On Apr 28, 2022, at 5:37 AM, Gļebs Ivanovskis <gl...@mikrotik.com> wrote:
> Thank you for the pointer. It seems that the "secure sequence numbers" draft
> makes the same mistake as RFC 5880 of putting bfd.AuthSeqKnown and
> bfd.RcvAuthSeq manipulations before FNV-1a digest calculation in Section 7.
> "Meticulous Keyed FNV1A Authentication" (part "Receipt Using Meticulous Keyed
> FNV1A Authentication"):
>
> Otherwise (bfd.AuthSeqKnown is 0), bfd.AuthSeqKnown MUST be set to 1, and
> bfd.RcvAuthSeq MUST be set to the value of the received Sequence Number field.
>
> Replace the contents of the Digest field with zeros, and calculate the FNV-1a
> digest as described below. If the calculated FNV-1a digest is equal to the
> received value of the Digest field, the received packet MUST be accepted.
> Otherwise (the digest does not match the Digest field), the received packet
> MUST be discarded.

Yes, the text should be updated to authenticate first, then change state.

There's also additional text needed to clarify and finalize all of the issues around state / state changes with those authentication methods. Suggestions are welcome. I spent time getting the ISAAC / FNV text updated, but I'm less familiar with the rest of BFD.

Alan DeKok.
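
The ordering discussed in this thread, as an added example that is not taken from the draft, RFC 5880 or either poster: the same receive routine run state-first and authenticate-first against one packet whose digest does not verify, followed by one genuine packet. The packet layout, the keyed digest construction (FNV-1a over key plus the packet with a zeroed Digest field), the window value and all function names are assumptions made for illustration.

```python
import struct

def fnv1a32(data):
    h = 0x811C9DC5  # 32-bit FNV-1a offset basis
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF  # 32-bit FNV prime
    return h

def keyed_digest(key, seq, payload):
    # Assumption: digest = FNV-1a(key || packet with Digest field zeroed)
    return fnv1a32(key + struct.pack("!II", seq, 0) + payload)

def build(key, seq, payload):
    # Constructed layout, not the BFD wire format: seq(4) | digest(4) | payload
    return struct.pack("!II", seq, keyed_digest(key, seq, payload)) + payload

class Session:
    def __init__(self, key, window=9):  # window stands in for 3 * Detect Mult
        self.key, self.window = key, window
        self.auth_seq_known, self.rcv_auth_seq = 0, 0

def seq_ok(s, seq):
    if not s.auth_seq_known:
        return True
    return 0 < ((seq - s.rcv_auth_seq) & 0xFFFFFFFF) <= s.window

def receive(s, pkt, authenticate_first):
    seq, digest = struct.unpack("!II", pkt[:8])
    valid = keyed_digest(s.key, seq, pkt[8:]) == digest
    if not seq_ok(s, seq):
        return False
    if authenticate_first and not valid:
        return False  # discarded before any session state is touched
    s.auth_seq_known, s.rcv_auth_seq = 1, seq
    return valid  # state-first order: a bad digest is rejected too late

def demo(authenticate_first):
    key = b"constructed-key"
    s = Session(key)
    good = build(key, 0x70000000, b"ctl")
    forged = good[:7] + bytes([good[7] ^ 1]) + good[8:]  # digest no longer verifies
    genuine = build(key, 5, b"ctl")
    return (receive(s, forged, authenticate_first),
            receive(s, genuine, authenticate_first), s.rcv_auth_seq)

if __name__ == "__main__":
    print("state first:       ", demo(False))
    print("authenticate first:", demo(True))
```

In the state-first run the unauthenticated packet is discarded but bfd.RcvAuthSeq has already been overwritten, so the genuine packet fails the sequence check; in the authenticate-first run the session state is unchanged by the bad packet and the genuine one is accepted.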