IETF Logo Mail Archive

Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt

Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 19 September 2022 17:40 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92B10C14CF11; Mon, 19 Sep 2022 10:40:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SrSJFGTADeVK; Mon, 19 Sep 2022 10:39:57 -0700 (PDT)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40776C14F74C; Mon, 19 Sep 2022 10:39:57 -0700 (PDT)
Received: by mail-pl1-x631.google.com with SMTP id l10so28527992plb.10; Mon, 19 Sep 2022 10:39:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date; bh=vdsAlANleeIcpd0I5lMbtxF2w6zTPyhZrcscXyzDlNc=; b=J8n6rcuTt2VIzUWXObkRwbnvLqzF31ZTY2eZOXtaG+NVE8PD0ursMyFMTcmPcgM5Tl Z35Ht1xVsR+K44wNtMNhC500h4dVNA+KgKx1Z0xZrNv9xJ23h6FbLL7mdDq/78RhlV8o NopRlcTeMfHymck97MJGIkpt0b04aX5qB+khLHFjAI2rvoqzYKDQTEBusJpi87Fpe2os IIFyLWIW1/uoOFTzHjN0qHmcRzckXs+vpDZxxbiNRgCCImcNO6/B/ESyXSthsP+dSsAM mxXknzUrBiYsz14DDaVe9psrteqgEVqbp6Bk/WpyBAD4O1hTaP0xpCvvGgSJoyywFJ22 gBZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date; bh=vdsAlANleeIcpd0I5lMbtxF2w6zTPyhZrcscXyzDlNc=; b=7lhh1oHLARhEVmXcpGqoAH1M3wNhy41fDtjREtGYX+mtJhJjDyQmQktPKc9OeuP/5I UF9Rg1K6ptKzMI6NLCVviTBsVkqcguNq0TWbyQEPCPWWWT6FoZ4JpTe4CgTA5yeOm7nK JHcTd6eTAfEmaFNzjoQdWlNLKdXQkywM6A3VrJQLwiEa+y4IAg6YEYW9JikzcJaVJoE0 oeRUolhfuU08Kjk8E0zcEnlJYKrAchywdvYIL9PsJkEtjPG2RsRzLe1FyjeFPbMAVY8w PQZ1USoZvcr09jTo3cRg5kwCWd931splTRhe6KLpjJihDNIpWA3AuqrKGnQG1Sdjl9iY 6zDw==
X-Gm-Message-State: ACrzQf3o1np5LR9ui6ntdw3HJQtfvBI2iPyPFhB7Nu+ARLH/cqpX8rDk rhf0PZydlNxgQSAgkqEEjPO/jJYD4jA=
X-Google-Smtp-Source: AMsMyM4rj1WgKDvRYeEQ34kNy//xG2UcE+nwOGmOfxke1R1S3qd2LXUkNneEpxXRMe0k5VVtqFNopw==
X-Received: by 2002:a17:902:ec84:b0:176:c1e3:3ad7 with SMTP id x4-20020a170902ec8400b00176c1e33ad7mr888849plg.24.1663609196198; Mon, 19 Sep 2022 10:39:56 -0700 (PDT)
Received: from [192.168.1.186] (c-69-181-169-15.hsd1.ca.comcast.net. [69.181.169.15]) by smtp.gmail.com with ESMTPSA id d23-20020a170902b71700b00178143a728esm20663074pls.275.2022.09.19.10.39.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Sep 2022 10:39:55 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <166DD252-AFD6-44ED-8B8B-BA5C303B2D18@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D603AE81-132B-45C1-A5E6-F01DA1950F07"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Subject: Re: I-D Action: draft-ietf-bfd-secure-sequence-numbers-08.txt
Date: Mon, 19 Sep 2022 10:39:54 -0700
In-Reply-To: <20210831181255.GB2820@pfrc.org>
Cc: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>, Reshad Rehman <reshad@yahoo.com>, draft-ietf-bfd-secure-sequence-numbers@ietf.org, Jeffrey Haas <jhaas@pfrc.org>
To: Alan DeKok <aland@freeradius.org>
References: <20210405184656.GE12257@pfrc.org> <468C7D1D-7BE2-4759-9D81-0E18725FCA90@freeradius.org> <20210405190821.GF12257@pfrc.org> <14A4DD6D-7002-45A9-8FE4-42B512E97318@freeradius.org> <D48909A0-D7E9-40DA-83DA-CB0327D2D586@gmail.com> <096BC9E7-8877-4EF3-A94B-394AFE0E76E7@freeradius.org> <20210726141455.GA32584@pfrc.org> <211EC22C-F4AB-4FE6-98AB-511C5CE4EB8B@freeradius.org> <20210726144826.GB32584@pfrc.org> <173DA06B-21E7-42A4-8EFF-82AA3D84B338@gmail.com> <20210831181255.GB2820@pfrc.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/zSJKwBazCYPCouVh6NzPQG2VFFc>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2022 17:40:01 -0000

Hi Alan,

Since you asked what can be done to move this document forward, I went digging to find out what was the last communication about it. Here is one of the last e-mail exchange we had on the subject. While the procedure of how sequence numbers could be secured was clear, there were lingering questions on how it would fit within the framework of existing specification and what was the overlap with optimizing authentication.

> On Aug 31, 2021, at 11:12 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> 
> Mahesh,
> 
> Sorry for long delay.
> 
> On Mon, Jul 26, 2021 at 04:25:25PM -0700, Mahesh Jethanandani wrote:
>>> On Jul 26, 2021, at 7:48 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>>> What's being requested is that our specifications have some specificity and
>>> a proposal be made for a suitable mechanism and how it integrates into BFD.
>>> :-)
>> 
>> Here are the set of changes that I propose we make to the draft to bring
>> the specificity that you are requesting. For the introductory part of the
>> document there is no reference to the method being applied to come up with
>> a sequence number. It just states that the sequence number inserted is not
>> the monotonically increasing sequence number. As such no changes are
>> needed there.
> 
> I agree.
> 
>> The change therefore starts in Section 3 - Theory of operation. There are
>> two changes that I see. One has to do with carrying of nonce in the first
>> packet, and the other has to do with existing text in the section.
>> 
>> For the carrying of nonce in the first packet, Alan has already suggested
>> adding the authentication section in the first packet. We will add text to
>> that effect.
> 
> Since this mechanism is intended to work along with
> optimizing-authentication, which implies that we'll be using existing
> authentication mechanisms, how would this be carried?
> 
> A core detail we're dealing with is establishing the expected sequence
> number to run through our hash.  Consider the text from RFC 5880, §6.7.3
> for keyed MD5:
> 
> :     If bfd.AuthSeqKnown is 1, examine the Sequence Number field.  For
> :     Keyed MD5, if the sequence number lies outside of the range of
> :     bfd.RcvAuthSeq to bfd.RcvAuthSeq+(3*Detect Mult) inclusive (when
> :     treated as an unsigned 32-bit circular number space), the received
> :     packet MUST be discarded.  For Meticulous Keyed MD5, if the
> :     sequence number lies outside of the range of bfd.RcvAuthSeq+1 to
> :     bfd.RcvAuthSeq+(3*Detect Mult) inclusive (when treated as an
> :     unsigned 32-bit circular number space) the received packet MUST be
> :     discarded.
> :
> :     Otherwise (bfd.AuthSeqKnown is 0), bfd.AuthSeqKnown MUST be set to
> :     1, and bfd.RcvAuthSeq MUST be set to the value of the received
> :     Sequence Number field.
> 
> Until the implementation is ready to accept sequence numbers, the
> authentication sequence number is unknown.  To use the secure sequence
> number procedures, we have to enter a state where the sequence number is
> known and then we can switch over to the new procedure.

This was one of the questions that we have not addressed in the document. More on it below. I do not know if this overlaps with the seeding of ISAAC question, which we marked as outside the scope of the document.

> 
>> As far as the existing text in the section is concerned, we will replace
>> reference to “symmetric key algorithm” and “symmetric algorithm” with
>> “hash”. As a result, the sender will include a ciphertext that is a 32-bit
>> hash computed using one of the algorithms Alan has suggested using a
>> shared key (that is not necessarily symmetric) and inserted in-lieu of the
>> sequence number of the packet.
> 
> Please make sure the text discusses how that interacts with the
> authenticated packets.  For example, if that authentication over the
> expected sequence number or the computed hash?
> 
> But see below for some alternative thinking.
> 
>> Yes, this draft is about obfuscation of the
>> sequence number field of the packet, not the entire packet.  On reception
>> of the BFD Control packet, the receiver instead of decrypting the
>> ciphertext inserted in-place of the sequence number, will instead compare
>> the ciphertext to pre-computed set of hashes using the same shared key, on
>> the next k expected sequence numbers that are within the BFD Detect
>> Multiplier range. If there is a match, the receiver will replace the
>> ciphertext in the packet with the expected sequence number and pass the
>> frame for further processing. In the case there is no match, it will drop
>> the packet.
> 
> This works for the case where we're having a series of next expected packets
> that do NOT differ from the prior ones aside from sequence number.  That's
> the case we're trying to cover in the optimizing-authentication draft.
> 
> One possibility to consider is that the core use-case for secure sequence
> numbers is to protect in cases where NULL auth was intended to be used.  If
> the the procedure for secure sequence numbers is only intended to cover that
> use case, standard authenticated packets could use clear-text sequence
> numbers.  This provides an entraining step where the sequence numbers are
> known.  Once we're not authenticating the packets and would otherwise shift
> to NULL auth, we move specifically to secure-seq-auth and apply the
> procedures to those packets only.  
> 
> When a state change is necessary, this is indicated by moving to the prior
> expected authentication per optimizing-authentication.

I like this suggestion. We could limit the use of secure-sequence-number when NULL is intended to be used, whereas authenticated packets could use clear-text sequence numbers.

> 
>> There are some similar updates to the Security Considerations section to
>> replace “symmetric algorithm” with “hash”.
>> 
>> Are these set of changes enough to bring the specificity that you are
>> looking for?
> 
> I think we're starting to get there.
> 
> And please note: We really do need a reference light-weight hash function to
> use in this draft before we can publish as an RFC, or perhaps a suite of
> them identified by a registry.  

I am assuming the light-weight hash function you have specified in -09 version of this draft satisfies this requirement.

> 
> If the text above about how we arrive at commonly understood sequence
> numbers seems reasoanble to the draft authors, we can discuss how we encode
> this in the BFD PDU.  Perhaps as one or more auth types that aren't the NULL
> auth type.

I am not clear on how using some other auth type will work. Is the idea to use some other auth mechanism to arrive at a commonly understood sequence number before switching to using secure-sequence-number with NULL auth?

Thanks.

> 
> -- Jeff


Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email