[secdir] Re: Secdir early review of draft-ietf-bfd-stability-13
Reshad Rahman <reshad@yahoo.com> Thu, 13 June 2024 15:46 UTC
To: Christian Huitema <huitema@huitema.net>, Jeffrey Haas <jhaas@pfrc.org>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-bfd-stability.all@ietf.org" <draft-ietf-bfd-stability.all@ietf.org>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/o7OzQHmSqew_P8LqH1MV0dGU2PU>
Chiming in late. Inline.
On Monday, June 10, 2024, 12:22:13 PM EDT, Jeffrey Haas <jhaas@pfrc.org> wrote:
> Christian,
> Thanks for your review. Some of my comments will overlap those from Alan.
> On Fri, Jun 07, 2024 at 09:54:57PM -0700, Christian Huitema via Datatracker wrote:
> > The authentication sequence number is a 32 bit field. Such numbers can roll
> > over, either after a long duration session or due to a packet injection attack.
> As Alan points out, normal rollover is something we're usually unbothered by
> in the existing authentication algorithms.
> The point you have here is far more about the underlying issue for the null
> authentication procedures:
> > There is some text about that in the description of the NULL authentication. It
> > says:
> >
> > If bfd.AuthSeqKnown is 1, and the received Sequence Number field is
> > not equal to bfd.RcvAuthSeq + 1 (in a circular number space), then
> > the loss count is incremented by one and bfd.RcvAuthSeq is set to the
> > received Sequence Number.
> >
> > That does not look quite right. Suppose that due to out of order delivery, the
> > packets are received in order 1-3-2-4. Upon reception of packet 3, the
> > algorithm counts one loss and set the next expected value to 4. After packet 2,
> > another loss and expected value to 3. After packet 4, another loss and expected
> > value to 5. So, three losses when none actually occurred.
> Agreed. We do mention this here:
> : Implementations MAY provide mechanisms wherein all expected packets received
> : across an expected interval but delivered out of order are not considered
> : lost packets.
> We indeed discussed the option about how to avoid some of these out of order
> issues as part of active attacks vs. BFD sessions with NULL authentication.
> The conclusion from that thread is we simply CANNOT leverage the sequence
> numbers for purposes of "do we pass the authentication checks". As you note
> here:
<RR> Was there any consideration to change the procedure to increment the loss count so that if we get 1-3-2-4, we increment loss count when we receive 3 (2 is deemed lost) but not when we receive 2 (2 < 3 so that means out of order). Also when we receive 2, since 2 < 3 (OOO) if we don't update bfd.RcvAuthSeq, then when we receive 4 we won't increment loss count. So it'd be counted as 1 loss.
Regards,
Reshad.
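The two loss-counting rules discussed in this thread, run side by side on the 1-3-2-4 arrival order and on a 32-bit rollover, as an added example that is not part of the original messages, the draft, or any BFD implementation. `DraftLossCounter` is a literal reading of the quoted NULL-authentication text; `ReorderAwareLossCounter` is the variant suggested in the reply above (a packet behind bfd.RcvAuthSeq is out of order, not a loss, and does not move bfd.RcvAuthSeq). The initialisation step (the first packet seeds bfd.RcvAuthSeq and sets bfd.AuthSeqKnown) and all class and function names are assumptions of this example.

```python
"""Loss counting over BFD NULL-authentication sequence numbers (illustration).

Constructed example. Neither class is code from draft-ietf-bfd-stability or
from a BFD implementation; the seeding of bfd.RcvAuthSeq from the first packet
is an assumption made here so the counters can run stand-alone.
"""

SEQ_MOD = 1 << 32   # Sequence Number is a 32-bit field
HALF = 1 << 31


def seq_delta(received: int, last_accepted: int) -> int:
    """Signed distance from last_accepted to received in circular 32-bit space.

    Positive means 'ahead', negative means 'behind'; a jump of exactly 1 is the
    in-order case. 0xFFFFFFFF -> 0x00000000 therefore yields 1, not -4294967295.
    """
    d = (received - last_accepted) % SEQ_MOD
    return d - SEQ_MOD if d >= HALF else d


class DraftLossCounter:
    """Literal reading of the quoted text: anything other than RcvAuthSeq + 1
    is one loss, and RcvAuthSeq always moves to the received value."""

    def __init__(self) -> None:
        self.auth_seq_known = False   # bfd.AuthSeqKnown
        self.rcv_auth_seq = 0         # bfd.RcvAuthSeq
        self.loss_count = 0

    def receive(self, seq: int) -> None:
        seq %= SEQ_MOD
        if not self.auth_seq_known:
            # Assumption: the first packet seeds the state.
            self.auth_seq_known = True
            self.rcv_auth_seq = seq
            return
        if seq != (self.rcv_auth_seq + 1) % SEQ_MOD:
            self.loss_count += 1        # "incremented by one", regardless of gap size
        self.rcv_auth_seq = seq         # always reset to the received number


class ReorderAwareLossCounter(DraftLossCounter):
    """Variant from the reply: a packet behind RcvAuthSeq is out of order."""

    def receive(self, seq: int) -> None:
        seq %= SEQ_MOD
        if not self.auth_seq_known:
            self.auth_seq_known = True
            self.rcv_auth_seq = seq
            return
        delta = seq_delta(seq, self.rcv_auth_seq)
        if delta <= 0:
            return                      # late or duplicate packet: leave state alone
        if delta > 1:
            self.loss_count += 1        # gap ahead of us: one loss, as the draft counts it
        self.rcv_auth_seq = seq


def count_losses(counter_cls, arrivals) -> int:
    """Feed an arrival order (constructed input) to a counter, return its loss count."""
    counter = counter_cls()
    for seq in arrivals:
        counter.receive(seq)
    return counter.loss_count


if __name__ == "__main__":
    reordered = [1, 3, 2, 4]                      # out-of-order delivery, nothing lost
    wrap = [0xFFFFFFFE, 0xFFFFFFFF, 0, 1]         # rollover, nothing lost
    real_loss = [1, 2, 4, 5]                      # packet 3 genuinely missing
    for name, arrivals in [("1-3-2-4", reordered), ("rollover", wrap), ("1-2-4-5", real_loss)]:
        print(f"{name}: draft rule -> {count_losses(DraftLossCounter, arrivals)} loss(es), "
              f"reorder-aware -> {count_losses(ReorderAwareLossCounter, arrivals)} loss(es)")
```

Both counters only tally losses; neither gates acceptance of a packet, which matches the thread's conclusion that the sequence number cannot serve as an authentication check under NULL authentication. Two caveats worth keeping in mind when reading the numbers: the quoted text adds one to the loss count per gap, not per missing packet, so a burst of several lost packets reads as a single loss under either rule; and a single injected packet far ahead in the number space moves bfd.RcvAuthSeq in both variants, after which the genuine next packets look "behind" to the reorder-aware rule (and are not counted) or each register as a loss under the literal rule.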