfrc.org>
References: <167085524502.46296.874220036032961397@ietfa.amsl.com> <20221215221845.GC23286@pfrc.org>
Subject: Re: Lars Eggert's Discuss on draft-ietf-bfd-unsolicited-11: (with DISCUSS and COMMENT)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_587982_136179719.1679885734501"
X-Mailer: WebService/1.1.21284 YMailNorrin
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/i9AMPnVeLjSPz8pD3Az4jIfwz-k>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2023 03:05:41 -0000
Lars, thank you for the review.
We have uploaded -13.
Please see inline.
On Thursday, December 15, 2022, 05:18:56 PM EST, Jeffrey Haas <jhaas@pfrc.org> wrote:
Lars,
[Speaking in role as chair/shepherd and not author.]
On Mon, Dec 12, 2022 at 06:27:25AM -0800, Lars Eggert via Datatracker wrote:
> ## Discuss
>
> ### Section 7.1, paragraph 3
> ```
> The same security considerations and protection measures as those
> described in [RFC5880] and [RFC5881] apply to this document. In
> addition, with "unsolicited BFD" there is potential risk for
> excessive resource usage by BFD from "unexpected" remote systems. To
> mitigate such risks, the following measures are mandatory:
>
> * Limit the feature to specific interfaces, and to single-hop BFD
> with "TTL=255" [RFC5082].
> * Apply "policy" to allow BFD packets only from certain subnets or
> hosts.
> * Deploy the feature only in certain "trustworthy" environment,
> e.g., at an IXP, or between a provider and its customers.
> * Use BFD authentication, see [RFC5880]. In some environments, e.g.
> when using an IXP, BFD authentication can not be used because of
> the lack of coordination into the operation of the two endpoints
> of the BFD session. In other environments, e.g. when BFD is used
> to track the next hop of static routes, it is possible to use BFD
> authentication: this comes with the extra cost of configuring
> matching key-chains at the two endpoints. If BFD authentication
> is used, the Meticulous Keyed SHA1 mechanism SHOULD be used.
> ```
> BFD can be configured to send large volumes of traffic, and it sends
> it without congestion control. When a past IESG approved BFD for
> standardization in that form, it was exactly because both endpoints
> needed to be configured, which significantly reduces the
> possibility/impact of unilateral misconfiguration. I don't believe
> the suggestions above provide nearly the same level of protection.
> Also, if (all of?) these are mandatory, that needs to be made very
> clear, i.e., using RFC2119 terms here and elsewhere in the document
> (where it currently says these mechanisms are recommended...)
Strictly from an English standpoint, I'm unclear what the appropriate
response is to your request above. The "mandatory" word leading the bullet
points certainly could be treated as each of those points as having a
leading "MUST" there. Or alternatively, the word mandatory itself could be
replaced with MUST.
Would you be satisfied by replacing the sentence prior to the bullet points
with:
"To mitigate such risks, implementations of unsolicited BFD MUST:"
?<RR> The suggested change above has been made in -13 (might actually have been in -12).
Wrt "large volumes of traffic", was Jeff's response below satisfactory, or is there still a concern?
Regards,Reshad.
With regard to the concerns about "large volumes of traffic":
- Those mandatory items restrict possible unsolicted sessions to a directly
connected interface, on subnets that are part of an ACL, and ideally with
BFD authentication mechanisms.
- BFD doesn't go into its fast mode until the BFD state machinery goes into
the Up state. Thus, the passive side will not send traffic at speed until
all of the requirements above are satisfied AND the state machine permits
the session to advance to Up.
- An active implementation that doesn't respect the state machinery isn't
compliant. Arguably, it's simply a DoS attacker that just happens to be
using BFD ports as its target.
-- Jeff
- Lars Eggert's Discuss on draft-ietf-bfd-unsolicit… Lars Eggert via Datatracker
- Re: Lars Eggert's Discuss on draft-ietf-bfd-unsol… Jeffrey Haas
- Re: Lars Eggert's Discuss on draft-ietf-bfd-unsol… Reshad Rahman