Hi, Alan!
Furthermore, I would like to suggest going back to the original ordering, with digest/hash
verification being done before examining the Sequence Number, because it simplifies the
algorithm. I don't think that checking the Sequence Number first provides much protection
against CPU exhaustion attacks, because Sequence Numbers are transmitted in clear text
and it wouldn't be that difficult for an attacker to come up with a valid Sequence Number
to pass the "cheap" check.
   Yes.

   The "secure sequence numbers" draft attempts to address these issues.

Thank you for the pointer. It seems that the "secure sequence numbers" draft makes the same mistake as RFC 5880 of putting bfd.AuthSeqKnown and bfd.RcvAuthSeq manipulations before FNV-1a digest calculation in Section 7. <https://www.ietf.org/archive/id/draft-ietf-bfd-secure-sequence-numbers-09.html#name-meticulous-keyed-fnv1a-auth> "Meticulous Keyed FNV1A Authentication" (part "Receipt Using Meticulous Keyed FNV1A Authentication"):

   Otherwise (bfd.AuthSeqKnown is 0), bfd.AuthSeqKnown MUST be set to
   1, and bfd.RcvAuthSeq MUST be set to the value of the received
   Sequence Number field.

   Replace the contents of the Digest field with zeros, and calculate
   the FNV-1a digest as described below. If the calculated FNV-1a
   digest is equal to the received value of the Digest field, the
   received packet MUST be accepted. Otherwise (the digest does not
   match the Digest field), the received packet MUST be discarded.

Best regards,
Glebs
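The ordering issue raised above can be made concrete with a small receiver model. The following is an added example, not code from the thread, the draft, or any BFD implementation, and it simplifies heavily: the authentication section is modelled as just a 4-byte Sequence Number followed by a 4-byte Digest, the keyed digest is assumed to be 32-bit FNV-1a over key || packet-with-Digest-zeroed (the draft's real keying and digest width are not quoted here), and the accept window for a known sequence is taken from RFC 5880's meticulous rule (received number must be within 3*DetectMult above bfd.RcvAuthSeq). Two receivers are compared: one that updates bfd.AuthSeqKnown/bfd.RcvAuthSeq before the digest check, as in the quoted draft text, and one that verifies the digest first.

```python
import struct

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Plain 32-bit FNV-1a over the given bytes."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


# Assumed toy layout: Sequence Number (4 bytes) || Digest (4 bytes).
def build_packet(seq: int, key: bytes) -> bytes:
    """Sender side: digest is computed with the Digest field zeroed."""
    zeroed = struct.pack(">I", seq) + b"\x00" * 4
    return struct.pack(">II", seq, fnv1a_32(key + zeroed))


def parse(pkt: bytes):
    return struct.unpack(">II", pkt)


def digest_ok(pkt: bytes, key: bytes) -> bool:
    """Receiver side: zero the Digest field, recompute, compare."""
    _, received_digest = parse(pkt)
    zeroed = pkt[:4] + b"\x00" * 4
    return fnv1a_32(key + zeroed) == received_digest


class Session:
    """The two receive-side authentication variables from RFC 5880."""

    def __init__(self, detect_mult: int = 3):
        self.auth_seq_known = 0
        self.rcv_auth_seq = 0
        self.detect_mult = detect_mult


def seq_in_window(sess: Session, seq: int) -> bool:
    # Meticulous: strictly increasing, at most 3*DetectMult ahead (mod 2^32).
    diff = (seq - sess.rcv_auth_seq) & 0xFFFFFFFF
    return 1 <= diff <= 3 * sess.detect_mult


def receive_draft_order(sess: Session, pkt: bytes, key: bytes) -> bool:
    """Sequence-number state is touched BEFORE the digest is verified."""
    seq, _ = parse(pkt)
    if sess.auth_seq_known:
        if not seq_in_window(sess, seq):
            return False
    else:
        # State mutated by a packet that has not been authenticated yet.
        sess.auth_seq_known = 1
        sess.rcv_auth_seq = seq
    if not digest_ok(pkt, key):
        return False
    sess.rcv_auth_seq = seq
    return True


def receive_digest_first(sess: Session, pkt: bytes, key: bytes) -> bool:
    """Digest verified first; state only changes for authenticated packets."""
    if not digest_ok(pkt, key):
        return False
    seq, _ = parse(pkt)
    if sess.auth_seq_known and not seq_in_window(sess, seq):
        return False
    sess.auth_seq_known = 1
    sess.rcv_auth_seq = seq
    return True


def demo():
    """Constructed scenario: one unauthenticated packet, then a genuine one."""
    key = b"constructed-shared-key"          # constructed sample key
    bad = build_packet(0xFFFFFF00, b"wrong-key")  # fails digest check
    genuine = build_packet(100, key)
    results = {}
    for name, recv in (("draft_order", receive_draft_order),
                       ("digest_first", receive_digest_first)):
        s = Session()
        bad_accepted = recv(s, bad, key)
        genuine_accepted = recv(s, genuine, key)
        results[name] = (bad_accepted, genuine_accepted,
                         s.auth_seq_known, s.rcv_auth_seq)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

In the draft-order receiver the unauthenticated packet is discarded, but it has already set bfd.AuthSeqKnown and bfd.RcvAuthSeq, so the genuine packet that follows falls outside the window and is discarded too. In the digest-first receiver the unauthenticated packet leaves the session untouched and the genuine packet is accepted, which is the behaviour the original ordering gives.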
