Hi, I have gone through rev-11 and my comments have been addressed. Thank you.
Regards, Reshad. From: Rtg-bfd <rtg-bfd-boun...@ietf.org> on behalf of "Reshad Rahman (rrahman)" <rrahman=40cisco....@dmarc.ietf.org> Date: Sunday, June 14, 2020 at 2:51 PM To: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-optimizing-authenticat...@ietf.org" <draft-ietf-bfd-optimizing-authenticat...@ietf.org> Subject: Shepherd writeup for draft-ietf-bfd-optimizing-authentication Authors, WG, The writeup is available at https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/ For convenience I’ve copied the comments on the document below. Regards, Reshad. General: * Updates RFC5880 missing from title page * Replace BFD frames by BFD packets or BFD control packets. Don’t use frames since RFC5880 uses packets. * Use of term Null-authentication TLV. RFC5880 uses authentication section, doesn’t mention auth TLV. Abstract: Mention that this document updates RFC5880. Requirements Language Please put this is a separate (sub)section later, e.g. after introduction. Introduction First paragraph: s/is computationally intensive process/is a computationally intensive process/ Split first sentence into 2, e.g. Authenticating every BFD [RFC5880] packet with a Simple Password, or with a MD5 Message-Digest Algorithm [RFC1321], or Secure Hash Algorithm (SHA-1) algorithms is a computationally intensive process. This makes it difficult, if not impossible, to authenticate every packet, particularly at faster rates. 2nd paragraph: “… only BFD frames that signal a state change in BFD be authenticated.” State change is not 100% correct since P/F/D bit changes aren’t state changes (as mentioned in more detail below in section 2 comments). What about this instead: “State change, a demand mode change (to D bit) or a poll sequence change (P or F bit change) in a BFD packet are categorized as a significant BFD change. This document proposes that all BFD control packets which signal a significant BFD change MUST be authenticated if the session’s bfd.AuthType is non-zero. Other BFD control packets MAY be transmitted and received without the A bit set.” If you do use “significant BFD change”, add it to terminology section. s/non-state change frame/BFD control packets without state or D/F/P bit change/, e.g. “To detect a Man In the Middle (MITM) attack, it is also proposed that BFD control packets without a significant change be authenticated occasionally. The interval of these control packets…” Section 2 POLL and DEMAND are NOT strictly states. POLL refers to “Poll sequence” as specified in section 6.5 of RFC5880. DEMAND refers to “Demand mode” as specified in section 6.6 of RFC5880. In the table, the POLL entry refers to polling sequence enabled and in any BFD state. Likewise, the DEMAND entry refers to Demand mode. This means that a session in UP state, in demand mode and polling sequence enabled will match 3 entries in that table. It’s a bit confusing. Here’s what I suggest instead: 1. Take POLL out of the table. Add a paragraph mentioning that if P or F bit changes value, the packet MUST be authenticated 2. Take DEMAND out of the table. Add a paragraph mentioning that if D bit changes value, the packet MUST be authenticated Another comment on the table. The text says it should be read as state change from column to row. Column INIT to row UP is n/a whereas column UP to row INIT is Auth. INIT to UP is a valid transition, UP to INIT is not (has to go through DOWN first). So I think those entries should be reversed in the table. Last paragraph: CC frames is not defined in BFD, use “control packets” instead? Section 3 Sequence number mentions “as defined in [RFC5880]”. Suggest mentioning bfd.XmitAuthSeq Security Considerations. I believe this needs to be beefed up: 1. Use of sequence number for non-authenticated frames. Secure sequence numbers even better. 2. Mention (again) that non-authenticated BFD packets which have a significant change (state, D/F/P) are dropped. So if someone injects a non-authenticated packet with Down state to take down the session, that won’t work. Section 6.2 RFC5880 should be a normative reference.
