Diff: draft-ietf-bfd-secure-sequence-numbers-01.txt - draft-ietf-bfd-secure-sequence-numbers-02.txt

	draft-ietf-bfd-secure-sequence-numbers-01.txt	draft-ietf-bfd-secure-sequence-numbers-02.txt

	Network Working Group M. Jethanandani	Network Working Group M. Jethanandani
	Internet-Draft S. Agarwal	Internet-Draft S. Agarwal
	Intended status: Standards Track Cisco Systems, Inc	Intended status: Standards Track Cisco Systems, Inc

	Expires: May 25, 2018 A. Mishra	Expires: November 26, 2018 A. Mishra
	O3b Networks	O3b Networks
	A. Saxena	A. Saxena
	Ciena Corporation	Ciena Corporation
	A. Dekok	A. Dekok
	Network RADIUS SARL	Network RADIUS SARL

	November 21, 2017	May 25, 2018

	Secure BFD Sequence Numbers	Secure BFD Sequence Numbers

	draft-ietf-bfd-secure-sequence-numbers-01	draft-ietf-bfd-secure-sequence-numbers-02

	Abstract	Abstract

	This document describes a security enhancements for the BFD packet's	This document describes a security enhancements for the BFD packet's
	sequence number.	sequence number.

	Requirements Language	Requirements Language

	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
	"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this	"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this

	skipping to change at page 1, line 43 ¶	skipping to change at page 1, line 43 ¶
	Internet-Drafts are working documents of the Internet Engineering	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute	Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-	working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.	Drafts is at https://datatracker.ietf.org/drafts/current/.

	Internet-Drafts are draft documents valid for a maximum of six months	Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any	and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference	time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."	material or to cite them other than as "work in progress."


	This Internet-Draft will expire on May 25, 2018.	This Internet-Draft will expire on November 26, 2018.

	Copyright Notice	Copyright Notice


	Copyright (c) 2017 IETF Trust and the persons identified as the	Copyright (c) 2018 IETF Trust and the persons identified as the
	document authors. All rights reserved.	document authors. All rights reserved.

	This document is subject to BCP 78 and the IETF Trust's Legal	This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents	Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of	(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents	publication of this document. Please review these documents
	carefully, as they describe your rights and restrictions with respect	carefully, as they describe your rights and restrictions with respect
	to this document. Code Components extracted from this document must	to this document. Code Components extracted from this document must
	include Simplified BSD License text as described in Section 4.e of	include Simplified BSD License text as described in Section 4.e of
	the Trust Legal Provisions and are provided without warranty as	the Trust Legal Provisions and are provided without warranty as
	described in the Simplified BSD License.	described in the Simplified BSD License.

	Table of Contents	Table of Contents

	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
	2. Theory of operations . . . . . . . . . . . . . . . . . . . . 2	2. Theory of operations . . . . . . . . . . . . . . . . . . . . 2
	3. Impact of using a hash . . . . . . . . . . . . . . . . . . . 4	3. Impact of using a hash . . . . . . . . . . . . . . . . . . . 4
	4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4	4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
	5. Security Considerations . . . . . . . . . . . . . . . . . . . 4	5. Security Considerations . . . . . . . . . . . . . . . . . . . 4

	6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4	6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
	7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4	7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
	7.1. Normative References . . . . . . . . . . . . . . . . . . 4	7.1. Normative References . . . . . . . . . . . . . . . . . . 5
	7.2. Informative References . . . . . . . . . . . . . . . . . 5	7.2. Informative References . . . . . . . . . . . . . . . . . 5
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5

	1. Introduction	1. Introduction

	BFD [RFC5880] section 6.7 describes the use of monotonically	BFD [RFC5880] section 6.7 describes the use of monotonically
	incrementing 32-bit sequence numbers for use in authentication of BFD	incrementing 32-bit sequence numbers for use in authentication of BFD
	packets. While this method protects against simple replay attacks,	packets. While this method protects against simple replay attacks,
	the monotonically incrementing sequence numbers are predictable and	the monotonically incrementing sequence numbers are predictable and
	vulnerable to more complex attack vectors. This document proposes	vulnerable to more complex attack vectors. This document proposes

	skipping to change at page 4, line 37 ¶	skipping to change at page 4, line 37 ¶

	4. IANA Considerations	4. IANA Considerations

	This document makes no request of IANA.	This document makes no request of IANA.

	Note to RFC Editor: this section may be removed on publication as an	Note to RFC Editor: this section may be removed on publication as an
	RFC.	RFC.

	5. Security Considerations	5. Security Considerations


		While the proposed mechanism improves overall security of BFD
		mechanism, the security consderations are listed below:

		Because of the fast rate of BFD sesions and it is difficult to change
		the keys (used for hashing the sequence number) during the operation
		of a BFD session without affecting the stabiluty of the BFD session.
		It is, therefore, recommended to admistratively disable the BFD
		session before changing the keys. If the keys are not changed, an
		attacker can use a replay attack.

		Using this method allows the BFD end-points to detect a malicious
		packet (the decrypted sequence number will not be in sequence) the
		behavior of the session when such a packet is detected is based on
		the implementation. A flood of such malicious packets may cause a
		session to report BFD session to be operationally down.

		The hashing algorithm and key size will determine the difficulty for
		an attacker to decipher the key from the transmitted BFD frames.
		Sequential nature of the payload (sequence numbers) simplifies the
		decoding of the key. It is, therefore, recommended to use longer
		keys or more secure hashing algorithms.

	6. Acknowledgements	6. Acknowledgements

	7. References	7. References

	7.1. Normative References	7.1. Normative References

	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119,	Requirement Levels", BCP 14, RFC 2119,
	DOI 10.17487/RFC2119, March 1997,	DOI 10.17487/RFC2119, March 1997,
	<https://www.rfc-editor.org/info/rfc2119>.	<https://www.rfc-editor.org/info/rfc2119>.

	[RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection	[RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
	(BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010,	(BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010,
	<https://www.rfc-editor.org/info/rfc5880>.	<https://www.rfc-editor.org/info/rfc5880>.

	7.2. Informative References	7.2. Informative References

	[I-D.ietf-bfd-optimizing-authentication]	[I-D.ietf-bfd-optimizing-authentication]
	Jethanandani, M., Mishra, A., Saxena, A., and M. Bhatia,	Jethanandani, M., Mishra, A., Saxena, A., and M. Bhatia,
	"Optimizing BFD Authentication", draft-ietf-bfd-	"Optimizing BFD Authentication", draft-ietf-bfd-

	optimizing-authentication-03 (work in progress), June	optimizing-authentication-04 (work in progress), November
	2017.	2017.

	Authors' Addresses	Authors' Addresses

	Mahesh Jethanandani	Mahesh Jethanandani
	Cisco Systems, Inc	Cisco Systems, Inc
	170 West Tasman Drive	170 West Tasman Drive
	San Jose, CA 95070	San Jose, CA 95070
	USA	USA


	skipping to change at page 6, line 4 ¶	skipping to change at page 6, line 16 ¶

	Email: mishra.ashesh@gmail.com	Email: mishra.ashesh@gmail.com

	Ankur Saxena	Ankur Saxena
	Ciena Corporation	Ciena Corporation
	3939 North First Street	3939 North First Street
	San Jose, CA 95134	San Jose, CA 95134
	USA	USA

	Email: ankurpsaxena@gmail.com	Email: ankurpsaxena@gmail.com


	Alan DeKok	Alan DeKok
	Network RADIUS SARL	Network RADIUS SARL
	100 Centrepointe Drive #200	100 Centrepointe Drive #200
	Ottowa, ON K2G 6B1	Ottowa, ON K2G 6B1
	Canada	Canada


	Email: aland@networkradious.com	Email: aland@freeradius.org

End of changes. 10 change blocks.
	9 lines changed or deleted	32 lines changed or added
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/