Zahed, Oddly enough, it appears that mail from ietf.org delivered one of the two copies of mail from you in a corrupted form. This message replies to the missing piece of your question:
On Tue, Apr 18, 2023 at 12:44:13PM +0000, Zaheduzzaman Sarker wrote:
> > The environment must be under reasonable operational control to satisfy the
> > scaling of the impacted system. What words would you prefer to have there
> > instead? How would those words change if you want to permit this feature to
> > be utilized when the operational environment spans multiple entities, such
> > as at an exchange point (IXP)?
>
> Calling it something else would not resolve the issue until that “something
> else” is we defined or described. I have no issue with calling it trustworthy
> when it is described well to that we can understand it, like you attribute it
> as – “The environment must be under reasonable operational control to satisfy
> the scaling of the impacted system”. I suggest we put some descriptive text
> to explain what makes the environment trustworthy.

I don't believe that it will be possible to tersely state such a thing, partially because BFD is simply one element in a deep stack of such considerations. As an example, unsecured ARP may be utilized in an IXP environment. You can do far more damage by spoofing ARP than you can in BFD. Same for discovery components like LLDP.

If you're looking for a particular term of art for such a trustworthy environment where multiple potentially semi-trustworthy parties are involved, we'll likely need to have such a thing supplied by current security practitioners.

From a general networking standpoint, some properties of such an environment seem obvious:

- The network element that can be attacked is expected to be attacked by a device one IP hop away. (See GTSM considerations in the draft.)
- Attackers must either be directly connected to the network element or on shared media with the network element, thus limiting the set of attackers.
- Layer 2 control mechanisms such as 802.1X may limit the viability of attackers to known parties.
In such circumstances, attackers in many circumstances are indistinguishable from misconfigured or misbehaving parties. When things go wrong, the IXP operator will simply chase it down. It's not like this would be the first such malfunction. Active attackers who are breaking into your racks just to mess with you imply security issues far beyond the scope of this protocol extension.

-- Jeff
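The "one IP hop away" and "directly connected" properties listed in the message above can be checked on the receiving side before an unsolicited BFD packet is ever handed to the session state machine. The following is an added illustration, not code from the thread or from any BFD implementation; the peering prefix, the header builder and the function names are assumptions for the example.

```python
import ipaddress
import struct

# Assumed for this example: the directly connected peering LAN the BFD
# packets arrive on. A real implementation takes this from the interface.
LOCAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")
GTSM_TTL = 255  # RFC 5082: a sender one hop away leaves the TTL at 255


def parse_ipv4_header(packet: bytes) -> dict:
    """Pull TTL, protocol, source and destination from a 20-byte IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ttl": ttl, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def admit_unsolicited_bfd(packet: bytes) -> tuple:
    """Apply the one-hop checks from the thread; returns (accepted, reason).

    GTSM: anything forwarded through a router has had its TTL decremented, so
    a TTL below 255 proves the sender is not on the adjacent link.
    On-link source: the source must fall inside the directly connected prefix.
    """
    hdr = parse_ipv4_header(packet)
    if hdr["ttl"] != GTSM_TTL:
        return False, "GTSM: ttl %d != %d, sender is not one hop away" % (hdr["ttl"], GTSM_TTL)
    if hdr["src"] not in LOCAL_PREFIX:
        return False, "source %s is not on the directly connected prefix" % hdr["src"]
    return True, "accepted"


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 17) -> bytes:
    """Constructed test input: a minimal IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)
```

Together these two checks narrow the set of hosts that can even reach the BFD code path to those on the shared segment, which is the population the message says an IXP operator can chase down operationally.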
