IETF Logo Mail Archive

Re: Alvaro Retana's Discuss on draft-ietf-bfd-unsolicited-11: (with DISCUSS and COMMENT)

Jeffrey Haas <jhaas@pfrc.org> Tue, 21 March 2023 01:21 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E646C14F736; Mon, 20 Mar 2023 18:21:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zkrMW9p1hkRw; Mon, 20 Mar 2023 18:21:53 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 69B34C14F75F; Mon, 20 Mar 2023 18:21:51 -0700 (PDT)
Received: from smtpclient.apple (104-10-90-238.lightspeed.livnmi.sbcglobal.net [104.10.90.238]) by slice.pfrc.org (Postfix) with ESMTPSA id B1FEB1E037; Mon, 20 Mar 2023 21:21:50 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Subject: Re: Alvaro Retana's Discuss on draft-ietf-bfd-unsolicited-11: (with DISCUSS and COMMENT)
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <167103067462.48163.5620864981176514078@ietfa.amsl.com>
Date: Mon, 20 Mar 2023 21:21:50 -0400
Cc: The IESG <iesg@ietf.org>, draft-ietf-bfd-unsolicited@ietf.org, bfd-chairs@ietf.org, rtg-bfd@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A0FD440A-10B3-48DD-B788-AA01D6ABD4DA@pfrc.org>
References: <167103067462.48163.5620864981176514078@ietfa.amsl.com>
To: Alvaro Retana <aretana.ietf@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/xG4WoEgbuw7JN20vyHU86VpVU0U>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2023 01:21:54 -0000

Alvaro,

On Dec 14, 2022, at 10:11 AM, Alvaro Retana via Datatracker <noreply@ietf.org> wrote:
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> (1) The Introduction makes several claims that must be developed further or
> eliminated to avoid further confusion.
> 
> (1a)
> 
> 131        The procedure described in this document could be applied to BFD for
> 132        Multihop paths [RFC5883].  However, because of security risks, this
> 133        document applies only to BFD for single IP hops [RFC5881].
> 
> At first glance, I didn't see anything in rfc5883 that would prevent a node in
> the passive role from following this specification.  What am I missing?
> 
> Aren't the security risks already addressed in rfc5883?

The operational difference is that if you can't use GTSM, you're enabling BFD sessions to be created multiple hops away, potentially with low requirements for authentication.  In the absence of authentication, BFD sessions can be created with asymmetric parameters such that an attacker can keep a session open with a small number of BFD packets while the system running the unsolicited procedures was busy sending packets at a much higher rate.

BFD procedures will prevent a session from moving to Up via blind packet injection due to Discriminators needing to be exchanged.

The possibility thus exists to utilize unsolicited BFD as a packet amplification attack.

Thus, it's not a generally good use case.

Strong authentication, as noted, may permit this to be a useful feature.  However, it's not the expected (nor deployed) use case.


> 
> (1b)
> 
> 135        Compared to the "Seamless BFD" [RFC7880], this proposal involves only
> 136        minor procedural enhancements to the widely deployed BFD itself.
> 137        Thus we believe that this proposal is inherently simpler in the
> 138        protocol itself and deployment.  As an example, it does not require
> 139        the exchange of BFD discriminators over an out-of-band channel before
> 140        BFD session bring-up.
> 
> Given that this proposal claims to be better (or at least simpler) than S-BFD,
> what should an operator consider when deciding which to use?  Are they covering
> similar use cases?  If this is so much better, why is rfc7880 not deprecated?

S-BFD is a fancy ping mechanism.  Unsolicited BFD permits both sides to participate in actively testing the connection.  Different use cases.

> 
> 
> 468        *  Deploy the feature only in certain "trustworthy" environment,
> 469           e.g., at an IXP, or between a provider and its customers.
> 
> If this measure is mandatory, please expand on what a ""trustworthy"
> environment" is.

It's hard to believe this is a serious comment.  "You'll know it when you see it?"  

That said, what words would you prefer to see here?

-- Jeff

v2.23.0 | Report a Bug | By Email