Re: [secdir] secdir review of draft-ietf-karp-bfd-analysis-06

[Sam Hartman <hartmans-ietf@mit.edu>]

My comments are prompted by Sam noting that he was hoping others would
jump in.

>>>>> "Samuel" == Samuel Weiler <weiler@watson.org> writes:


    Samuel> Summary: I'm not seeing anything that's grossly incorrect,
    Samuel> but I wonder if this doc is taking the right approach.

I'm skeptical this doc is taking the right approach, but was involved in
the KARP discussions and had an opportunity to raise comments there and
chose not to.
In general, I was not able to come up with a concrete articulation of
why I thought this document wasn't quite in the right direction.

However, on your two specific points, I think the doc is correct, so
it's probably not the case that we're in agreement about what's wrong
with the approach.


    Samuel> The security consideration section acknowledges that
    Samuel> increasing the length of the sequence number or connecting
    Samuel> the sequence numbers to clock time could reduce the risk of
    Samuel> replay attacks as, presumably, could moving to the
    Samuel> "meticulous" approaches that require an increasing sequence
    Samuel> number (and recomputation) at every packet, at the possible
    Samuel> cost of needing special hardware or having to increase the
    Samuel> time between BFD packets.  These seem like simpler fixes
    Samuel> that adding a new hash algorithm, which is what the doc
    Samuel> ultimately suggests, and I wonder if adding GMAC is really
    Samuel> needed.

There were extensive discussions of the performance arguments.
My understanding is that something like GMAC might allow performance to
be good enough to increase the sequence numbers fairly often, and that
clearly is not true with SHA-1.
There were a number of people in the KARP sessions arguing that given
the performance constraints SHA-1 was the wrong security algorithm,
myself included.


    Samuel> One thing that's not explicitly discussed, and which I would
    Samuel> like to see, is a general analysis of algorithm agility -
    Samuel> how hard is it to add a new algorithm?  The doc says that
    Samuel> BFD has no key rollover mechanism - I suspect that adding
    Samuel> that and algorithm agility are more important, in the long
    Samuel> run, than just adding a stronger hash algorithm.  (Which
    Samuel> isn't to say that we even need to improve those, just that
    Samuel> they may be more important.)

This should be discussed.
The design guide to which this is an analysis document requires those
things be discussed.
Well, in particular, the design guide requires a discussion of a gap
analysis to the KARP requirements, and the KARP requirements mention
algorithm agility and key rollover explicitly.
          
    Samuel> I'm also somewhat skeptical of the premise that BFD needs to
    Samuel> use algorithms that match the routing algorithm strength:

    Samuel>    Moving the routing protocols to a stronger algorithm
    Samuel> while using weaker algorithm for BFD would allow the
    Samuel> attacker to bring down BFD in order to bring down the
    Samuel> routing protocol.  BFD therefore needs to match the routing
    Samuel> protocols in its strength of algorithm.

    Samuel> Are the attack models of the two really aligned?  

As best I can tell, yes.
In both cases you are concerned about integrity and replay.

    Samuel> Do the
    Samuel> keying models for both suggest that one or the other could
    Samuel> cope with weaker algorithms?  Can one be more easily
    Samuel> rekeyed, thus making it easier to cope with weaker
    Samuel> algorithms?

No.
They are both annoying to re-key.
It's  likely that the IETF will pretend that both use the KARP crypto
key table for keying. (Some of the glue to actualize this has not
happened and there seems to be a lack of energy to do that glue)


Hope this helps.

--Sam