IETF Logo Mail Archive

Re: Request for WG adoption of draft-mahesh-bfd-authentication

"Rajeev G Nair (rajeenai)" <rajeenai@cisco.com> Thu, 26 November 2015 05:35 UTC

Return-Path: <rajeenai@cisco.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CDB51ACE5D; Wed, 25 Nov 2015 21:35:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.485
X-Spam-Level:
X-Spam-Status: No, score=-14.485 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, J_CHICKENPOX_51=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RQATLWgiHq9i; Wed, 25 Nov 2015 21:35:34 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7579B1ACE5C; Wed, 25 Nov 2015 21:35:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18032; q=dns/txt; s=iport; t=1448516134; x=1449725734; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=WTsondjuOvxe5DOk60skn/H4XvwTLuePLuDCkKxSsHk=; b=B00EkQlhs2TuFIOoBSGQPKBgsu1QPbao6Vbfa9YkiCClJDy81SRB62V4 12u2S4tLSwqmxGGCvgnleYagYYkdPrvXptC2zMEdCGN7Ldox8XwoqCo4x Vg0WoOAH+qpdxwUk42YsUCDNpxAed5qfh/4MGy5gB4ruQITV1mypojQUr M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ApAgAhmVZW/4QNJK1egm5NU28GvhwBDYFkIYVuAoFAOBQBAQEBAQEBgQqENAEBAQRuCxACAQgOAwMBAigHIREUCQgCBA4FiBkDEg25SA2EYwEBAQEBAQEDAQEBAQEBAQEBARUEhlSEfoJTgigNhDEFjVuFFINoAYUnhheBdoFchEGDJoYShTODZINxAR8BAUKEBHKEWYEHAQEB
X-IronPort-AV: E=Sophos; i="5.20,345,1444694400"; d="scan'208,217"; a="50319702"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 26 Nov 2015 05:35:32 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by alln-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id tAQ5ZWWm032702 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 26 Nov 2015 05:35:32 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 25 Nov 2015 23:35:32 -0600
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1104.000; Wed, 25 Nov 2015 23:35:32 -0600
From: "Rajeev G Nair (rajeenai)" <rajeenai@cisco.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Subject: Re: Request for WG adoption of draft-mahesh-bfd-authentication
Thread-Topic: Request for WG adoption of draft-mahesh-bfd-authentication
Thread-Index: AQHRI4t1BhxwWi4DrkqzzQbDKMhgLp6sDquAgAFeBgCAAEMzgA==
Date: Thu, 26 Nov 2015 05:35:31 +0000
Message-ID: <D27BD707.106066%rajeenai@cisco.com>
References: <D2747638.109021%rrahman@cisco.com> <D27A74CD.10520C%rajeenai@cisco.com> <ED7433C2-8198-4D82-87BF-4F4FEA94080A@gmail.com>
In-Reply-To: <ED7433C2-8198-4D82-87BF-4F4FEA94080A@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.2.150604
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.92.9]
Content-Type: multipart/alternative; boundary="_000_D27BD707106066rajeenaiciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtg-bfd/zp_ZjPkmOjliEMoM9uKFfJAil4s>
Cc: "Reshad Rahman (rrahman)" <rrahman@cisco.com>, "draft-mahesh-bfd-authentication@ietf.org" <draft-mahesh-bfd-authentication@ietf.org>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 05:35:38 -0000

Pls see tagged Rajeev>

thanks
~Rajeev

From: Mahesh Jethanandani <mjethanandani@gmail.com<mailto:mjethanandani@gmail.com>>
Date: Wednesday, November 25, 2015 at 9:34 AM
To: Rajeev Nair <rajeenai@cisco.com<mailto:rajeenai@cisco.com>>
Cc: "Reshad Rahman (rrahman)" <rrahman@cisco.com<mailto:rrahman@cisco.com>>, "rtg-bfd@ietf.org<mailto:rtg-bfd@ietf.org>" <rtg-bfd@ietf.org<mailto:rtg-bfd@ietf.org>>, "draft-mahesh-bfd-authentication@ietf.org<mailto:draft-mahesh-bfd-authentication@ietf.org>" <draft-mahesh-bfd-authentication@ietf.org<mailto:draft-mahesh-bfd-authentication@ietf.org>>
Subject: Re: Request for WG adoption of draft-mahesh-bfd-authentication

Rajeev,

See comments inline.

On Nov 24, 2015, at 8:42 PM, Rajeev G Nair (rajeenai) <rajeenai@cisco.com<mailto:rajeenai@cisco.com>> wrote:

Jeff & Reshad,

 Read through the document. Interesting concept.

Here is my understanding:-
 1) Current scheme. Both switches are configured to use same auth. Currently, no packets will be accepted unless all received pkts match with configured auth.
 2) Proposal is to come up with a scheme to authenticate only a subset of packets (those signaling a state change as mentioned).

Questions:-
Q1) Doesn't acceptance of non-auth packets dictates state of the session (e.g. Keep it still up UP) ?

There are a few aspects of the proposal that mitigate such a situation. The scenario you are describing is that the session has actually gone down but non-auth packets keep it up.


- The authenticated packet that brings the session down would have to be trapped and dropped by MiM.

Rajeev> What happens when the router indeed got disconnected from each other(a legitimate failure BFD is supposed to detect), but MiM can talk to both ? I think here you are assuming they can always talk.

- The sequence number of the subsequent UP packets would have to correspond to the next expected sequence number.
- The occasional authentication of three UP packet would have to pass the test by MiM.


Q2) These non-auth packets are not protected from MiM attacks, right?

See above.


Q3) Doesn't mixing authenticated & non-authenticated packed make proposed scheme equivalent to non-authenticated mode ? I mean, unless every packet is authenticated, isn't benefit of bfd-auth nullified ?

Not really. The whole idea behind the proposal is that state transitions are significant in BFD, come at a slower interval and should be authenticated. Most other packets are liveliness check packets, and their authentication is not significant. They come at a fast interval (the defined interval), inundate the authentication capability of the system, but do not affect the state of the session, other than when they are dropped. Intentional or unintentional dropping of packets indicates a problem, but their authentication does not convey any more information.

Rajeev > IMO, liveliness pkts are as important as other packet.

Even if MiM was to take over a session, it can at best replay a few of the UP packets till it hits the next set of occasional authenticated UP packet or it hits a authenticated state transition packet. At that point it gets exposed.

Rajeev > Again, this approach breaks BFD failure detection interval guarantee. MiM can theoretically delay the failure detection.

Preserving the authentication system for state transition packet and occasional UP packets allows one to scale not only the number of BFD sessions, but also allows us to introduce a stronger form of authentication.

Rajeev > I completely understand, this may relieve CPU burden. What I am worried about the effectiveness of authentication. To me, if requirement for authentication is relaxed for a subset of packets, BFD session itself is not authenticated. I am not saying there are no use cases for this, but draft needs to call it out.



thanks
~Rajeev

From: Rtg-bfd <rtg-bfd-bounces@ietf.org<mailto:rtg-bfd-bounces@ietf.org>> on behalf of "Reshad Rahman (rrahman)" <rrahman@cisco.com<mailto:rrahman@cisco.com>>
Date: Friday, November 20, 2015 at 4:03 AM
To: "rtg-bfd@ietf.org<mailto:rtg-bfd@ietf.org>" <rtg-bfd@ietf.org<mailto:rtg-bfd@ietf.org>>, "draft-mahesh-bfd-authentication@ietf.org<mailto:draft-mahesh-bfd-authentication@ietf.org>" <draft-mahesh-bfd-authentication@ietf.org<mailto:draft-mahesh-bfd-authentication@ietf.org>>
Subject: Request for WG adoption of draft-mahesh-bfd-authentication

BFD WG members,

Please indicate to the WG mailing list whether you would support or not support BFD WG adoption of the following document.

https://datatracker.ietf.org/doc/draft-mahesh-bfd-authentication/

Authors, as was mentioned at IETF94, you should get your proposal reviewed by the security group.

Regards,
Jeff & Reshad.

Mahesh Jethanandani
mjethanandani@gmail.com<mailto:mjethanandani@gmail.com>

v2.23.0 | Report a Bug | By Email