Jeff & Reshad, Read through the document. Interesting concept.
Here is my understanding:

1) Current scheme. Both switches are configured to use the same auth. Currently, no packets will be accepted unless all received pkts match the configured auth.

2) The proposal is to come up with a scheme to authenticate only a subset of packets (those signaling a state change, as mentioned).

Questions:

Q1) Doesn't acceptance of non-auth packets dictate the state of the session (e.g. keep it still UP)?

Q2) These non-auth packets are not protected from MiM attacks, right?

Q3) Doesn't mixing authenticated & non-authenticated packets make the proposed scheme equivalent to non-authenticated mode? I mean, unless every packet is authenticated, isn't the benefit of bfd-auth nullified?

thanks
~Rajeev

From: Rtg-bfd <[email protected]> on behalf of "Reshad Rahman (rrahman)" <[email protected]>
Date: Friday, November 20, 2015 at 4:03 AM
To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Request for WG adoption of draft-mahesh-bfd-authentication

BFD WG members,

Please indicate to the WG mailing list whether you would support or not support BFD WG adoption of the following document.

https://datatracker.ietf.org/doc/draft-mahesh-bfd-authentication/

Authors, as was mentioned at IETF94, you should get your proposal reviewed by the security group.

Regards,
Jeff & Reshad.
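To make the two modes compared in the message above concrete, here is an added example that is not part of the thread, the draft, or any BFD implementation. It models RFC 5880 BFD control packets with the Meticulous Keyed SHA1 authentication section (Auth Type 5, shared key zero-padded into the Auth Key/Hash field while the digest is computed), and a receiver that either verifies every packet, as RFC 5880 requires, or verifies only packets that would move its state machine. That subset rule is a simplified model of the proposal as described in the mail, not the draft's actual acceptance rules; the discriminators, key, sequence numbers and the constructed packets are assumptions for illustration.

```python
"""Model of RFC 5880 BFD control packets with Meticulous Keyed SHA1 authentication,
and a receiver that either authenticates every packet (RFC 5880 behaviour) or only
packets that would change its session state (an assumed, simplified model of the
"authenticate only state-changing packets" proposal, not the draft's text)."""
import hashlib
import hmac
import struct

ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3   # Sta values, RFC 5880 section 4.1
AUTH_METICULOUS_KEYED_SHA1 = 5            # Auth Type, RFC 5880 section 4.4
SHA1_AUTH_LEN = 28                        # type, len, key id, reserved, seq, 20-byte hash
FLAG_A = 0x04                             # "Authentication Present" bit in byte 1
MANDATORY_LEN = 24


def _padded_key(shared_key):
    # RFC 5880 6.7.4: the shared key, zero-padded to 20 bytes, occupies the
    # Auth Key/Hash field while the digest is computed, then is replaced by it
    return shared_key.ljust(20, b"\x00")[:20]


def build_packet(state, my_disc, your_disc, auth=None):
    """Serialize a BFD control packet. auth is None (A bit clear) or (key_id, seq, key)."""
    flags = (state << 6) | (FLAG_A if auth else 0)
    length = MANDATORY_LEN + (SHA1_AUTH_LEN if auth else 0)
    pkt = struct.pack("!BBBBIIIII", 1 << 5, flags, 3, length,   # Vers=1, Diag=0, DetectMult=3
                      my_disc, your_disc, 1_000_000, 1_000_000, 0)   # 1 s intervals, no echo
    if auth is None:
        return pkt
    key_id, seq, key = auth
    hdr = struct.pack("!BBBBI", AUTH_METICULOUS_KEYED_SHA1, SHA1_AUTH_LEN, key_id, 0, seq)
    return pkt + hdr + hashlib.sha1(pkt + hdr + _padded_key(key)).digest()


def verify_auth(pkt, key, last_seq):
    """Check the SHA1 auth section. Returns (ok, seq); meticulous mode needs seq > last_seq."""
    if len(pkt) != MANDATORY_LEN + SHA1_AUTH_LEN or not (pkt[1] & FLAG_A):
        return False, None
    auth_type, auth_len, _key_id, _res, seq = struct.unpack("!BBBBI", pkt[24:32])
    if auth_type != AUTH_METICULOUS_KEYED_SHA1 or auth_len != SHA1_AUTH_LEN:
        return False, None
    if last_seq is not None and seq <= last_seq:
        return False, None                # replayed or stale sequence number
    expected = hashlib.sha1(pkt[:32] + _padded_key(key)).digest()
    return hmac.compare_digest(expected, pkt[32:]), seq


def next_state(local, remote):
    """RFC 5880 6.8.6 transitions driven by the remote Sta field."""
    if remote == ADMIN_DOWN:
        return local if local == ADMIN_DOWN else DOWN
    if local == DOWN:
        return INIT if remote == DOWN else UP if remote == INIT else DOWN
    if local == INIT:
        return UP if remote in (INIT, UP) else INIT
    if local == UP:
        return DOWN if remote == DOWN else UP
    return local


class Receiver:
    def __init__(self, key, auth_all):
        self.key, self.auth_all = key, auth_all   # auth_all=True is plain RFC 5880 behaviour
        self.state, self.last_seq = DOWN, None

    def receive(self, pkt):
        """Return 'accepted' or 'dropped'; an accepted packet drives the state machine."""
        remote_state = pkt[1] >> 6
        if pkt[1] & FLAG_A:
            ok, seq = verify_auth(pkt, self.key, self.last_seq)
            if not ok:
                return "dropped"
            self.last_seq = seq
        elif self.auth_all or next_state(self.state, remote_state) != self.state:
            # unauthenticated packet: RFC 5880 mode always drops it; the subset model
            # drops it only if accepting it would change state (assumed rule)
            return "dropped"
        self.state = next_state(self.state, remote_state)
        return "accepted"


def demo(auth_all):
    """Bring one receiver Up with authenticated packets, then feed it three hostile ones."""
    key, seq = b"bfd-secret", 100                       # constructed key and sequence start
    rx = Receiver(key, auth_all)
    for st in (DOWN, INIT, UP):                          # legitimate peer's bring-up exchange
        seq += 1
        rx.receive(build_packet(st, 0x11, 0x22, auth=(1, seq, key)))
    assert rx.state == UP
    out = {}
    # 1) unauthenticated Up keep-alive from an on-path party that lacks the key
    out["unauth_up"] = rx.receive(build_packet(UP, 0x11, 0x22))
    # 2) unauthenticated Down: would change state, so it must carry valid auth
    out["unauth_down"] = rx.receive(build_packet(DOWN, 0x11, 0x22))
    # 3) authenticated Down replayed with an old sequence number
    out["replayed_down"] = rx.receive(build_packet(DOWN, 0x11, 0x22, auth=(1, seq - 1, key)))
    out["final_state"] = rx.state
    return out


if __name__ == "__main__":
    print("RFC 5880, all packets authenticated:", demo(True))
    print("subset model, state changes authenticated:", demo(False))
```

Running `demo(False)` shows the point behind Q1: in the subset model the unauthenticated Up packet is accepted and refreshes the Up session, while both modes drop the unauthenticated Down and the replayed Down. The digest comparison uses `hmac.compare_digest` so a forged digest cannot be timed byte by byte.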
