Hi Stephen, Please see inline.
Original
From: StephenFarrell <[email protected]>
To: 肖敏10093570;
Cc: [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>;
Date: October 8, 2024, 20:34
Subject: [Last-Call] Re: Secdir last call review of draft-ietf-bfd-unaffiliated-echo-11

Hiya,

On 10/8/24 08:56, [email protected] wrote:
> [XM]>>> In theory it would happen, however in the real deployment I
> doubt it would happen. Currently we have two specific use cases of
> the Unaffiliated BFD Echo, one is between RG and IP Edge (as
> described in Section 6.2.2 of BBF TR-146), another one is between DC
> Gateway and VM of Server (as described in draft-wang-bfd-one-arm-use-case).
> For the two use cases it seems difficult for a bad-device-A
> to send packets to B.

Well, if it's only "difficult" then that'd imply it's possible in some configurations and hence worth at least noting. I don't really understand the 1st example you give, but in the 2nd, if another VM (as bad-device-A) in a data centre can send to B then the attack may be realistic perhaps?

[XM]>>> In the 2nd example, device A is DC Gateway and device B is VM, so VM can't be a bad-device-A.

> Furthermore, in the security considerations
> section it says "the "Authentication Section" as defined in
> [RFC5880] for BFD Control packet is RECOMMENDED to be included
> within the Unaffiliated BFD Echo packet", is that an effective way
> to mitigate this kind of DoS attack?

I'm not sure. I wasn't clear if you expect B to validate that control packet or not, but my assumption was that B is not likely to, given it only does the echo thing. If real-A does validate that's something, but the reflection attack has already happened at that point (if there is an attack).

[XM]>>> You may have a read of what Erik Auerswald said in his post. I fully agree with him. To address your comments, I propose to add some text as below.
OLD
   As specified in Section 5 of [RFC5880], since BFD Echo packets may be spoofed, some form of authentication SHOULD be included.

NEW
   As specified in Section 5 of [RFC5880], BFD Echo packets may be spoofed. Specifically for Unaffiliated BFD Echo, a DoS attacker may send spoofed Unaffiliated BFD Echo packets to the loop-back device, so some form of authentication SHOULD be included.

Best Regards,
Xiao Min

Cheers,
S.

--
last-call mailing list -- [email protected]
To unsubscribe send an email to [email protected]
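The point argued in the thread, as an added example that is not code from the draft, the thread, or any BFD implementation: the loop-back device B is modelled as a pure reflector that parses nothing, and the originating device A validates the Keyed SHA1 Authentication Section (my reading of RFC 5880 Section 6.7.4: key padded to 20 bytes in place of the digest, SHA1 over the whole Control packet) on the packet that comes back. The Control packet field values, the assumption that My and Your Discriminator both carry A's own discriminator, the shared key, the key ID and the packet counts are illustrative assumptions; sequence-number and replay handling is omitted.

```python
"""Spoofed Unaffiliated BFD Echo packets: what B reflects versus what A accepts.

Added example, not from the draft or the thread. Packet layout follows my
reading of RFC 5880 (24-byte Control packet + 28-byte Keyed SHA1 auth section).
"""
import hashlib
import hmac
import struct

AUTH_TYPE_KEYED_SHA1 = 4
AUTH_LEN_SHA1 = 28        # 8-byte auth header + 20-byte key/digest field
CTRL_LEN = 24             # mandatory BFD Control packet section
FLAG_A = 0x04             # Authentication Present bit (Sta<<6 | P F C A D M)


def _ctrl_header(local_disc, flags):
    """Version 1, Diag 0, State Up (3), Detect Mult 3, Length 52.
    Assumption: both discriminators carry the sender's own value because an
    echo packet loops back to the device that sent it."""
    return struct.pack("!BBBBIIIII",
                       (1 << 5) | 0,
                       (3 << 6) | flags,
                       3,
                       CTRL_LEN + AUTH_LEN_SHA1,
                       local_disc,          # My Discriminator
                       local_disc,          # Your Discriminator
                       1_000_000,           # Desired Min TX Interval (us)
                       1_000_000,           # Required Min RX Interval (us)
                       0)                   # Required Min Echo RX Interval


def build_echo(local_disc, seq, key_id, key):
    """Sender side: SHA1 over the packet with the padded key occupying the
    20-byte field; the digest replaces the key on the wire."""
    hdr = _ctrl_header(local_disc, FLAG_A)
    auth_hdr = struct.pack("!BBBBI", AUTH_TYPE_KEYED_SHA1, AUTH_LEN_SHA1,
                           key_id, 0, seq)
    padded_key = key.ljust(20, b"\x00")[:20]
    digest = hashlib.sha1(hdr + auth_hdr + padded_key).digest()
    return hdr + auth_hdr + digest


def validate_echo(pkt, local_disc, keys):
    """Receiver side (real-A): True only for a packet that is ours and that
    carries a correct Keyed SHA1 digest. `keys` maps Auth Key ID -> key."""
    if len(pkt) != CTRL_LEN + AUTH_LEN_SHA1:
        return False
    if not pkt[1] & FLAG_A:
        return False                         # no auth section present
    my_disc, your_disc = struct.unpack("!II", pkt[4:12])
    if my_disc != local_disc or your_disc != local_disc:
        return False                         # not one of our echo packets
    atype, alen, key_id, _rsvd, _seq = struct.unpack("!BBBBI",
                                                     pkt[CTRL_LEN:CTRL_LEN + 8])
    if atype != AUTH_TYPE_KEYED_SHA1 or alen != AUTH_LEN_SHA1:
        return False
    if key_id not in keys:
        return False
    padded_key = keys[key_id].ljust(20, b"\x00")[:20]
    expected = hashlib.sha1(pkt[:CTRL_LEN + 8] + padded_key).digest()
    return hmac.compare_digest(expected, pkt[CTRL_LEN + 8:])


def loopback_device(pkt):
    """Device B: sends the packet back toward its IP source unchanged.
    It never looks at the payload, so it reflects spoofed echoes too."""
    return pkt


def run_scenario():
    """One genuine echo from A plus 100 echoes spoofed by bad-device-A
    (A's source address, but no knowledge of the shared key)."""
    disc = 0x0A0B0C0D
    keys = {1: b"shared-secret"}             # hypothetical key for key ID 1
    genuine = build_echo(disc, seq=1, key_id=1, key=keys[1])
    spoofed = [build_echo(disc, seq=n, key_id=1, key=b"wrong-guess")
               for n in range(100)]
    reflected = [loopback_device(p) for p in [genuine] + spoofed]
    accepted = [p for p in reflected if validate_echo(p, disc, keys)]
    return {"reflected_by_B": len(reflected),
            "accepted_by_A": len(accepted),
            "rejected_by_A": len(reflected) - len(accepted)}


if __name__ == "__main__":
    print(run_scenario())
```

Running it separates the two halves of the argument: B reflects all 101 packets because it validates nothing (the reflection traffic has already been generated), while A accepts only the one it authenticated, so the Authentication Section protects A's own session state rather than the load that B reflects.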
