Secure BFD Sequence Numbers
draft-ietf-bfd-secure-sequence-numbers-06

Document Type Active Internet-Draft (bfd WG)
Last updated 2020-08-05
Replaces draft-sonal-bfd-secure-sequence-numbers
Stream IETF
Intended RFC status Proposed Standard
Formats plain text xml pdf htmlized (tools) htmlized bibtex
Stream WG state Held by WG
Other - see Comment Log
Document shepherd Reshad Rahman
Shepherd write-up Show (last changed 2020-06-14)
IESG IESG state I-D Exists
Consensus Boilerplate Yes
Telechat date
Responsible AD (None)
Send notices to Reshad Rahman <rrahman@cisco.com>
Network Working Group                                    M. Jethanandani
Internet-Draft                                            Kloud Services
Updates: 5880 (if approved)                                   S. Agarwal
Intended status: Standards Track                      Cisco Systems, Inc
Expires: February 6, 2021                                      A. Mishra
                                                            O3b Networks
                                                               A. Saxena
                                                       Ciena Corporation
                                                                A. Dekok
                                                     Network RADIUS SARL
                                                          August 5, 2020

                      Secure BFD Sequence Numbers
               draft-ietf-bfd-secure-sequence-numbers-06

Abstract

   This document describes a security enhancement for the sequence
   number used in BFD control packets.  This document updates RFC 5880.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 6, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect

Jethanandani, et al.    Expires February 6, 2021                [Page 1]
Internet-Draft        Securing next sequence number          August 2020

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   2
   3.  Theory of operation . . . . . . . . . . . . . . . . . . . . .   2
   4.  Impact of using a hash  . . . . . . . . . . . . . . . . . . .   4
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   BFD [RFC5880] section 6.7 describes the use of monotonically
   incrementing 32-bit sequence numbers for use in authentication of BFD
   packets.  While this method protects against simple replay attacks,
   the monotonically incrementing sequence numbers are predictable and
   vulnerable to more complex attack vectors.  This document proposes
   the use of non-monotonically-incrementing sequence numbers in the BFD
   authentication section to enhance the security of BFD sessions.
   Specifically, the document presents a method to generate pseudo-
   random sequence numbers on the frame by algorithmically hashing
   monotonically increasing sequence numbers.  Since the monotonically
   increasing sequence number does not appear on the wire, it is
   difficult for a third party to launch a replay attack.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Theory of operation

   Instead of inserting a monotonically, sometimes occasionally,
   increasing sequence number in BFD control packets, a hash is
   inserted.  The hash is computed, using a shared key, on the sequence
   number.  That computed hash is then inserted into the sequence number
   field of the packet.  In case of BFD Authentication
   [I-D.ietf-bfd-optimizing-authentication], the sequence number used in

Jethanandani, et al.    Expires February 6, 2021                [Page 2]
Show full document text