Thanks Mahesh. Then should the sequence number obfuscation be part of the optimizing-authentication draft? If we keep them as 2 separate documents, then the optimizing-authentication draft should refer to the sequence number draft and basically the 2 docs would be tied together?
Regards,
Reshad.

On 2017-03-25, 12:10 PM, "Rtg-bfd on behalf of Mahesh Jethanandani" <[email protected] on behalf of [email protected]> wrote:

>
>> On Mar 24, 2017, at 1:33 PM, Reshad Rahman (rrahman) <[email protected]> wrote:
>>
>> Hi Mahesh,
>>
>> Couple of questions/comments:
>>
>> 1) I thought the secure sequence number was needed for the NULL Auth TLV
>> in the optimizing-authentication draft (to make NULL Auth TLV more secure
>> as per comments from security folks). I guess it could be used with full
>> authentication also. So I don't understand how secure sequence number can
>> be used "standalone" as seems to be implied by your cost/benefit table
>> below.
>
> Sequence number obfuscation is not a replacement for optimized or full
> authentication. On a spectrum from no authentication to full
> authentication, I view obfuscation of sequence numbers, deployed by
> itself, somewhere in the middle to prevent a MITM attack. It does not
> prevent the packet from being modified, but the session cannot be taken
> over by MITM, therefore the medium benefit.
>
> Its true benefit, however, comes from it being used in optimized
> authentication. I do not see a particular advantage when full
> authentication is done.
>
>> 2) Section 2 mentions "If the two ends have not previously negotiated
>> which frames they will transmit or receive with authentication enabled,
>> then the BFD session will fail to come up, because at least one end will
>> expect every frame to be authenticated." How is this negotiation done? Or
>> is this done via configuration aka outside the scope of this document?
>
> That is correct.
>
> Mahesh Jethanandani
> [email protected]
>>
>>
>> Regards,
>> Reshad.
>>
>> On 2017-03-22, 9:57 PM, "Rtg-bfd on behalf of Mahesh Jethanandani" <[email protected] on behalf of [email protected]> wrote:
>>
>>>
>>>> On Mar 22, 2017, at 12:35 PM, Jeffrey Haas <[email protected]> wrote:
>>>>
>>>> This update is scheduled to be discussed at the upcoming session at IETF-98
>>>> in Chicago.
>>>>
>>>> The likely discussion is whether the new draft from Sonal should be
>>>> specifically tied to the advancement of the optimization draft. Our prior
>>>> discussion with Alan had suggested some concern about the sequence number
>>>> issues when we're using NULL authentication.
>>>>
>>>> I suspect some good discussion will happen on this topic at the upcoming
>>>> session and encourage the members of the Working Group to read both drafts
>>>> in preparation.
>>>
>>> Yes, it would be helpful to read both the drafts in preparation for the
>>> discussion.
>>>
>>> Optimized authentication is not a substitute for sequence number
>>> obfuscation draft, and vice-versa. They offer different levels of
>>> cost/benefit, where
>>>
>>> Draft                        Cost    Benefit
>>> =====                        ====    =======
>>> sequence number obfuscation  Low     Medium (does not authenticate the complete packet)
>>> optimized authentication     Medium  High (authenticates entire "state change" packets)
>>> full authentication          High    High (authenticates all packets)
>>>
>>>>
>>>> -- Jeff
>>>>
>>>>> On Jan 3, 2017, at 4:37 PM, [email protected] wrote:
>>>>>
>>>>>
>>>>> A new version of I-D, draft-ietf-bfd-optimizing-authentication-02.txt
>>>>> has been successfully submitted by Mahesh Jethanandani and posted to the
>>>>> IETF repository.
>>>>>
>>>>> Name:           draft-ietf-bfd-optimizing-authentication
>>>>> Revision:       02
>>>>> Title:          Optimizing BFD Authentication
>>>>> Document date:  2017-01-05
>>>>> Group:          bfd
>>>>> Pages:          8
>>>>> URL:            https://www.ietf.org/internet-drafts/draft-ietf-bfd-optimizing-authentication-02.txt
>>>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/
>>>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-02
>>>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-optimizing-authentication-02
>>>>>
>>>>> Abstract:
>>>>>    This document describes an optimization to BFD Authentication as
>>>>>    described in Section 6.7 of BFD [RFC5880].
>>>>>
>>>>>
>>>>> Please note that it may take a couple of minutes from the time of submission
>>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>>
>>>>> The IETF Secretariat
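The exchange above makes a specific claim about where sequence number obfuscation sits on the spectrum: used by itself it keeps an on-path attacker from taking over a BFD session by injecting a packet with the next sequence number, but it does nothing to stop a legitimate packet from being modified in transit. The toy model below is an added illustration of that split and is not code from the thread or from either draft. It applies an RFC 5880-style acceptance window of 3*DetectMult to the received sequence number, first with plain sequence numbers and then with a keyed mapping. The keyed mapping (an HMAC over the logical sequence number), the DETECT_MULT value, the shared KEY, the Sender/Receiver classes and the inject_after helper are all assumptions made for this example; they are not the mechanism of the sequence number draft under discussion.

```python
"""Toy model of BFD sequence-number checking with and without keyed
("obfuscated") sequence numbers.  Constructed illustration: the keyed
derivation is an assumption for the example, not any IETF draft's algorithm."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

DETECT_MULT = 3                 # bfd.DetectMult; RFC 5880 uses a 3*DetectMult window
KEY = b"constructed-demo-key"   # shared secret, constructed for this example


def wire_seq(key: Optional[bytes], n: int) -> int:
    """Map logical sequence number n to the value carried on the wire.

    Without a key the wire value is n itself.  With a key it is a keyed hash
    of n (assumed scheme), so an observer who sees the value for n cannot
    compute the value the peer will use for n+1."""
    if key is None:
        return n
    mac = hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


@dataclass
class Packet:
    state: str   # BFD State field, e.g. "Up" or "AdminDown"
    seq: int     # sequence number as carried on the wire


class Sender:
    """Emits packets with monotonically increasing logical sequence numbers."""

    def __init__(self, key: Optional[bytes]):
        self.key, self.n = key, 0

    def emit(self, state: str) -> Packet:
        self.n += 1
        return Packet(state, wire_seq(self.key, self.n))


class Receiver:
    """Accepts a packet only if its wire value maps to a logical sequence
    number in (n, n + 3*DetectMult]; anything else is discarded."""

    def __init__(self, key: Optional[bytes]):
        self.key, self.n, self.state = key, 0, "Up"

    def accept(self, pkt: Packet) -> bool:
        for m in range(self.n + 1, self.n + 3 * DETECT_MULT + 1):
            if wire_seq(self.key, m) == pkt.seq:
                self.n, self.state = m, pkt.state
                return True
        return False


def inject_after(observed: Packet, state: str) -> Packet:
    """Model of an on-path observer who knows only the last wire value and
    guesses that the next one is simply last+1 (true for plain numbering)."""
    return Packet(state, observed.seq + 1)


def run_scenarios() -> dict:
    """Run the three cases the thread distinguishes and return what happened."""
    results = {}

    # 1. Plain sequence numbers: the guessed packet falls inside the window,
    #    so the receiver accepts it and its session state is overwritten.
    rx, tx = Receiver(None), Sender(None)
    last = tx.emit("Up")
    rx.accept(last)
    results["plain_injection_accepted"] = rx.accept(inject_after(last, "AdminDown"))
    results["plain_state"] = rx.state

    # 2. Keyed sequence numbers: the same guess does not map to any logical
    #    number in the window, so it is discarded and the state is unchanged.
    rx, tx = Receiver(KEY), Sender(KEY)
    last = tx.emit("Up")
    rx.accept(last)
    results["keyed_injection_accepted"] = rx.accept(inject_after(last, "AdminDown"))
    results["keyed_state_after_injection"] = rx.state

    # 3. Limit of obfuscation: it authenticates nothing but the sequence value.
    #    A genuine packet whose State field is altered in transit still passes.
    tampered = tx.emit("Up")
    tampered.state = "AdminDown"
    results["keyed_tamper_accepted"] = rx.accept(tampered)
    results["keyed_state_after_tamper"] = rx.state
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Case 2 is the "medium benefit" in the cost/benefit table: the session cannot be hijacked by guessing sequence numbers. Case 3 is the parenthetical "does not authenticate the complete packet": only authentication of the packet contents (optimized for state-change packets, or full) closes that gap, which is why the thread treats the two drafts as complementary rather than interchangeable.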
