Authors, WG,

The writeup is available at
https://datatracker.ietf.org/doc/draft-ietf-bfd-secure-sequence-numbers/shepherdwriteup/

For convenience I’ve copied the comments on the document below.

Regards,
Reshad.

This document updates RFC5880. This is missing from the title page header.

Abstract
s/a security enhancements/a security enhancement/
Suggestion: “This document describes a security enhancement for the sequence
number used in BFD control packets”.

Requirements Language
Please put this later in the document, e.g. after the introduction. Add RFC8174,
and add it as a normative reference.

Introduction
Don’t use Authentication TLV, instead use “Authentication Section”. E.g.
s/in BFD authentication TLVs/in the BFD authentication section/
s/pseudo-random sequence numbers on the frame/pseudo-random sequence numbers in
BFD control packets/
I’m not sure I understood the last sentence starting with “Further security may
be ….”. What is “resetting un-encrypted sequence”? Does it mean that when the
sequence number rolls over, it’s reset to a pseudo-random number?

Section 2
Rename to “Theory of operation”
Suggest splitting the 1st sentence, e.g.

    Instead of inserting a monotonically, sometimes occasionally, increasing
    sequence number in BFD control packets, a hash is inserted instead.
    The hash is computed, using a shared key, on the sequence number. That
    computed hash is then inserted into the sequence number field of the
    packet.

In the following sentence, the part “used in computing an authenticated packet”
is referring to computing the SHA1/MD5 hash/digest for the packet? That
sentence should be clarified then.

    In case of BFD Authentication [I-D.ietf-bfd-optimizing-authentication],
    the sequence number used in computing an authenticated packet would
    be this new computed hash.

Also, when referring to the optimization draft, better to use e.g. “optimized
BFD authentication” than “BFD authentication”. The latter implies per-RFC5880
BFD authentication.
s/psuedo/pseudo/
s/ scope of this draft/ scope of this document/
s/seuquence/sequence/
Not clear to me what the following means.

    Note: The first sequence number can
    be obtained using the same logic as the My Discriminator value.

The diagram reads well for regular authentication. For secure sequence number,
I think the diagram would gain clarity from an ordered list of steps on the
sender and receiver. The current list before the diagram is useful; I believe
the sender steps would start at “H1:” and the receiver steps at hash’. And yes,
hash’ needs an explanation. On the receiver side, for validating that ’s’ is a
good sequence number, the range has to be checked as mentioned in the previous
paragraph.

Section 5
s/ stabiluty/ stability/
s/admistratively/administratively/
s/Sequential nature/The sequential nature/
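
The sender and receiver steps discussed in the Section 2 comments, as an added sketch that is not from the draft or from this review. It assumes HMAC-SHA256 truncated to the 32-bit sequence number field and a caller-supplied acceptance window; `wire_field`, `recover_seq`, `run_session` and the sample key are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

SEQ_MOD = 2**32  # the BFD authentication sequence number field is 32 bits wide


def wire_field(key: bytes, seq: int) -> bytes:
    """Sender: keyed hash of the real sequence number, cut to 4 bytes.

    HMAC-SHA256 and the truncation are assumptions of this sketch.
    """
    mac = hmac.new(key, struct.pack("!I", seq % SEQ_MOD), hashlib.sha256)
    return mac.digest()[:4]


def recover_seq(key: bytes, field: bytes, last_seq: int, window: int):
    """Receiver: return the s in (last_seq, last_seq + window] whose keyed
    hash equals the received field, or None when no candidate matches.
    The window size is an assumption supplied by the caller."""
    for offset in range(1, window + 1):
        candidate = (last_seq + offset) % SEQ_MOD  # handles rollover
        if hmac.compare_digest(wire_field(key, candidate), field):
            return candidate
    return None


def run_session(key: bytes, start_seq: int, fields, window: int):
    """Feed received fields through the receiver; each accepted packet
    advances last_seq, so a replayed field falls out of the window."""
    last_seq, results = start_seq, []
    for field in fields:
        seq = recover_seq(key, field, last_seq, window)
        if seq is not None:
            last_seq = seq
        results.append(seq)
    return results


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample value
    rx = [wire_field(KEY, 1000), wire_field(KEY, 1000),  # second is a replay
          wire_field(KEY, 1003), wire_field(KEY, 5000)]  # gap, then too far
    print(run_session(KEY, 999, rx, window=15))
```

The receiver never sees the real sequence number on the wire, so the range check is what both recovers it and rejects replayed or far-future values.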