Network Working Group
Internet-Draft
Updates: 5880 (if approved)
Intended status: Standards Track
Expires: January 29, 2021

M. Jethanandani, Kloud Services
A. Mishra, SES Networks
A. Saxena, Ciena Corporation
M. Bhatia, Nokia
July 28, 2020
Optimizing BFD Authentication
draft-ietf-bfd-optimizing-authentication-11
Abstract
This document describes an optimization to BFD Authentication as
described in Section 6.7 of BFD RFC 5880. This document updates RFC
5880.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 29, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Jethanandani, et al. Expires January 29, 2021 [Page 1]
Internet-Draft BFD Authentication Optimization July 2020
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Authentication Mode . . . . . . . . . . . . . . . . . . . . . 4
3. NULL Auth Type . . . . . . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
6.1. Normative References . . . . . . . . . . . . . . . . . . 7
6.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Authenticating every BFD [RFC5880] control packet with a Simple
Password, with the MD5 Message-Digest Algorithm [RFC1321], or with the
Secure Hash Algorithm (SHA-1) is a computationally intensive process.
This makes it difficult, if not impossible, to authenticate every
packet, particularly at faster rates. Also, the recent escalating
series of attacks on MD5 and SHA-1 described in Finding Collisions in
the Full SHA-1 [SHA-1-attack1] and New Collision Search for SHA-1
[SHA-1-attack2] raise concerns about their remaining useful lifetime,
as outlined in Updated Security Considerations for the MD5
Message-Digest and the HMAC-MD5 Algorithm [RFC6151] and Security
Considerations for the SHA-0 and SHA-1 Message-Digest Algorithm
[RFC6194]. If these are replaced by stronger algorithms, the
computational overhead will make the task of authenticating every
packet even more difficult to achieve.
This document proposes that only BFD control packets that signal a
state change, a demand mode change (D bit change) or a poll sequence
change (P or F bit change) be categorized as a significant change.
This document also proposes that all BFD control packets which signal
a significant change MUST be authenticated if the session's
bfd.AuthType is non-zero. Other BFD control packets MAY be
transmitted and received without the A bit set.
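As an added example, not part of this draft or any BFD implementation, the following Python models the rule above: it decodes the fixed BFD control packet header defined in RFC 5880 and decides, for a session with non-zero bfd.AuthType, whether a packet must carry the A bit. It assumes that the first packet seen on a session counts as a significant change and that a packet failing the check is discarded; the authentication section itself is not verified.

```python
import struct

# Constructed model of the 24-byte BFD control packet header (RFC 5880,
# Section 4.1): Vers(3)|Diag(5), Sta(2)|P|F|C|A|D|M, Detect Mult, Length,
# then five 32-bit fields. The authentication section that follows the
# header when the A bit is set is not modelled here.
HEADER = struct.Struct("!BBBBIIIII")
SIGNIFICANT_FIELDS = ("state", "D", "P", "F")  # the draft's "significant change"

def parse_bfd_header(data: bytes) -> dict:
    """Decode the fixed header fields of a BFD control packet."""
    vd, flags, mult, length, my_disc, your_disc, tx, rx, echo = HEADER.unpack_from(data)
    return {"version": vd >> 5, "diag": vd & 0x1F, "state": flags >> 6,
            "P": bool(flags & 0x20), "F": bool(flags & 0x10),
            "C": bool(flags & 0x08), "A": bool(flags & 0x04),
            "D": bool(flags & 0x02), "M": bool(flags & 0x01),
            "detect_mult": mult, "length": length,
            "my_disc": my_disc, "your_disc": your_disc}

def build_bfd_header(state, P=False, F=False, A=False, D=False,
                     my_disc=1, your_disc=2) -> bytes:
    """Constructed test packet: version 1, diag 0, C and M clear."""
    flags = (state << 6) | (P << 5) | (F << 4) | (A << 2) | (D << 1)
    return HEADER.pack(1 << 5, flags, 3, HEADER.size, my_disc, your_disc,
                       1_000_000, 1_000_000, 0)

def is_significant_change(prev, cur) -> bool:
    """True when the session state, the D bit, or the P/F bits differ
    from the last packet received. Assumption: the first packet of a
    session is treated as a significant change."""
    if prev is None:
        return True
    return any(prev[k] != cur[k] for k in SIGNIFICANT_FIELDS)

def must_be_authenticated(auth_type: int, prev, cur) -> bool:
    """Sender-side rule: with non-zero bfd.AuthType, a packet carrying a
    significant change MUST be authenticated; others MAY go without A."""
    return auth_type != 0 and is_significant_change(prev, cur)

def accept_packet(auth_type: int, prev, data: bytes):
    """Receiver-side check, returning (accepted, header). A packet that
    signals a significant change but lacks the A bit is rejected when
    authentication is configured. Assumption: such packets are discarded
    as if authentication had failed; verifying the authentication
    section itself is outside this example."""
    cur = parse_bfd_header(data)
    if must_be_authenticated(auth_type, prev, cur) and not cur["A"]:
        return False, cur
    return True, cur
```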
Most packets that are transmitted and received have no state change
associated with them. Limiting authentication to packets that affect
a BFD session state allows more sessions to be supported with this
optimized method of authentication. Moreover, most BFD control