Re: Comments on secure sequence number draft

Ashesh Mishra <> Sun, 01 April 2018 14:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ADFD9126B7E; Sun, 1 Apr 2018 07:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8u8vjn8mh_os; Sun, 1 Apr 2018 07:07:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0800312422F; Sun, 1 Apr 2018 07:07:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=kRglhTZyhupClK90jmuQokVwg9vdSDYpbS31b86FhVM=; b=jNtodmeK+OmyWj8TKv3+HsEovWY9Cg0PfS7Xnj7vT+Stqi0KYrjOJBrRQ+tQzwphORhE/57JO+T+MQsNkb01eWIB7GuDG4bHkOsqw/nucDidy6jpVIE59sDkbf+EGV2mz3mVqhgmnA5Aqk/sBGMvOrEDr3LaNF9wYzzXgBZz8rB+CRZ3l39d1+DVWWmCWRRFGUhoNi0Ct4LnNSdwDst381kHwwolzNOaJv/pUvxh2UdIaDauOhy19x0X5/U+h5GrRirrl/EZrvlr/SQ9MkwQniNk1s4H8bav1Xzn+GS9tO5kfWKStC3hsaI/XTjTatcszAMsnFK4bkefmSLwZWwQqg==
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.631.7; Sun, 1 Apr 2018 14:07:04 +0000
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.631.7 via Frontend Transport; Sun, 1 Apr 2018 14:07:04 +0000
Received: from ([fe80::a5f3:348:c9a1:1754]) by ([fe80::a5f3:348:c9a1:1754%3]) with mapi id 15.20.0631.013; Sun, 1 Apr 2018 14:07:04 +0000
From: Ashesh Mishra <>
To: Jeffrey Haas <>, "" <>, "" <>
Subject: Re: Comments on secure sequence number draft
Thread-Topic: Comments on secure sequence number draft
Thread-Index: AQHTxrauLV/wJdX/MEqu8zTlAaSnU6Pr9Tre
Date: Sun, 01 Apr 2018 14:07:03 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-incomingtopheadermarker: OriginalChecksum:F2EE71DD01AC022823A158B6C028C68B63C09C7978398F761CDA2E8D73D2BCA7; UpperCasedChecksum:A8910FBADCAFE3D497956BF66D43EA6AC5FA04FE6BB37501F756644BFA684D8E; SizeAsReceived:7150; Count:46
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [cJJAxLk1W07M6KlR2Ef04ckX4+daTh0Y]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2NAM03HT032; 7:Fw4ZOp/eh0IPChoGK1FgLfT1nqlWIZN24IKgUatfPwZn2IMPY6EX3HbfndC0fr/Ym4zkd0GZAOdRX8fWd2esvr1+tXHkmxwnwN63TsNOOlfypaoXvksOiJ2Dr/GlWt4hcwpGVRHT/qKSmkNMb2DJv16FyDbwtzQRoY8NJ0F7ZU+BWeYrRX2rWQJ4+h05hNG40yWG0Iuco5s/IArnd2XgyixSgZl0998M4TpNwldx4Ec5xSwpa/WMqRBACc5QdQRv
x-incomingheadercount: 46
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1601125374)(1603101448)(1701031045); SRVR:BY2NAM03HT032;
x-ms-traffictypediagnostic: BY2NAM03HT032:
x-ms-office365-filtering-correlation-id: 56dd6e44-5a80-4f01-cf16-08d597d9d8a5
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:BY2NAM03HT032; BCL:0; PCL:0; RULEID:; SRVR:BY2NAM03HT032;
x-forefront-prvs: 06290ECA9D
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:BY2NAM03HT032;; FPR:; SPF:None; LANG:;
x-microsoft-antispam-message-info: rnOGD5sOV9aKzN/elL5i5s9gnltPC3p0EpFvkKK7SUWW30Sux0Ygx6rTXWCm5GmtImlF1EmiEguAsxyIXm/n9c/7qFQ1Stgfdrk/XKCvN+WCAf61wctkxOBuimggyxPYg947e2OQTHTkhjYzA/ZRLMNR4Aqe63mxnFXquPSpRFstjE5XMYR1Hs5qmARFhSRl
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BL0PR0102MB3345E7EC829E7C74BE5A41A0FAA70BL0PR0102MB3345_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 56dd6e44-5a80-4f01-cf16-08d597d9d8a5
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2018 14:07:03.7329 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2NAM03HT032
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 01 Apr 2018 14:07:07 -0000

Hi Jeff,

You noted a couple if great questions. Since there aren't any more fields left in the BFD packet or TLVs to overload for this function (the AUTH TYPE field, which is the only usable field for overloading, is being used for defining new TLVs so we didn't want to use it as this method doesn't change the packet format), the clean way to configure secure sequence numbers is by coordinating configuration on the two end-points (the keys will need to be configured on each end point, so the knob to turn the feature on can reside there as well).

It would have been infinitely simpler if there was an "experimental" or "future use" field in the BFD packet :)

I'll defer the YANG question to our YANG expert author, Mahesh.

I'll add text to the security considerations.



From: Rtg-bfd <> on behalf of Jeffrey Haas <>
Sent: Wednesday, March 28, 2018 10:03:35 AM
Subject: Comments on secure sequence number draft


A few comments on your draft in no particular order:

Operational Considerations:
- How do you go about enabling this feature?
  + It's independent of, but recommended for, optimizing BFD authentication.
- What are the yang considerations?
  + Similar point - changes to the yang model for optimizing authentication
    likely need this as a separate knob.

- The Security Considerations section is empty.  That needs to be fixed.

-- Jeff