> On Mar 24, 2017, at 1:33 PM, Reshad Rahman (rrahman) <[email protected]> wrote:
>
> Hi Mahesh,
>
> Couple of questions/comments:
>
> 1) I thought the secure sequence number was needed for the NULL Auth TLV
> in the optimizing-authentication draft (to make NULL Auth TLV more secure
> as per comments from security folks). I guess it could be used with full
> authentication also. So I don't understand how secure sequence number can
> be used "standalone" as seems to be implied by your cost/benefit table
> below.
Sequence number obfuscation is not a replacement for optimized or full authentication. On a spectrum from no authentication to full authentication, I view obfuscation of sequence numbers, deployed by itself, somewhere in the middle to prevent a MITM attack. It does not prevent the packet from being modified, but the session cannot be taken over by MITM, therefore the medium benefit. Its true benefit, however, comes from it being used in optimized authentication. I do not see a particular advantage when full authentication is done.

> 2) Section 2 mentions "If the two ends have not previously negotiated
> which frames they will transmit or receive with authentication enabled,
> then the BFD session will fail to come up, because at least one end will
> expect every frame to be authenticated." How is this negotiation done? Or
> is this done via configuration aka outside the scope of this document?

That is correct.

Mahesh Jethanandani
[email protected]

>
> Regards,
> Reshad.
>
> On 2017-03-22, 9:57 PM, "Rtg-bfd on behalf of Mahesh Jethanandani"
> <[email protected] on behalf of [email protected]> wrote:
>
>>
>>> On Mar 22, 2017, at 12:35 PM, Jeffrey Haas <[email protected]> wrote:
>>>
>>> This update is scheduled to be discussed at the upcoming session at IETF-98
>>> in Chicago.
>>>
>>> The likely discussion is whether the new draft from Sonal should be
>>> specifically tied to the advancement of the optimization draft. Our prior
>>> discussion with Alan had suggested some concern about the sequence number
>>> issues when we're using NULL authentication.
>>>
>>> I suspect some good discussion will happen on this topic at the upcoming
>>> session and encourage the members of the Working Group to read both drafts
>>> in preparation.
>>
>> Yes, it would be helpful to read both the drafts in preparation for the
>> discussion.
>>
>> Optimized authentication is not a substitute for sequence number
>> obfuscation draft, and vice-versa.
>> They offer different levels of cost/benefit, where
>>
>> Draft                        Cost    Benefit
>> =====                        ====    =======
>> sequence number obfuscation  Low     Medium (does not authenticate the complete packet)
>> optimized authentication     Medium  High (authenticates entire "state change" packets)
>> full authentication          High    High (authenticates all packets)
>>
>>>
>>> -- Jeff
>>>
>>>> On Jan 3, 2017, at 4:37 PM, [email protected] wrote:
>>>>
>>>>
>>>> A new version of I-D, draft-ietf-bfd-optimizing-authentication-02.txt
>>>> has been successfully submitted by Mahesh Jethanandani and posted to the
>>>> IETF repository.
>>>>
>>>> Name:          draft-ietf-bfd-optimizing-authentication
>>>> Revision:      02
>>>> Title:         Optimizing BFD Authentication
>>>> Document date: 2017-01-05
>>>> Group:         bfd
>>>> Pages:         8
>>>> URL:      https://www.ietf.org/internet-drafts/draft-ietf-bfd-optimizing-authentication-02.txt
>>>> Status:   https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/
>>>> Htmlized: https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-02
>>>> Diff:     https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-optimizing-authentication-02
>>>>
>>>> Abstract:
>>>>    This document describes an optimization to BFD Authentication as
>>>>    described in Section 6.7 of BFD [RFC5880].
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> The IETF Secretariat
>
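The three rows of the cost/benefit table quoted above, and Mahesh's point that obfuscation alone stops a session takeover but not a modified packet, can be seen in a small simulation. The following is an added example written for this page; it is not code from the thread, from either draft, or from any BFD implementation. The packet layout follows RFC 5880 (mandatory section plus the Meticulous Keyed SHA1 section). Everything else is an assumption made for the example: the NULL Auth TLV is modelled as Auth Type 0 with Auth Len 8, the obfuscation function is a keyed PRF of the plain counter (a stand-in, not the mechanism of the sequence-number draft), the window of three acceptable counters, and the key and secret values are constructed.

```python
"""Toy receiver for the three rows of the cost/benefit table above.
Packet layout follows RFC 5880. Assumptions made for this example only:
the NULL Auth TLV is Auth Type 0 with Auth Len 8, and sequence-number
obfuscation is a keyed PRF of the plain counter (not the mechanism of
any draft)."""
import hashlib
import hmac
import struct

STATE_DOWN, STATE_UP = 1, 3
AUTH_NULL, AUTH_MET_SHA1 = 0, 5         # assumed NULL Auth TLV type; RFC 5880 Meticulous Keyed SHA1
HDR = ">BBBBIIIII"                      # 24-byte mandatory section
FLAG_POLL, FLAG_FINAL, FLAG_AUTH = 0x20, 0x10, 0x04
SEQ_WINDOW = 3                          # the next three counter values are acceptable


def next_seq(counter, secret):
    """Wire sequence number for plain counter `counter`: the counter itself without a
    secret (RFC 5880), otherwise an assumed keyed PRF so that a MITM who sees packet
    n cannot predict the value the receiver will accept for n+1."""
    if secret is None:
        return counter & 0xFFFFFFFF
    mac = hmac.new(secret, struct.pack(">I", counter), hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


def build_packet(state, my_disc, your_disc, seq, key=None, poll=False, detect_mult=3):
    """BFD Control packet carrying a NULL Auth TLV (no key) or Meticulous Keyed SHA1 (key)."""
    flags = (state << 6) | FLAG_AUTH | (FLAG_POLL if poll else 0)
    auth_type, auth_len = (AUTH_NULL, 8) if key is None else (AUTH_MET_SHA1, 28)
    pkt = struct.pack(HDR, 0x20, flags, detect_mult, 24 + auth_len,
                      my_disc, your_disc, 1_000_000, 1_000_000, 0)
    pkt += struct.pack(">BBBBI", auth_type, auth_len, 0 if key is None else 1, 0, seq)
    if key is not None:
        # RFC 5880 6.7.4: SHA1 over the packet with the zero-padded key in the digest field
        pkt += hashlib.sha1(pkt + key.ljust(20, b"\0")).digest()
    return pkt


class Receiver:
    """One end of an Up session. mode: 'obfuscation', 'optimized' or 'full'."""

    def __init__(self, mode, key, secret):
        self.mode, self.key, self.secret = mode, key, secret
        self.state, self.counter = STATE_UP, 0

    def _digest_ok(self, pkt):
        if self.key is None or len(pkt) != 24 + 28:
            return False
        expect = hashlib.sha1(pkt[:-20] + self.key.ljust(20, b"\0")).digest()
        return hmac.compare_digest(pkt[-20:], expect)

    def accept(self, pkt):
        """Return (accepted, reason); on success adopt the packet's state and counter."""
        if len(pkt) < 32:
            return False, "too short"
        _, flags, _, length, *_ = struct.unpack(HDR, pkt[:24])
        auth_type, _, _, _, seq = struct.unpack(">BBBBI", pkt[24:32])
        if length != len(pkt) or not flags & FLAG_AUTH:
            return False, "malformed or no authentication section"
        state = flags >> 6
        state_change = state != self.state or bool(flags & (FLAG_POLL | FLAG_FINAL))
        # Full auth: every packet keyed. Optimized: only state-change packets keyed.
        if self.mode == "full" or (self.mode == "optimized" and state_change):
            if auth_type != AUTH_MET_SHA1 or not self._digest_ok(pkt):
                return False, "keyed authentication required but missing or invalid"
        elif auth_type == AUTH_MET_SHA1 and not self._digest_ok(pkt):
            return False, "bad digest"
        # The sequence check is what the NULL Auth TLV buys: it runs on every packet.
        window = {next_seq(self.counter + i, self.secret): self.counter + i
                  for i in range(1, SEQ_WINDOW + 1)}
        if seq not in window:
            return False, "sequence number outside the expected window"
        self.counter, self.state = window[seq], state
        return True, "ok"


KEY, SECRET = b"bfd-shared-key", b"seq-secret"   # constructed values for the example


def run_demo():
    """Four packets against each mode; True means the receiver accepted the packet."""
    results = {}
    for mode, key, secret in (("obfuscation", None, SECRET),
                              ("optimized", KEY, SECRET),
                              ("full", KEY, None)):
        fresh = lambda: Receiver(mode, key, secret)
        up_key = key if mode == "full" else None     # steady-state Up is keyed only under full auth
        legit = build_packet(STATE_UP, 0x11, 0x22, next_seq(1, secret), up_key)
        tampered = bytearray(legit)
        tampered[2] = 1                               # MITM rewrites Detect Mult, keeps the sequence number
        results[mode] = {
            "peer_up": fresh().accept(legit)[0],
            "mitm_modified_up": fresh().accept(bytes(tampered))[0],
            # outsider without key or secret tries to tear the session down (guesses counter 2)
            "attacker_down": fresh().accept(build_packet(STATE_DOWN, 0x33, 0x22, 2))[0],
            # the real peer signals Down, keyed wherever a key is configured
            "peer_down": fresh().accept(build_packet(STATE_DOWN, 0x11, 0x22, next_seq(1, secret), key))[0],
        }
    return results


if __name__ == "__main__":
    for mode, outcome in run_demo().items():
        print(mode, outcome)
```

Running it gives the table in executable form: under obfuscation only and under optimized authentication the tampered steady-state Up packet is accepted (the packet was modified, the medium benefit), while the attacker's Down packet is rejected in every mode, so the session cannot be taken over; only full authentication also rejects the modified packet, at the cost of a keyed digest on every frame.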
