IETF Logo Mail Archive

Re: I-D Action: draft-ietf-bfd-optimizing-authentication-06.txt

Greg Mirsky <gregimirsky@gmail.com> Tue, 16 October 2018 04:25 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00F5E127333 for <rtg-bfd@ietfa.amsl.com>; Mon, 15 Oct 2018 21:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fWlprsKc_1UP for <rtg-bfd@ietfa.amsl.com>; Mon, 15 Oct 2018 21:25:16 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02A1B1286E3 for <rtg-bfd@ietf.org>; Mon, 15 Oct 2018 21:25:13 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id 63-v6so19542422ljs.4 for <rtg-bfd@ietf.org>; Mon, 15 Oct 2018 21:25:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ItKiYCCb9p8d/qrogaH5g8pswzzZukaucVCgUtjsfDo=; b=KRgQW0xaeTjS0tduyDovf6RXNv5cbXiVf6+/QKwNGVm3GOcKysmtf4pobCKbBLmdpB H//8s4YCCNdXtC4DQ58z6ZKTvA9WgxB7PD8q5pH+3JfqIdfpIgmSKfRuDxsIpklzDCqj X3xQu3wbsHc+rcu6PIK5c3/ca6JmdbRD6K6JgkDUtAuPfc30/nE0lktuKC2ef7G9u4ro 0bzOtvtl1TQtMYE3czf3SMDcY4dQGyOtWn/TJ+kg8FX08XvBJHLCCWTLht/USIfrk5r0 9VWneVVVrNe+6tnekRX04XEyEOkPjxses5H/tzqvXU4TgeR65QZYIsPAltVPhs0GP0f6 ah1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ItKiYCCb9p8d/qrogaH5g8pswzzZukaucVCgUtjsfDo=; b=R0uSaABUDrxXx4kZ7IVC+POFK8wSytNzXglAWPaBsGU/srEIo8s+toqsylMiP2nDK9 qbgV5Mvare4Gi7h9hvuF2QIeZC5eASvBLluF3gbfhXG/Ktkk7ryyZKXVaazRZZkaRlpc xkiLQZJ/9hPWE9thbe6bwAlEemKPYKjWzxWn0meT/dPvlW9xs4/E1jq/oW22VHnRpT+j /P6fgagECqx+pr/FOKOpHYNdNgoBhOFqoG2VunswU0dtHoziKe1RWhT7SWIGagRUdC6t 83m43KH5hEYEgnhAXW3EYpN9UiIEZOM4mCZWmNudPE0Ludz/h6kCXWUetZQ+LgpTho50 FvwA==
X-Gm-Message-State: ABuFfojFwtUIm81AMeOTcfabYl2cOIHsEn4DMcW9yWagk3hAANNoHyGH IIgmUoFMaufjDcV4i9639Sbz5nbZX0Nf/D14KoU=
X-Google-Smtp-Source: ACcGV61hNNdR4cpt3NF6saTL8N+ed5EvFPcSCw+2JlFYtjZixiGeeiBTj0etHXCTCetT0UxxQLjz+Tg1HtNSIAd4j5A=
X-Received: by 2002:a2e:800e:: with SMTP id j14-v6mr12232654ljg.114.1539663910729; Mon, 15 Oct 2018 21:25:10 -0700 (PDT)
MIME-Version: 1.0
References: <153930035253.7105.12758186259660848661@ietfa.amsl.com> <D4B8FC5E-7FCE-4E53-A00C-BFE1530F56FC@gmail.com> <CA+RyBmXMOJOamDDk4bJu3tvgPCRet4=1GZEZJBobrxDPxkB6jA@mail.gmail.com> <8FC1854D-DA08-48FB-A291-B293AB1464EF@gmail.com>
In-Reply-To: <8FC1854D-DA08-48FB-A291-B293AB1464EF@gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Mon, 15 Oct 2018 21:24:59 -0700
Message-ID: <CA+RyBmWQ1MkAh8eAm2mYEczPGL=y9HYFMvRjj-P50JFiiqOGGA@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-bfd-optimizing-authentication-06.txt
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: rtg-bfd WG <rtg-bfd@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000078fde8057850f050"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/pjMBLjZn5LbPknfMdzEGUvYl-hs>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 04:25:19 -0000

Hi Mahesh,
thank you for your quick response. The comment regarding the state change,
as I understand from the minutes, came from Jeff.
Yes, the question was about the periodic authentication in Up state. I
believe that at the meeting WG arrived at a very good solution and we've
agreed to make the appropriate changes in the document. I don't think that
the current version reflects the WG decision that in Up state authenticated
BFD control packets are transmitted periodically in sets of not less than
Detect Multiplier.

Regards,
Greg

On Mon, Oct 15, 2018 at 10:26 AM Mahesh Jethanandani <
mjethanandani@gmail.com> wrote:

> Hi Greg,
>
> But *all* packets that indicate a state change are authenticated. That
> has been the original premise of the draft, with or without a Detect
> Multiplier.
>
> For example, we say in Section 1
>
>    This document proposes that only BFD frames that signal a state
>    change in BFD be authenticated.
>
>
> The only question was with a steady stream, and no state change, how many
> authenticated packets needed to be sent to thwart a MITM attack.
>
> Cheers.
>
>
> On Oct 13, 2018, at 1:10 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
>
> Hi Mahesh, Authors, et. al,
> thank you for your thoughtful consideration of the discussion in Montreal.
> I've checked the changes in the new version and I think that the agreement
> we've reached was not merely recommend that the authenticated BFD Control
> packets be sent as series of at least Detect Multiplier packets but
> require, i.e., make it mandatory for both periodic and state change modes.
> Here's the quote from the minutes:
>     Jeff Haas: one possibility is to send detect multiplier number of
> consecutive authenticated packets, then the session will go down if
> authentication packets fail validation.
>     Greg Mirsky: does that require use of P/F procedure?
>     Jeff Haas: P/F is not needed, we send consecutive authenticated packets
>     Mahesh Jethanandani: we can make that change.
>     Reshad Rahman: is there a need to do the same for state change?
>     Mahesh Jethanandani: every state change packet has to be authenticated.
>     Jeff Haas: for pedantic reasons, when making the state change we
> should do the same. On P/F sequence we should do    this for the new
> multiplier if it’s longer. We’ll take this back to the mailing list.
> Thus I suggest to consider changes along the following:
> OLD TEXT:
>  To detect a Man In the Middle (MITM)
>    attack, it is also proposed that a non-state change frame be
>    authenticated occasionally.  The interval of this non-state change
>    frame can be configured depending on the detect multiplier and the
>    capability of the system.  As an example, this could be equal to the
>    detect multiplier number of packets.
> NEW TEXT:
>   To detect a Man In the Middle (MITM)
>    attack, it is also proposed that a non-state change set of
> authenticated frames be
>    sent occasionally.  The number of consecutively transmitted
> authenticated BFD control packets in the set
>    MUST be not lesser than the value of the Detect Multiplier and the
> interval between such non-state change
>    set of frames can be configured depending on the
>    capability of the system.
> If acceptable, similar change should be made to the following text:
>    Authenticating a small subset of these frames, for example, a detect
>    multiplier number of packets per configured period, significantly
>    reduces the computational demand for the system while maintaining
>    security of the session across the configured authentication periods.
> to change from recommendation "for example" to stronger normative language.
>
> Regards,
> Greg
>
> On Thu, Oct 11, 2018 at 4:31 PM Mahesh Jethanandani <
> mjethanandani@gmail.com> wrote:
>
>> This version of the draft addresses comments received at IETF 102 as part
>> of LC. At this point, the authors believe that this document, along with
>> draft-ietf-bfd-secure-sequence-numbers and draft-ietf-bfd-stability are
>> ready for IESG.
>>
>> Thanks.
>>
>> > On Oct 11, 2018, at 4:25 PM, internet-drafts@ietf.org wrote:
>> >
>> >
>> > A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> > This draft is a work item of the Bidirectional Forwarding Detection WG
>> of the IETF.
>> >
>> >        Title           : Optimizing BFD Authentication
>> >        Authors         : Mahesh Jethanandani
>> >                          Ashesh Mishra
>> >                          Ankur Saxena
>> >                          Manav Bhatia
>> >       Filename        : draft-ietf-bfd-optimizing-authentication-06.txt
>> >       Pages           : 7
>> >       Date            : 2018-10-11
>> >
>> > Abstract:
>> >   This document describes an optimization to BFD Authentication as
>> >   described in Section 6.7 of BFD RFC5880.
>> >
>> >
>> >
>> > The IETF datatracker status page for this draft is:
>> >
>> https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/
>> >
>> > There are also htmlized versions available at:
>> > https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-06
>> >
>> https://datatracker.ietf.org/doc/html/draft-ietf-bfd-optimizing-authentication-06
>> >
>> > A diff from the previous version is available at:
>> >
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-optimizing-authentication-06
>> >
>> >
>> > Please note that it may take a couple of minutes from the time of
>> submission
>> > until the htmlized version and diff are available at tools.ietf.org.
>> >
>> > Internet-Drafts are also available by anonymous FTP at:
>> > ftp://ftp.ietf.org/internet-drafts/
>> >
>>
>> Mahesh Jethanandani
>> mjethanandani@gmail.com
>>
>>
>>
>>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
>
>
>

v2.23.0 | Report a Bug | By Email