Re: [RTG-DIR] RtgDir review: draft-ietf-bfd-multipoint-active-tail-08.txt

Jeffrey Haas <> Mon, 18 June 2018 20:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8F61D1277BB; Mon, 18 Jun 2018 13:47:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 59UHPfhY4qyU; Mon, 18 Jun 2018 13:47:48 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6E65E130E63; Mon, 18 Jun 2018 13:47:48 -0700 (PDT)
Received: by (Postfix, from userid 1001) id 05AA21E3D0; Mon, 18 Jun 2018 16:47:44 -0400 (EDT)
Date: Mon, 18 Jun 2018 16:47:44 -0400
From: Jeffrey Haas <>
To: Stig Venaas <>
Cc: Greg Mirsky <>, "<>" <>,,,
Message-ID: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <>
Subject: Re: [RTG-DIR] RtgDir review: draft-ietf-bfd-multipoint-active-tail-08.txt
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Routing Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Jun 2018 20:47:51 -0000


On Mon, Jun 18, 2018 at 11:58:21AM -0700, Stig Venaas wrote:
> >> It should perhaps be emphasized that BFD authentication
> >> mechanisms are important?
> >
> > GIM>>  Per Bob Briscoe suggestions, in Section 6 of
> > draft-ietf-bfd-multipoint stated:
> >    Shared keys in multipoint scenarios allow any tail to spoof the head
> >    from the viewpoint of any other tail.  For this reason, using shared
> >    keys to authenticate BFD Control packets in multipoint scenarios is a
> >    significant security exposure unless all tails can be trusted not to
> >    spoof the head.  Otherwise, asymmetric message authentication would
> >    be needed, e.g., protocols that use Timed Efficient Stream Loss-
> >    Tolerant Authentication (TESLA) as described in [RFC4082].
> I agree there are issues with shared keys, but it might still be
> better than no key.
> Asymmetric authentication would be ideal.

Keys are better than no key, but given that the life of the keys may be
long, there's still potential concern.

Based on my brief reading of TESLA, it's likely not suited in its exact form
for BFD since it may involve buffering some number of packets.  However,
given that BFD supports non-meticulous increasing sequence number mode, it's
possible that the sequence number could be adapted for similar purpose as
the loosely coupled clocks.

However, I believe the need for additional bootstrapping would require new
procedures around setup of the BFD sessions.  This would be new work.

> >> Also perhaps have some rate
> >> limiting in clients in case the head polls at an unreasonably high rate?
> I think it could be useful to have an option where tails only respond
> to authenticated polls, and also some kind of rate limiting, but I
> leave it to you and the IESG to consider that. I guess the security
> considerations in the main multipoint draft will be expanded as well.
> The main thing in this draft I would think, is that the tail responses
> may open up some potential attack vectors.

It is worth considering that the BFD group already has work chartered for
occasional authentication, albeit for different scenarios.  This isn't
completely suited for multipoint, but may serve as the basis for future

-- Jeff