Mahesh,
> On Jan 22, 2024, at 5:15 PM, Mahesh Jethanandani <[email protected]> > wrote: > >> On Jan 19, 2024, at 4:14 PM, Mahesh Jethanandani <[email protected] >> <mailto:[email protected]>> wrote: >> At the same time, if 'secure-seq-num' is configured as ’true’, the sequence >> number is generated as defined by I-D.ietf-bfd-secure-sequence-numbers, and >> inserted into the packet. The only question I ask is, if “optimized auth” is >> enabled, and when there is a state transition, the packet is “fully” >> authenticated by selecting bfd.AuthType as one of the non-zero values (but >> not NULL-auth). Do we need to generate a secure sequence number at that >> time? Or is it easier/simpler to let it continue generating the secure >> sequence number, and not deal with “lost” packets as the session transitions >> from bfd.AuthType with a non-zero value and NULL-auth. > > Want to make sure that this is clear enough (here), and if you think text to > that effect should be added to the draft. I'm not really looking for text that says the procedure sets specific bfd variables in order to say what is going on the wire. However, what's needed is discussing that we're switching from a primary configuration for authentication with "strong" properties to a "weaker" one for the optimization. We also need to discuss that for certain "weaker" authentications, like NULL, we may need to periodically do the strong authentication to ensure we haven't been MITMed. And for that periodic strong auth check, what's the configuration element and what's the recommended time to do it? For example, a few times an hour? I suspect we'll pick a value and it'll immediately get hate mail from the security directorate no matter what so my recommendation is to pick something the authors think is reasonable and we'll iterate that conversational point in that thread. -- Jeff
