Comments on draft-ietf-bfd-generic-crypto-auth
"Nobo Akiya (nobo)" <nobo@cisco.com> Mon, 14 April 2014 17:23 UTC
Return-Path: <nobo@cisco.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A2491A069E for <rtg-bfd@ietfa.amsl.com>; Mon, 14 Apr 2014 10:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -113.373
X-Spam-Level:
X-Spam-Status: No, score=-113.373 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Sn1AtPi2aOy for <rtg-bfd@ietfa.amsl.com>; Mon, 14 Apr 2014 10:23:22 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id D37441A04C1 for <rtg-bfd@ietf.org>; Mon, 14 Apr 2014 10:23:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2961; q=dns/txt; s=iport; t=1397496199; x=1398705799; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=y2IZmxuQ7wlxMKrkv8VHhZrrjMrB+vrKvvcKbWe+KYI=; b=lEgNSr4sQ/lJCtccOKfBX0+d7Klpt4qqFUo9YQmrytBwaEeIjlChgK5D SdD6YlKfpaJofg7TBwdD2zlMVNuAgYSycucKwxl6s6yLq7cBbkFv37vkV 9EF44OYR0CZyogs1wdJrAydIAGrvqISETloPTMEeFiYW9Snn+0Wq8wvr0 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag0FAMwYTFOtJA2H/2dsb2JhbABZgmUhgRLDJoEkFnSCJwEEOj8SASoUQiYBBA4Nh3QBy2wXiUaEdzGDK4EUBJR0ljCDMYIr
X-IronPort-AV: E=Sophos;i="4.97,858,1389744000"; d="scan'208";a="314585593"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by rcdn-iport-9.cisco.com with ESMTP; 14 Apr 2014 17:23:19 +0000
Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id s3EHNJgh007871 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 14 Apr 2014 17:23:19 GMT
Received: from xmb-aln-x01.cisco.com ([fe80::747b:83e1:9755:d453]) by xhc-aln-x11.cisco.com ([173.36.12.85]) with mapi id 14.03.0123.003; Mon, 14 Apr 2014 12:23:18 -0500
From: "Nobo Akiya (nobo)" <nobo@cisco.com>
To: "draft-ietf-bfd-generic-crypto-auth@tools.ietf.org" <draft-ietf-bfd-generic-crypto-auth@tools.ietf.org>
Subject: Comments on draft-ietf-bfd-generic-crypto-auth
Thread-Topic: Comments on draft-ietf-bfd-generic-crypto-auth
Thread-Index: Ac9YBPKPaFZoutd+S+2hfnRg0bnzxw==
Date: Mon, 14 Apr 2014 17:23:17 +0000
Message-ID: <CECE764681BE964CBE1DFF78F3CDD3941E107BCA@xmb-aln-x01.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [161.44.212.138]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/rtg-bfd/tN5zscgDFb3hTtXSF3bJSBu1LVE
Cc: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 17:23:23 -0000
Hi Authors,
I have reviewed your draft (draft-ietf-bfd-generic-crypto-auth ), comments below.
Since document is nearing expiration, perhaps you can address some of these comments and re-publish?
(1) Abstract
s/arbitary/arbitrary/
(2) Section 2
Before listing "Not Before Time" and "Not After Time", it'll be great if the document can provide some words to better transition from previous paragraph.
(3) Section 3.3
[snip]
The device MUST fill the Auth Type and the Auth Len fields before the
authentication data is computed. The Sequence Number field MUST be
set to bfd.XmitAuthSeq.
[snip]
The paragraph is slightly confusing wrt whether Sequence Number field need to be set before or after authentication data is computed. It'll be good to clarify this.
(4) Section 3.4, second paragraph
[snip]
If the Authentication Present (A) bit is set in the packet header and
the receiver will try to find a appropriate BFD SA in its local key
table to process the packet.
[snip]
I believe you meant to say:
If the Authentication Present (A) bit is set in the packet header and
Auth Type is TBD1 or TBD2, the receiver is to find an appropriate BFD
SA in its local key table to process the packet.
See below for usage of TBD1/TBD2.
(5) Section 3.4, fourth paragraph
Is it better to say "unsigned 64 bit circular number space" here, or keep it as "unsigned 32 bit circular number space"? If latter, then the document should clarify that it's low order 32 bits.
(6) Section 3.4, sixth paragraph
[snip]
In such a case, an error event SHOULD be logged.
[snip]
Such log could become DoS attack point? Rate limiting of such log is outside the scope of this document, but it could be beneficial to explain this in the Security Considerations section ... optional comment though.
(7) IANA Considerations
Indeed values 6 and 7 are next, but it's technically not correct to just use them [yet].
Can we use TBD1 and TBD2? If someone is implementing and early allocation is required, then we can do that.
Also it'll be beneficial for this section to clearly describe what is needed from where. Maybe something like:
IANA is requested to assign two authentication types from the
"BFD Authentication Types" sub-registry within the "Bidirectional
Forwarding Detection (BFD) Parameters" registry.
Address BFD Authentication Type Name Reference
------- --------------------------------------- -------------
TBD1 Cryptographic Authentication this document
TBD2 Meticulous Cryptographic Authentication this document
(8) Security Considerations
s/reestablishing/re-establishing/
(9) References
RFC5880 should be a normative reference instead of informative, as document is even referencing a variable from RFC5880 (ex: bfd.XmitAuthSeq).
-Nobo
- Comments on draft-ietf-bfd-generic-crypto-auth Nobo Akiya (nobo)
- Re: Comments on draft-ietf-bfd-generic-crypto-auth Mahesh Jethanandani
- RE: Comments on draft-ietf-bfd-generic-crypto-auth Nobo Akiya (nobo)