"Thus, if we're in no-auth, injecting anything other than "I'm still up!" gets 
ignored.  You can keep the session up, but you can't change parameters or take 
the session down.  State changes require strong auth anyway."

Ah right, I forgot about that. I think the text you're referring to might be in 
section 1 now, at least part of it.
Regards,
Reshad.


On Wednesday, February 7, 2024, 12:59:13 PM EST, Jeffrey Haas <jh...@pfrc.org> wrote:

On Feb 7, 2024, at 12:48 PM, Reshad Rahman <res...@yahoo.com> wrote:
Jeff,
"No authentication also thus means you can't attack the system by sending a 
sequence number".
I agree. But you don't need a seq number with no auth, you just attack by 
sending a packet to take the session down. That's why I still view NULL auth as 
(slightly) better than no auth.

I think I see the problem.  At some point in the github merges, we lost text 
that effectively asserts that in the Up state, you cannot change the BFD 
control packet contents excluding the auth section without flipping to the 
strong auth mode.
Basically:

If state is Up:
    If authentication is Optimized mode:
        Validate authentication, if any, and discard on fail.
        Validate control packet contents have not changed.  We are still Up
        and haven't been convinced to change BFD parameters.
Thus, if we're in no-auth, injecting anything other than "I'm still up!" gets 
ignored.  You can keep the session up, but you can't change parameters or take 
the session down.  State changes require strong auth anyway.  The clarification 
is we don't let other parameters get tweaked because portions of the 5880 state 
machinery didn't require either a state change or a poll sequence to happen.
I'll open a github issue to track this point.
I see also that we have some zombie text:

"Implementations supporting this feature will send BFD packets with 
authentications that always carry a meticulously increasing sequence number. 
This meticulously increasing sequence number prevents replay attacks"
Since we're deciding to support no-auth, this sentence is wrong.  I'll pen a 
second issue.
-- Jeff
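The receive-side rule Jeff describes, written out as an added Python model (not the draft's text or any BFD implementation's code) for a session in optimized authentication mode: in the Up state a packet without strong authentication is honoured only as "I'm still up!", anything that would change state or parameters needs strong auth, and a meticulous sequence number, when one is carried, must strictly increase. The packet and session fields, and the `auth_strong` flag standing in for a non-NULL auth type, are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the receive-side rule described in the thread for a
# session using optimized authentication; not the draft's or any implementation's code.

@dataclass(frozen=True)
class ControlFields:
    """Control packet contents, excluding the authentication section."""
    state: str                 # "Down", "Init", "Up" or "AdminDown"
    detect_mult: int
    desired_min_tx: int
    required_min_rx: int

@dataclass
class Packet:
    fields: ControlFields
    auth_present: bool = False   # is an auth section carried at all?
    auth_strong: bool = False    # assumed flag: a non-NULL auth type
    auth_valid: bool = False     # did the auth section verify?
    seq: Optional[int] = None    # sequence number from the auth section

@dataclass
class Session:
    state: str
    last_fields: ControlFields   # contents accepted when the session came Up
    last_seq: Optional[int] = None

def receive(sess: Session, pkt: Packet) -> str:
    """Process one packet; return 'discard', 'keepalive' or 'accept'."""
    # Validate authentication, if any, and discard on failure.
    if pkt.auth_present and not pkt.auth_valid:
        return "discard"
    # Meticulous sequence numbers: a replayed or stale value is discarded.
    if pkt.seq is not None and sess.last_seq is not None and pkt.seq <= sess.last_seq:
        return "discard"
    if not (pkt.auth_present and pkt.auth_strong):
        # No-auth or NULL-auth is only honoured as "I'm still up!" in the Up state.
        if sess.state != "Up" or pkt.fields != sess.last_fields:
            return "discard"       # state or parameter change needs strong auth
        if pkt.seq is not None:
            sess.last_seq = pkt.seq
        return "keepalive"
    # Strongly authenticated: contents may change the session.
    if pkt.seq is not None:
        sess.last_seq = pkt.seq
    sess.last_fields = pkt.fields
    if pkt.fields.state in ("Down", "AdminDown"):
        sess.state = "Down"        # remote went down, so do we (RFC 5880 behaviour)
    return "accept"
```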