Re: New Version Notification for draft-ietf-bfd-optimizing-authentication-02.txt

Mahesh Jethanandani <mjethanandani@gmail.com> Sun, 26 March 2017 02:38 UTC


> On Mar 24, 2017, at 1:33 PM, Reshad Rahman (rrahman) <rrahman@cisco.com> wrote:
> 
> Hi Mahesh,
> 
> Couple of questions/comments:
> 
> 1) I thought the secure sequence number was needed for the NULL Auth TLV
> in the optimizing-authentication draft (to make NULL Auth TLV more secure
> as per comments from security folks). I guess it could be used with full
> authentication also. So I don¹t understand how secure sequence number can
> be used ³standalone² as seems to be implied by your cost/benefit table
> below.

Sequence number obfuscation is not a replacement for optimized or full authentication. On a spectrum from no authentication to full authentication, I view obfuscation of sequence numbers, deployed by itself, somewhere in the middle to prevent a MITM attack. It does not prevent the packet from being modified, but the session cannot be taken over by MITM, therefore the medium benefit.

Its true benefit, however, comes from it being used in optimized authentication. I do not see a particular advantage when full authentication is done.

> 2) Section 2 mentions "If the two ends have not previously negotiated
> which frames they will transmit or receive with authentication enabled,
> then the BFD session will fail to come up, because at least one end will
> expect every frame to be authenticated." How is this negotiation done? Or
> is this done via configuration aka outside the scope of this document?

That is correct.

Mahesh Jethanandani
mjethanandani@gmail.com
> 
> 
> Regards,
> Reshad.
> 
> On 2017-03-22, 9:57 PM, "Rtg-bfd on behalf of Mahesh Jethanandani"
> <rtg-bfd-bounces@ietf.org on behalf of mjethanandani@gmail.com> wrote:
> 
>> 
>>> On Mar 22, 2017, at 12:35 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>>> 
>>> This update is scheduled to be discussed at the upcoming session at
>>> IETF-98
>>> in Chicago.  
>>> 
>>> The likely discussion is whether the new draft from Sonal should be
>>> specifically tied to the advancement of the optimization draft.  Our
>>> prior
>>> discussion with Alan had suggested some concern about the sequence
>>> number
>>> issues when we're using NULL authentication.
>>> 
>>> I suspect some good discussion will happen on this topic at the upcoming
>>> session and encourage the members of the Working Group to read both
>>> drafts
>>> in preparation.
>> 
>> Yes, it would be helpful to read both the drafts in preparation for the
>> discussion.
>> 
>> Optimized authentication is not a substitute for sequence number
>> obfuscation draft, and vice-versa. They offer different levels of
>> cost/benefit, where
>> 
>> Draft                        Cost    Benefit
>> =====                        ====    =======
>> sequence number obfuscation  Low     Medium (does not authenticate the complete packet)
>> optimized authentication     Medium  High (authenticates entire "state change" packets)
>> full authentication          High    High (authenticates all packets)
>> 
>>> 
>>> -- Jeff
>>> 
>>>> On Jan 3, 2017, at 4:37 PM, internet-drafts@ietf.org wrote:
>>>> 
>>>> 
>>>> A new version of I-D, draft-ietf-bfd-optimizing-authentication-02.txt
>>>> has been successfully submitted by Mahesh Jethanandani and posted to
>>>> the
>>>> IETF repository.
>>>> 
>>>> Name:        draft-ietf-bfd-optimizing-authentication
>>>> Revision:    02
>>>> Title:        Optimizing BFD Authentication
>>>> Document date:    2017-01-05
>>>> Group:        bfd
>>>> Pages:        8
>>>> URL:           https://www.ietf.org/internet-drafts/draft-ietf-bfd-optimizing-authentication-02.txt
>>>> Status:        https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/
>>>> Htmlized:      https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-02
>>>> Diff:          https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-optimizing-authentication-02
>>>> 
>>>> Abstract:
>>>> This document describes an optimization to BFD Authentication as
>>>> described in Section 6.7 of BFD [RFC5880].
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>> 
>>>> The IETF Secretariat
>
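To make the "full" and "optimized" rows of the cost/benefit table and the mode-mismatch failure from question 2 concrete, here is an added Python model written for this note; it is not code from the draft or from any BFD implementation. It assumes a shared key, a Down -> Init -> Up -> Up -> Up frame sequence, and an HMAC-SHA1 over the state name as a stand-in for RFC 5880's packet-wide Keyed SHA1; the NULL auth section is modelled as an absent digest.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

KEY = b"constructed-shared-key"  # constructed secret for this example only

@dataclass
class Frame:
    state: str            # BFD session state carried in the control packet
    tag: Optional[bytes]  # None models a NULL Auth section (no digest)

def _tag(state: str) -> bytes:
    # Stand-in for RFC 5880 Keyed SHA1: here only the state name is covered.
    return hmac.new(KEY, state.encode(), hashlib.sha1).digest()

def build_frame(mode: str, prev_state: str, state: str) -> Frame:
    """Sender: 'full' authenticates every frame, 'optimized' only frames
    that change the session state (the table's middle row)."""
    if mode == "full" or state != prev_state:
        return Frame(state, _tag(state))
    return Frame(state, None)

def accept_frame(mode: str, prev_state: str, frame: Frame) -> bool:
    """Receiver: a 'full' receiver needs a digest on every frame; an
    'optimized' receiver tolerates a NULL section only on frames that do
    not change state. Any digest that is present must verify."""
    if frame.tag is None:
        return mode == "optimized" and frame.state == prev_state
    return hmac.compare_digest(frame.tag, _tag(frame.state))

def direction_ok(tx_mode: str, rx_mode: str) -> bool:
    """Drive Down -> Init -> Up, then steady-state Up frames, one way.
    True only if the receiver accepts every frame (assumed sequence)."""
    tx_prev = rx_prev = "Down"
    for state in ("Init", "Up", "Up", "Up"):
        frame = build_frame(tx_mode, tx_prev, state)
        if not accept_frame(rx_mode, rx_prev, frame):
            return False
        tx_prev = rx_prev = state
    return True

def session_comes_up(mode_a: str, mode_b: str) -> bool:
    """BFD is bidirectional: both directions must pass, so a mode mismatch
    fails because one end expects every frame to be authenticated."""
    return direction_ok(mode_a, mode_b) and direction_ok(mode_b, mode_a)
```

Matching modes on both ends bring the session up; an optimized sender paired with a full receiver fails at the first steady-state Up frame that carries a NULL section.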