Optimizing BFD Authentication
draft-ietf-bfd-optimizing-authentication-11

Document Type Active Internet-Draft (bfd WG)
Last updated 2020-07-27
Replaces draft-mahesh-bfd-authentication
Stream IETF
Intended RFC status Proposed Standard
Stream WG state WG Consensus: Waiting for Write-Up
Document shepherd Reshad Rahman
Shepherd write-up last changed 2020-07-23
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
Responsible AD (None)
Send notices to Reshad Rahman <rrahman@cisco.com>
Network Working Group                                    M. Jethanandani
Internet-Draft                                            Kloud Services
Updates: 5880 (if approved)                                    A. Mishra
Intended status: Standards Track                            SES Networks
Expires: January 29, 2021                                      A. Saxena
                                                       Ciena Corporation
                                                               M. Bhatia
                                                                   Nokia
                                                           July 28, 2020

                     Optimizing BFD Authentication
              draft-ietf-bfd-optimizing-authentication-11

Abstract

   This document describes an optimization to BFD Authentication as
   described in Section 6.7 of BFD RFC 5880.  This document updates RFC
   5880.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 29, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

Jethanandani, et al.    Expires January 29, 2021                [Page 1]
Internet-Draft       BFD Authentication Optimization           July 2020

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Authentication Mode . . . . . . . . . . . . . . . . . . . . .   4
   3.  NULL Auth Type  . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   Authenticating every BFD [RFC5880] control packet with a Simple
   Password, with the MD5 Message-Digest Algorithm [RFC1321], or with
   the Secure Hash Algorithm (SHA-1) is a computationally intensive
   process.  This makes it difficult, if not impossible, to
   authenticate every packet, particularly at faster rates.  Also, the
   recent escalating series of attacks on MD5 and SHA-1 described in
   Finding Collisions in the Full SHA-1 [SHA-1-attack1] and New
   Collision Search for SHA-1 [SHA-1-attack2] raise concerns about their
   remaining useful lifetime, as outlined in Updated Security
   Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithm
   [RFC6151] and Security Considerations for the SHA-0 and SHA-1
   Message-Digest Algorithm [RFC6194].  If these algorithms are replaced
   by stronger ones, the added computational overhead will make the task
   of authenticating every packet even more difficult to achieve.

   This document proposes that only BFD control packets that signal a
   state change, a demand mode change (a change to the D bit), or a poll
   sequence change (a change to the P or F bit) be categorized as
   carrying a significant change.  This document also proposes that all
   BFD control packets which signal a significant change MUST be
   authenticated if the session's bfd.AuthType is non-zero.  Other BFD
   control packets MAY be transmitted and received without the A bit
   set.
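   As an added example (not code from this draft or from any BFD
   implementation), the following Python parses the RFC 5880 Section 4.1
   control-packet header and applies the significant-change rule above on
   the receive side.  It assumes a change is judged against the last
   packet accepted on the session, and all sample packets are constructed.

```python
import struct
from typing import NamedTuple, Optional
# Header layout follows RFC 5880 Section 4.1; byte 1 holds Sta|P|F|C|A|D|M.
# Assumption (not stated by the draft): a "change" is judged against the
# last packet accepted on the session. All packets here are constructed.
class BfdHeader(NamedTuple):
    state: int          # 0 AdminDown, 1 Down, 2 Init, 3 Up
    poll: bool          # P bit
    final: bool         # F bit
    auth_present: bool  # A bit
    demand: bool        # D bit
    auth_type: int      # Auth Type byte, 0 if no authentication section

def parse_bfd(packet: bytes) -> BfdHeader:
    if len(packet) < 24:
        raise ValueError("short BFD control packet")
    _b0, b1, _mult, length = struct.unpack("!BBBB", packet[:4])
    if length < 24 or length > len(packet):
        raise ValueError("bad Length field")
    auth_present = bool(b1 & 0x04)
    auth_type = 0
    if auth_present:
        if length < 26:  # Auth Type and Auth Len must at least fit
            raise ValueError("A bit set but no authentication section")
        auth_type = packet[24]
    return BfdHeader(b1 >> 6, bool(b1 & 0x20), bool(b1 & 0x10),
                     auth_present, bool(b1 & 0x02), auth_type)

def build_bfd(state, poll=False, final=False, demand=False, auth_type=0) -> bytes:
    """Build a control packet; the auth section, when present, is a zero-filled stub."""
    b1 = (state << 6) | (poll << 5) | (final << 4) | (bool(auth_type) << 2) | (demand << 1)
    auth = bytes([auth_type, 24]) + bytes(22) if auth_type else b""  # placeholder digest
    return struct.pack("!BBBBIIIII", 0x20, b1, 3, 24 + len(auth), 1, 2, 1000000, 1000000, 0) + auth

def significant_change(pkt: BfdHeader, prev: Optional[BfdHeader]) -> bool:
    """The draft's rule: a state change, a D bit change, or a P/F bit change."""
    if prev is None:
        return True  # first packet on a session is treated as a change
    return (pkt.state, pkt.demand, pkt.poll, pkt.final) != (prev.state, prev.demand, prev.poll, prev.final)

def accept(pkt: BfdHeader, prev: Optional[BfdHeader], session_auth_type: int) -> bool:
    """Receiver check: with bfd.AuthType non-zero a significant change MUST carry the A bit
    and the session's Auth Type; verifying the digest itself (RFC 5880 6.7) is not done here."""
    if not session_auth_type:
        return not pkt.auth_present  # RFC 5880 6.8.6: A bit set on an unauthenticated session is discarded
    if significant_change(pkt, prev):
        return pkt.auth_present and pkt.auth_type == session_auth_type
    return True  # no significant change: MAY arrive without the A bit
```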

   Most packets that are transmitted and received have no state change
   associated with them.  Limiting authentication to packets that affect
   a BFD session state allows more sessions to be supported with this
   optimized method of authentication.  Moreover, most BFD control