Re: [secdir] secdir review of draft-ietf-karp-bfd-analysis-06

Samuel Weiler <> Tue, 04 November 2014 15:19 UTC

Date: Tue, 04 Nov 2014 10:19:03 -0500
From: Samuel Weiler <>
To: manav bhatia <>
Subject: Re: [secdir] secdir review of draft-ietf-karp-bfd-analysis-06

[Background for secdir's benefit: Manav recently said he was waiting for a 
reply from me, as secdir reviewer, and a routing AD asked if a ball 
had been dropped.]

Keep in mind that secdir reviews are written for the benefit of 
the security ADs.  While secdir reviewers will sometimes spot glaring 
errors that we have complete confidence about, we often lack the 
expertise on a particular document to be 100% sure of the right 
answer, and we often don't have a vested interest in the outcome. 
Both of those are obvious results of choosing to randomly assign 
reviewers to documents, as secdir has done for years.  Speaking for 
myself: when I'm uncertain or mildly skeptical about something in a 
doc, I prefer to flag it anyway, hoping that those with more expertise 
and vested interest will track it down, resulting in a better product.

The review here contains two clear examples of the above uncertainty 
and, looking back now, I can pretty clearly see why I did not reply. 
First, of the four questions I raised, you responded to two with "Will 
remove this in -07" and "I agree. This should be mentioned." 
Particularly without the text for the second, there's not much to say. 
Waiting for the -07 seems called for.  The other two questions were 
about things I was skeptical about but had not been 
following enough of the discussion to be absolutely sure about.  I was 
hoping that people more swapped in on the details would discuss and 
explain.  Having the discussion be solely between the doc editor and 
me, as the (potentially) non-expert secdir reviewer with (potentially) 
no vested interest in the document, seems less than ideal.

But since that's what you seem to be waiting for, I will happily try:

Again, for two of the items, there's nothing to respond to until I see 
the -07.

In the other two cases, I am not satisfied with the discussion 
to date.

> Theoretically the two should use algorithms of similar strength.

Why?  (Explain your theory...)

> In fact one could argue that BFD needs stronger algorithm since an 
> attack on BFD can bring down all your control protocols.

Has the WG had that discussion?

>       Lastly, RFC5880 (the BFD spec) says:
>          An attacker who is in complete control of the link between the
>          systems can easily drop all BFD packets but forward everything else
>          (causing the link to be falsely declared down), or forward only the
>          BFD packets but nothing else (causing the link to be falsely
>          declared up).  This attack cannot be prevented by BFD.
>       Given that, does it make sense to go to this pain to replace MD5
>       and SHA1?
> Sure, but such attacks are outside the scope of routing protocol 
> security.

Do we have a solid definition of that scope?  (Where?)

And how vulnerable would BFD be to off-link attackers anyway?  Are we 
doing all of this work solely to defend against on-link attackers who 
have only _incomplete_ control of the link?  (It may well be a stupid 
question, but, if it is stupid, then it should at least have an easy 
answer, right?)

-- Sam