Re: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)

Alan DeKok <aland@deployingradius.com> Thu, 28 April 2022 13:19 UTC

Subject: Re: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)
From: Alan DeKok <aland@deployingradius.com>
Date: Thu, 28 Apr 2022 09:19:22 -0400
Cc: Gļebs Ivanovskis <glebs@mikrotik.com>, rtg-bfd WG <rtg-bfd@ietf.org>
To: Greg Mirsky <gregimirsky@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/y3LklNe8_tsAmbk-XiZTP0RdXNk>

On Apr 27, 2022, at 7:58 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
> You've suggested:
> It would be good to say that packets which fail authentication MUST NOT affect the BFD state.
> I think that a BFD Control message that failed validation, and I consider authentication a part of the validation process, MUST be discarded. If the number of consecutively discarded packets causes the Detection Timer associated with the BFD session to expire, then the state of this BFD session MUST be changed to Down. Thus, I think that packets that failed authentication affect the BFD state in the same manner as packets that failed any other step of the validation process.

  I would phrase this carefully:

  Packets which fail authentication are treated as if they do not exist.  Since no valid packets are received, the BFD state may change due to timers.  But those timers are entirely unrelated to the bad packets, or the contents of those packets.

  The act of receiving a bad packet MUST NOT result in a change in BFD state.  The contents of a bad packet MUST NOT cause a change in BFD state.

  Alan DeKok.
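As an added illustration of the distinction drawn above (a constructed model, not code from this thread or from any BFD implementation): a packet that fails keyed-digest validation is dropped without touching session state or the receive timestamp, and only Detection Timer expiry moves the session Down. The key, the detection time and the keyed-digest helper are assumptions, and the helper is a simplified stand-in rather than the exact RFC 5880 wire layout.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; a real deployment configures the key per session.
KEY = b"constructed-demo-key"

def keyed_digest(key: bytes, packet: bytes) -> bytes:
    """Simplified stand-in for an RFC 5880 keyed SHA1 digest (assumption:
    key padded to 20 bytes and hashed with the packet; not the exact wire layout)."""
    return hashlib.sha1(key.ljust(20, b"\0") + packet).digest()

@dataclass
class BfdSession:
    state: str = "Up"
    detect_time: float = 3.0     # Detection Time in seconds (constructed value)
    last_valid_rx: float = 0.0   # arrival time of the last packet that passed validation

    def receive(self, now: float, packet: bytes, digest: bytes) -> str:
        """Authentication is one step of validation: a packet that fails it is
        discarded as if it never existed and touches neither state nor timer."""
        if not hmac.compare_digest(keyed_digest(KEY, packet), digest):
            return "discarded"
        self.last_valid_rx = now
        # A validated packet may drive the state machine; here a validated
        # "Up" simply keeps the session Up (full state machine omitted).
        return "accepted"

    def tick(self, now: float) -> str:
        """Only Detection Timer expiry moves the session Down, independent of
        anything a discarded packet claimed."""
        if self.state == "Up" and now - self.last_valid_rx > self.detect_time:
            self.state = "Down"
        return self.state

def run_demo() -> list:
    """Replay a constructed timeline; each row is (event, state, last_valid_rx)."""
    s = BfdSession()
    trace = []
    good = b"BFD Up"
    trace.append((s.receive(1.0, good, keyed_digest(KEY, good)), s.state, s.last_valid_rx))
    bad = b"BFD AdminDown"   # constructed packet with a bogus digest claiming AdminDown
    trace.append((s.receive(2.0, bad, b"\0" * 20), s.state, s.last_valid_rx))
    trace.append(("tick", s.tick(2.5), s.last_valid_rx))  # within detect_time: still Up
    trace.append(("tick", s.tick(4.5), s.last_valid_rx))  # Detection Timer expired: Down
    return trace

if __name__ == "__main__":
    for row in run_demo():
        print(row)
```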