Re: Some comments to the authors of draft-ietf-bfd-unsolicited

Naiming Shen <naiming@zededa.com> Mon, 28 February 2022 00:09 UTC

In-Reply-To: <381777191.1553826.1645979075642@mail.yahoo.com>
Date: Sun, 27 Feb 2022 16:09:48 -0800
Cc: "draft-ietf-bfd-unsolicited@ietf.org" <draft-ietf-bfd-unsolicited@ietf.org>, rtg-bfd WG <rtg-bfd@ietf.org>, Greg Mirsky <gregimirsky@gmail.com>
Message-Id: <8B79EB2B-4B59-479E-9DB8-66036A376509@zededa.com>
References: <CA+RyBmX8oAQFqJMjVhcj_78wYfrvz+afnSoP2-VjWyfCEunqmQ@mail.gmail.com> <381777191.1553826.1645979075642@mail.yahoo.com>
To: Reshad Rahman <reshad@yahoo.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/m7MFkYkhkLEheRUy-syLwPwTqCc>

Also regarding the simplification, normally this is operated in some 'trusted' environment,
e.g. in some trusted IXP subnet where the route server is at. Even if the router does apply
the 'access control' on the subnet, it is much simpler than pre-configuring hundreds of BFD
peers on the subnet, just in case some of those peers will later send us data traffic
and those BFD sessions will be used.

When MH is added in this draft, those recommendations will be more relevant.
Tradeoffs need to be considered in operations also, maybe it is better in some cases
to use regular BFD vs unsolicited BFD in some environment due to security concerns.

thanks.
- Naiming
> Two recommendations in the Security Considerations section:
>    o  Apply "access control" to allow BFD packets only from certain
>       subnets or hosts.
> ...
>    o  Use BFD authentication.
> leave some serious doubts that the proposed model does bring any operational simplification compared to explicitly configuring BFD on both systems (especially to use authentication).
> 
> <RR> Good point. I think it depends. e.g. if BFD authentication is already in use, this is not an issue.
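The two recommendations debated above (an access-control filter on the subnet, and BFD authentication) can be expressed as a single admission gate in front of the unsolicited-session path. The following is an added example, not code from the draft, from Naiming or Reshad, or from any BFD implementation: it parses the mandatory RFC 5880 control-packet header, demultiplexes on Your Discriminator, and only for packets that would create a new (unsolicited) session applies the subnet allow-list and requires an authentication section of an accepted type. The allowed subnets, discriminators and packets are constructed sample values (TEST-NET ranges); the keyed-SHA1 digest in the constructed packets is a zero placeholder, and verifying the digest against the shared key is assumed to happen later in the session's own authentication check.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Constructed policy for the example: the "trusted IXP subnet" is TEST-NET-1.
ALLOWED_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]
# RFC 5880 Auth Types: 4 = Keyed SHA1, 5 = Meticulous Keyed SHA1.
ACCEPTED_AUTH_TYPES = {4, 5}

# RFC 5880 mandatory section: Vers/Diag, Sta/P/F/C/A/D/M, Detect Mult, Length,
# My Disc, Your Disc, Desired Min TX, Required Min RX, Required Min Echo RX.
MANDATORY_LEN = 24


@dataclass
class BfdControl:
    version: int
    diag: int
    state: int
    auth_present: bool
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int
    auth_type: Optional[int]


def parse_bfd_control(data: bytes) -> BfdControl:
    """Decode the mandatory BFD control header and, if the A bit is set, the Auth Type."""
    if len(data) < MANDATORY_LEN:
        raise ValueError("short BFD packet")
    b0, b1, detect_mult, length = struct.unpack("!BBBB", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    my_disc, your_disc, _tx, _rx, _echo = struct.unpack("!IIIII", data[4:MANDATORY_LEN])
    auth_present = bool(b1 & 0x04)  # A bit
    auth_type = None
    if auth_present:
        if len(data) < MANDATORY_LEN + 2:  # Auth Type + Auth Len must be present
            raise ValueError("A bit set but no authentication section")
        auth_type = data[MANDATORY_LEN]
    return BfdControl(version=b0 >> 5, diag=b0 & 0x1F, state=b1 >> 6,
                      auth_present=auth_present, detect_mult=detect_mult, length=length,
                      my_disc=my_disc, your_disc=your_disc, auth_type=auth_type)


def admit_bfd_packet(src_ip: str, data: bytes, local_sessions: Set[int],
                     allowed: Iterable[ipaddress.IPv4Network] = ALLOWED_SUBNETS,
                     require_auth: bool = True) -> str:
    """Decide what to do with a received BFD control packet.

    Packets addressed to an existing local discriminator take the normal path;
    packets with Your Discriminator == 0 would create an unsolicited session and
    are gated by the subnet allow-list and the authentication requirement.
    """
    try:
        pkt = parse_bfd_control(data)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    if pkt.version != 1:
        return "drop: bad version"
    if pkt.your_disc != 0:
        return ("accept: existing session" if pkt.your_disc in local_sessions
                else "drop: unknown discriminator")
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in allowed):
        return "drop: source not in allowed subnet"
    if require_auth and (not pkt.auth_present or pkt.auth_type not in ACCEPTED_AUTH_TYPES):
        return "drop: authentication required"
    return "accept: create unsolicited session"


def build_bfd_control(my_disc: int, your_disc: int, auth_type: Optional[int] = None) -> bytes:
    """Construct a sample BFD control packet (State=Down, Detect Mult=3) for testing."""
    auth = b""
    if auth_type is not None:
        # Keyed SHA1 section per RFC 5880 s4.4: Type, Len=28, Key ID, Reserved, Seq, 20-byte digest.
        # The digest is a constructed zero placeholder; a real sender computes it over the packet.
        auth = struct.pack("!BBBBI", auth_type, 28, 1, 0, 0) + b"\x00" * 20
    length = MANDATORY_LEN + len(auth)
    b1 = (1 << 6) | (0x04 if auth else 0)  # State=Down, A bit only when auth section follows
    hdr = struct.pack("!BBBBIIIII", (1 << 5), b1, 3, length,
                      my_disc, your_disc, 1_000_000, 1_000_000, 0)
    return hdr + auth


if __name__ == "__main__":
    authed = build_bfd_control(0x1234, 0, auth_type=4)
    print(admit_bfd_packet("192.0.2.10", authed, set()))      # accept: create unsolicited session
    print(admit_bfd_packet("198.51.100.7", authed, set()))    # drop: source not in allowed subnet
    print(admit_bfd_packet("192.0.2.10", build_bfd_control(0x1234, 0), set()))  # drop: authentication required
```

The allow-list and authentication checks only run for packets that would create a session, which is where the operational trade-off in the thread sits: the filter stands in for hundreds of pre-configured peers, and the authentication requirement can be relaxed with `require_auth=False` for an environment the operator treats as trusted.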