> On Sep 27, 2024, at 4:44 AM, [email protected] wrote:
>
> Section 4, question...
>
> Could an attacker interpose themselves between the two nodes and perform loopback? Loopback is an easy function with no requirement to generate any additional security, so it is easier than impersonating a full BFD implementation.
>
> [XM]>>> In theory it would happen, however in the real deployment I doubt it would happen. Currently we have two specific use cases of the Unaffiliated BFD Echo, one is between RG and IP Edge (as described in Section 6.2.2 of BBF TR-146), another one is between DC Gateway and VM of Server (as described in draft-wang-bfd-one-arm-use-case). For the two use cases it seems difficult for an attacker to interpose itself between the two nodes.
>
As a potentially closing note, unaffiliated BFD PDUs require GTSM procedures validating the TTL. In order for such an attacker to interpose themselves in such a fashion, it would have to be an attacker that appears one IP hop away, typically an on-link attacker.

In such a case, the attack is the expected destination being taken down but the BFD session being kept up. Unaffiliated BFD can't detect such imposters. BFD using one of the stronger authentications such as SHA-1 will have better resiliency against talking to such imposters. In scenarios where this is a concern, unaffiliated BFD should not be used.

Even when stronger BFD authentication is in use, it shouldn't be used as a mechanism to try to provide application level authentication of the endpoints.

-- 
Jeff
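The GTSM point above, as an added model that is not part of the thread and not any BFD implementation's code: it assumes the sender transmits with TTL 255, that the legitimate loopback is exactly one forwarding hop (so the packet returns with TTL 254), and that the receiver also sanity-checks the discriminator it put in the packet; the names and the one-hop expected value are this model's assumptions, not quotations from the RFC.

```python
from dataclasses import dataclass

TX_TTL = 255        # GTSM (RFC 5082): transmit with TTL / Hop Limit 255
LOOPBACK_HOPS = 1   # model assumption: a genuine loopback is one forwarding hop


@dataclass(frozen=True)
class EchoPacket:
    my_discriminator: int   # chosen by the sender, looped back unchanged
    ttl: int                # IP TTL / Hop Limit as seen on receipt


def send_echo(discriminator: int) -> EchoPacket:
    """The local system transmits an Unaffiliated BFD Echo packet with TTL 255."""
    return EchoPacket(discriminator, TX_TTL)


def forward_hop(pkt: EchoPacket) -> EchoPacket:
    """Any IP forwarding hop, genuine peer or not, decrements the TTL by one."""
    return EchoPacket(pkt.my_discriminator, pkt.ttl - 1)


def accept_echo(pkt: EchoPacket, expected_discriminator: int) -> bool:
    """Receiver-side GTSM check plus a sanity check that this is our own packet.
    A packet that crossed more than LOOPBACK_HOPS hops is rejected outright."""
    if pkt.ttl != TX_TTL - LOOPBACK_HOPS:
        return False
    return pkt.my_discriminator == expected_discriminator


def scenarios(discriminator: int = 42) -> dict:
    """Constructed cases showing what the TTL check catches and what it cannot."""
    sent = send_echo(discriminator)
    genuine = forward_hop(sent)                 # next-hop peer loops it back: 1 hop
    far = forward_hop(forward_hop(sent))        # reflector two hops away: TTL 253
    on_link = forward_hop(sent)                 # on-link imposter forwarding it back:
                                                # also 1 hop, indistinguishable by TTL
    stale = EchoPacket(discriminator + 1, TX_TTL - LOOPBACK_HOPS)  # not our packet
    return {
        "genuine_peer": accept_echo(genuine, discriminator),
        "multi_hop_reflector": accept_echo(far, discriminator),
        "on_link_imposter": accept_echo(on_link, discriminator),
        "wrong_discriminator": accept_echo(stale, discriminator),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:20s} -> {'session stays up' if accepted else 'rejected'}")
```

The `on_link_imposter` case is the gap the reply describes: GTSM limits who can reflect the packet to one hop, but gives the receiver no way to tell a one-hop imposter from the real peer, which is why stronger BFD authentication or avoiding unaffiliated BFD is the mitigation where that matters.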
