Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)
Gļebs Ivanovskis <glebs@mikrotik.com> Mon, 25 April 2022 10:23 UTC
Return-Path: <glebs@mikrotik.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3F803A160D for <rtg-bfd@ietfa.amsl.com>; Mon, 25 Apr 2022 03:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5CyBeC6xc7a for <rtg-bfd@ietfa.amsl.com>; Mon, 25 Apr 2022 03:23:35 -0700 (PDT)
Received: from plekste.mt.lv (bute.mt.lv [IPv6:2a02:610:7501:2000::195]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0B733A161E for <rtg-bfd@ietf.org>; Mon, 25 Apr 2022 03:23:33 -0700 (PDT)
Received: from [2a02:610:7501:ffff:27fb:be4f:426e:d56a] by plekste.mt.lv with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <glebs@mikrotik.com>) id 1nivsQ-0001R5-95 for rtg-bfd@ietf.org; Mon, 25 Apr 2022 13:23:30 +0300
Content-Type: multipart/alternative; boundary="------------i5VFQ36UiBmkbriPVo6PMv5N"
Message-ID: <b4a3419f-b465-90fd-0f92-7385fa5595c4@mikrotik.com>
Date: Mon, 25 Apr 2022 13:23:29 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
To: rtg-bfd@ietf.org
From: Gļebs Ivanovskis <glebs@mikrotik.com>
Subject: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/lDxFfNpqo4kwuNEUY0AbjMBb8JU>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 10:23:40 -0000
Hi,
I have a question regarding the order of operations during receipt of
BFD control packet using keyed MD5/SHA1 authentication. Both Section
6.7.3. <https://www.rfc-editor.org/rfc/rfc5880.html#section-6.7.3>
"Keyed MD5 and Meticulous Keyed MD5 Authentication" and Section 6.7.4.
<https://www.rfc-editor.org/rfc/rfc5880.html#section-6.7.4> "Keyed SHA1
and Meticulous Keyed SHA1 Authentication" (in parts "Receipt Using Keyed
MD5 and Meticulous Keyed MD5 Authentication" and "Receipt Using Keyed
SHA1 and Meticulous Keyed SHA1 Authentication" respectively) suggest
that Sequence Number field of incoming control packet is examined prior
to calculating any digest/hash. I have discovered that the order was the
other way round in early drafts, but then was changed between versions 8
and 9
<https://tools.ietf.org/tools/rfcdiff/rfcdiff.pyht?url1=https://www.ietf.org/archive/id/draft-ietf-bfd-base-08.txt&url2=https://www.ietf.org/archive/id/draft-ietf-bfd-base-09.txt>,
presumably followed by this comment
<https://mailarchive.ietf.org/arch/msg/rtg-bfd/tk6gbThUz-_30QGUIV8o7701t-w/>:
If we check the sequence number after doing a MD5 digest
verification, even if we get replayed packets, we will be doing the
costly hash operations, thus wasting a lot of CPU and exposing
ourselves to simple CPU exhaustion attacks.
Unfortunately, I couldn't find any discussion following this suggestion.
I understand the motivation of making a "cheaper" Sequence Number check
before doing more "expensive" digest/hash calculation, but the
reordering of stages does not seem to be thought through very well. The
text of RFC 5880 mandates implementations /to act/ on received Sequence
Number /before validating/ digest/hash:
Otherwise (bfd.AuthSeqKnown is 0), bfd.AuthSeqKnown MUST be set to
1, and bfd.RcvAuthSeq MUST be set to the value of the received
Sequence Number field.
and
Otherwise (bfd.AuthSeqKnown is 0), bfd.AuthSeqKnown MUST be set to
1, bfd.RcvAuthSeq MUST be set to the value of the received Sequence
Number field, and the received packet MUST be accepted.
This leaves the opportunity for unauthorized control packet to mess up
session state variables, potentially leading to subsequent valid packets
being dropped due to Sequence Number outside of expected range and BFD
session being erroneously diagnosed as Down. Note that "and the received
packet MUST be accepted" clause has been removed from MD5 part, but not
from SHA1 part, requesting implementations to skip hash verification
altogether if bfd.AuthSeqKnown is 0.
Is the sequence of operations described in Sections 6.7.3. and 6.7.4.
correct?
In my opinion, as a minimum, the following changes need to be made:
* The "and the received packet MUST be accepted" clause needs to be
removed from Section 6.7.4.
* Sections 6.7.3. and 6.7.4. need to split examining incoming packet's
Sequence Number (which can be done before digest/hash verification)
and acting upon it (which has to happen after verification).
Furthermore, I would like to suggest going back to original ordering
with digest/hash verification being done before examining Sequence
Number, because it simplifies the algorithm. I don't think that checking
Sequence Number first provides much protection against CPU exhaustion
attacks, because Sequence Numbers are transmitted in clear text and it
wouldn't be that difficult for an attacker to come up with a valid
Sequence Number to pass "cheap" check.
And finally, one more minor thing. Description of bfd.RcvAuthSeq in
Section 6.8.1.
<https://www.rfc-editor.org/rfc/rfc5880.html#section-6.8.1> "State
Variables" implies that it needs to be updated every time a valid
control packet is received:
A 32-bit unsigned integer containing the last sequence number for
Keyed MD5 or SHA1 Authentication that was received. The initial
value is unimportant.
However, Sections 6.7.3. and 6.7.4. only mention that "bfd.RcvAuthSeq
MUST be set to the value of the received Sequence Number field" when
bfd.AuthSeqKnown is 0. It would be nice to explicitly say that
bfd.RcvAuthSeq needs to be updated in case bfd.AuthSeqKnown is 1 as
well, so that implementations know when exactly this must be done (after
digest/hash verification, I suppose).
Best regards,
Glebs
- Regarding keyed MD5/SHA1 authentication for BFD (… Gļebs Ivanovskis
- Re: Regarding keyed MD5/SHA1 authentication for B… Alan DeKok
- Re: Regarding keyed MD5/SHA1 authentication for B… Greg Mirsky
- Re: Regarding keyed MD5/SHA1 authentication for B… Gļebs Ivanovskis
- Re: Regarding keyed MD5/SHA1 authentication for B… Alan DeKok
- Re: Regarding keyed MD5/SHA1 authentication for B… Alan DeKok