Also regarding the simplification, normally this is operated in some
‘trusted’ environment, e.g. in some trusted IXP subnet where the route
server is at. Even if the router does apply the ‘access control’ on the
subnet, it is much simpler than pre-configuring hundreds of BFD peers on
the subnet, just in case some of those peers will later send us data
traffic and those BFD sessions will be used.

When MH is added in this draft, those recommendations will be more
relevant. Tradeoffs need to be considered in operations also, maybe it is
better in some cases to use regular BFD vs unsolicited BFD in some
environments due to security concerns.

thanks.
- Naiming
> Two recommendations in the Security Considerations section:
>    o  Apply "access control" to allow BFD packets only from certain
>       subnets or hosts.
> ...
>    o  Use BFD authentication.
> leave some serious doubts that the proposed model does bring any operational 
> simplification compared to explicitly configuring BFD on both systems 
> (especially to use authentication).
> 
> <RR> Good point. I think it depends. e.g. if BFD authentication is already in 
> use, this is not an issue. 
