IETF Logo Mail Archive

Re: ttl and authentication

Dave Katz <dkatz@juniper.net> Thu, 24 February 2005 08:56 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA19068; Thu, 24 Feb 2005 03:56:33 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D4FAL-0007HJ-1b; Thu, 24 Feb 2005 04:20:13 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D4Em7-0005G4-Tc; Thu, 24 Feb 2005 03:55:11 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D4Em4-0005E5-Rq for rtg-bfd@megatron.ietf.org; Thu, 24 Feb 2005 03:55:08 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA18930 for <rtg-bfd@ietf.org>; Thu, 24 Feb 2005 03:55:07 -0500 (EST)
Received: from colo-dns-ext1.juniper.net ([207.17.137.57]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D4F8w-0007FG-K3 for rtg-bfd@ietf.org; Thu, 24 Feb 2005 04:18:47 -0500
Received: from merlot.juniper.net (merlot.juniper.net [172.17.27.10]) by colo-dns-ext1.juniper.net (8.11.3/8.9.3) with ESMTP id j1O8so975686; Thu, 24 Feb 2005 00:54:52 -0800 (PST) (envelope-from dkatz@juniper.net)
Received: from [172.16.12.139] (nimbus-sf.juniper.net [172.16.12.139]) by merlot.juniper.net (8.11.3/8.11.3) with ESMTP id j1O8sie33295; Thu, 24 Feb 2005 00:54:44 -0800 (PST) (envelope-from dkatz@juniper.net)
In-Reply-To: <Pine.LNX.4.61.0502240936490.24247@netcore.fi>
References: <200502222036.PAA16786@ietf.org> <Pine.LNX.4.61.0502232111590.6499@netcore.fi> <eb091c568763bfdd10f3c04ae3c9677c@juniper.net> <Pine.LNX.4.61.0502240855100.22843@netcore.fi> <35ed279cf9e5b6c559f3d843e7c8d7c3@juniper.net> <Pine.LNX.4.61.0502240936490.24247@netcore.fi>
Mime-Version: 1.0 (Apple Message framework v619.2)
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-Id: <f8e9a4867f633982d4d21f1b839f23ff@juniper.net>
Content-Transfer-Encoding: 7bit
From: Dave Katz <dkatz@juniper.net>
Date: Thu, 24 Feb 2005 01:54:44 -0700
To: Pekka Savola <pekkas@netcore.fi>
X-Mailer: Apple Mail (2.619.2)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Content-Transfer-Encoding: 7bit
Cc: rtg-bfd@ietf.org
Subject: Re: ttl and authentication
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
Sender: rtg-bfd-bounces@ietf.org
Errors-To: rtg-bfd-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Content-Transfer-Encoding: 7bit

On Feb 24, 2005, at 12:39 AM, Pekka Savola wrote:

> However, it is not clear which packets routers implementing BFD will 
> demultiplex.  Are the BFD ports open to everyone -- i.e., are you 
> requiring that all packets addressed to the any of the routers' 
> addressed must be dropped at the borders (that's rather unreasonable 
> approach IMHO)?  What if you want to run BFD with eBGP and you cannot 
> be protected with border filtering?
>
> All in all, if there is no strong reason to remove the TTL check, I'd 
> strongly prefer to put it back in.
>

Let's put it a different way.  On first principles, if you are only 
willing to accept cryptographically authenticated packets from good 
guys, then cryptographic authentication has absolutely no value and you 
shouldn't use it at all (in which case you will have the TTL check.)

In general, there *must* be a spectrum of methods to protect against 
DoS attacks when cryptographic authentication is used (in any 
protocol), and these are likely to be adaptive and somewhat complex.  
BFD is *not* the only protocol with this issue, and given the direction 
things are going, there are only going to be more.


The metaproblem here is that specifications and operations are 
distinct.  When the spec says that you have to accept such packets, it 
is stated as such to provide a baseline of interoperability.  At some 
level, operationally, authentication is about consciously avoiding 
interoperation.  For example, in this case you could put a filter in 
place (outside of BFD) which discards all BFD packets received on the 
interface with TTL != 255.  This is is entirely equivalent to dropping 
it in the implementation (and is probably preferable if you're worried 
about DoS attacks, particularly if you filter in hardware.)  So is this 
somehow in violation of the spec as currently written?  Similarly, if 
an implementation provides a knob that provides this behavior within 
BFD, is that implementation broken?  I think we would agree that it is 
not.

The role of the spec has to be to provide as wide a range of 
interoperability as possible.  The MUST/MAY/SHOULD verbiage doesn't 
really give us the subtle gradations of meaning that are needed.  What 
I really want to say here is that an implementation has to be capable 
of accepting such packets, not that it has to under all circumstances 
and configurations.  I'm not sure how to say that.  I'd be happy to 
entertain suggestions.

Anyone who is familiar with my implementations knows that I view 
protocol specs liberally, so long as the box will interoperate fully 
with everybody else's.  In this particular case I wouldn't hesitate to 
add a knob to provide the behavior you desire, and would do so with a 
clear conscience.  I've always felt that the art of implementation is 
knowing what you can safely get away with.  But that's just me.

--Dave

v2.31.3 | Report a Bug | By Email | System Status