On Jan 17, 2024, at 11:13 AM, Jeffrey Haas <[email protected]> wrote:
> I'd recommend this specific text be dropped from the secure sequence number 
> document.  The expected procedure for doing the periodic stronger 
> authentication is part of the optimizing BFD text.

  Sure.  My concern is that this document should define how to use ISAAC in 
that process.

> The test present currently in draft-ietf-bfd-optimizing-authentication-13 is:
> 
> "Most packets transmitted on a BFD session are BFD UP packets. Authenticating 
> a small subset of these packets, for example, a detect multiplier number of 
> packets per configured interval, significantly reduces the computational 
> demand for the system while maintaining security of the session across the 
> configured interval. A minimum of Detect Multiplier packets MUST be 
> transmitted per configured interval. This ensures that the BFD session should 
> see at least one authenticated packet during that interval."
> 
> If you must have anything in the secure-sequence draft, I suggest no more 
> than:
> 
> "It is RECOMMENDED that implementations periodically use a strong Auth Type 
> for packets which maintain the session in an Up state.  See [optimizing-bfd] 
> for appropriate procedures."
> 
> Any tweaks to the procedure can be discussed in the context of that document, 
> which will handle not only secure-sequence, but NULL and future options.

  OK.

  Perhaps then this text, which both refers to the other draft and also
says how such a switch impacts ISAAC.

      <t>It is RECOMMENDED that implementations periodically use a
      strong Auth Type for packets which maintain the session in an Up
      state.  See <xref
      target="I-D.ietf-bfd-optimizing-authentication">BFD
      Authentication</xref> for appropriate procedures.</t>

      <t>The nature of the Meticulous Keyed ISAAC method means that
      there is no issue with this switch, so long as it is for a small
      number of packets.  From the point of view of the Meticulous
      Keyed ISAAC state machine, this switch can be handled similarly
      to a lost packet.  The state machine simply notices that instead
      of Sequence Number value being one more than the last value used
      for ISAAC, it is larger by two.  The ISAAC state machine then
      calculates the index into the current "page", and uses the found
      number to validate (or send) the Auth Key.</t>
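A worked model of the gap handling described in the proposed text, as an added example that is not code from the draft, the thread, or any BFD implementation. It assumes a page of 256 32-bit values indexed by the sequence number modulo 256, a constructed tolerance window, and uses HMAC-SHA256 in counter mode as a labelled stand-in for the ISAAC generator:

```python
import hmac
import hashlib
import struct

PAGE_SIZE = 256            # assumption: a "page" is 256 32-bit values
MAX_GAP = 2 * PAGE_SIZE    # constructed tolerance for lost or strong-auth packets
SEQ_MASK = 0xFFFFFFFF      # the BFD Sequence Number is a 32-bit field

def make_page(key: bytes, page_no: int) -> list:
    """Derive one page of 256 32-bit values from the key and page number.

    Constructed stand-in for ISAAC output (HMAC-SHA256 counter mode). The real
    method runs the ISAAC generator seeded from the shared key instead."""
    values = []
    for ctr in range(0, PAGE_SIZE, 8):            # 8 x 32-bit words per digest
        blk = hmac.new(key, struct.pack(">II", page_no, ctr), hashlib.sha256).digest()
        values.extend(struct.unpack(">8I", blk))
    return values

class MeticulousKeyedState:
    """Tracks the last sequence number used for the keyed method and the
    current page, for either the sending or the receiving side."""

    def __init__(self, key: bytes, first_seq: int):
        self.key = key
        self.last_seq = (first_seq - 1) & SEQ_MASK
        self.page_no = None
        self.page = []

    def auth_value(self, seq: int) -> int:
        """Value indexed by seq; regenerate the page when seq moves to a new one."""
        page_no, index = divmod(seq & SEQ_MASK, PAGE_SIZE)
        if page_no != self.page_no:
            self.page_no, self.page = page_no, make_page(self.key, page_no)
        return self.page[index]

    def validate(self, seq: int, received: int) -> bool:
        """Receiver side: a gap of 1 is the normal case; a gap of 2 means one
        packet was lost or carried a strong Auth Type. Both are handled the
        same way, by indexing the page with the received sequence number."""
        gap = (seq - self.last_seq) & SEQ_MASK
        if gap < 1 or gap > MAX_GAP:
            return False               # replay, reorder, or too far ahead
        expected = struct.pack(">I", self.auth_value(seq))
        if not hmac.compare_digest(expected, struct.pack(">I", received & SEQ_MASK)):
            return False
        self.last_seq = seq & SEQ_MASK
        return True
```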
