Re: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)

2022-04-28 Thread Alan DeKok
On Apr 28, 2022, at 5:37 AM, Gļebs Ivanovskis wrote:
> Thank you for the pointer. It seems that the "secure sequence numbers" draft
> makes the same mistake as RFC 5880 of putting bfd.AuthSeqKnown and
> bfd.RcvAuthSeq manipulations before FNV-1a digest calculation in Section 7.
> "Meticulous Ke

Re: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)

2022-04-28 Thread Alan DeKok
On Apr 27, 2022, at 7:58 PM, Greg Mirsky wrote:
> you've suggested
> It would be good to say that packets which fail authentication MUST NOT
> affect the BFD state.
> I think that a BFD Control message that failed validation, and I consider
> authentication is a part of the validation process, M

Re: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)

2022-04-28 Thread Gļebs Ivanovskis
Hi, Alan! Furthermore, I would like to suggest going back to original ordering with digest/hash verification being done before examining Sequence Number, because it simplifies the algorithm. I don't think that checking Sequence Number first provides much protection against CPU exhaustion attac

Re: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)

2022-04-27 Thread Greg Mirsky
Hi Alan, you've suggested It would be good to say that packets which fail authentication MUST NOT affect the BFD state. I think that a BFD Control message that failed validation, and I consider authentication is a part of the validation process, MUST be discarded. If the number of consecutively d

Re: Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)

2022-04-27 Thread Alan DeKok
On Apr 25, 2022, at 6:23 AM, Gļebs Ivanovskis wrote:
> I have a question regarding the order of operations during receipt of BFD
> control packet using keyed MD5/SHA1 authentication. Both Section 6.7.3.
> "Keyed MD5 and Meticulous Keyed MD5 Authentication" and Section 6.7.4. "Keyed
> SHA1 and M

Regarding keyed MD5/SHA1 authentication for BFD (RFC 5880)

2022-04-25 Thread Gļebs Ivanovskis
Hi, I have a question regarding the order of operations during receipt of BFD control packet using keyed MD5/SHA1 authentication. Both Section 6.7.3. "Keyed MD5 and Meticulous Keyed MD5 Authentication" and Section 6.7.4.