Side-by-side diff: draft-ietf-bfd-optimizing-authentication-02.txt vs. draft-ietf-bfd-optimizing-authentication-03.txt
(Where the two versions differ, the -02 text is marked "-02:" and the -03 text "-03:"; unmarked text is identical in both.)

Network Working Group                                   M. Jethanandani
Internet-Draft                                            Cisco Systems
Intended status: Standards Track                              A. Mishra
Expires: July 9, 2017 (-02) / December 29, 2017 (-03)
                              -02: Ciena Corporation / -03: O3b Networks
                                                              A. Saxena
                                                      Ciena Corporation
                                                              M. Bhatia
                                                         Ionos Networks
                           January 5, 2017 (-02) / June 27, 2017 (-03)

                      Optimizing BFD Authentication
       -02: draft-ietf-bfd-optimizing-authentication-02
       -03: draft-ietf-bfd-optimizing-authentication-03
Abstract

   This document describes an optimization to BFD Authentication as
   described in Section 6.7 of BFD [RFC5880].

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
[unchanged text skipped; next change at page 1, line 41 (-02) / line 42 (-03)]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 9, 2017 (-02) / December 29, 2017 (-03).
Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
[unchanged text skipped; next change at page 2, line 22 (-02) / line 25 (-03)]
Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . .  2
   2. Authentication Mode . . . . . . . . . . . . . . . . . . . .  3
   3. NULL Auth TLV . . . . . . . . . . . . . . . . . . . . . . .  4
   4. IANA Considerations . . . . . . . . . . . . . . . . . . . .  5
   5. Security Considerations . . . . . . . . . . . . . . . . . .  5
   6. References . . . . . . . . . . . . . . . . . . . . . . . .  5
      6.1. Normative References . . . . . . . . . . . . . . . . .  5
      6.2. Informative References . . . . . . . . . . . . . . . .  6
   Authors' Addresses . . . . . . . . . . . . . . .  7 (-02) / 8 (-03)
1. Introduction

   Authenticating every BFD [RFC5880] packet with a Simple Password,
   with the MD5 Message-Digest Algorithm [RFC1321], or with the Secure
   Hash Algorithm (SHA-1) is a computationally intensive process, making
   it difficult, if not impossible, to authenticate every packet,
   particularly at faster rates. Also, the recent escalating series of
   attacks on MD5 and SHA-1 [SHA-1-attack1] [SHA-1-attack2] raise
   concerns about their remaining useful lifetime as outlined in Updated
[unchanged text skipped; next change at page 4, line 45 (-02) / line 49 (-03)]
   Auth TL)

   Auth Len: The length of the NULL Auth TLV in bytes, i.e. 8 bytes.

   Auth Key ID: The authentication key ID in use for this packet. In
   [RFC5880] this field allows multiple keys to be active
   simultaneously; for the NULL Auth TLV it must be set to zero.

   Reserved: Reserved. Set to zero on transmit and ignored on receipt,
   as for the Reserved byte of the [RFC5880] authentication sections.

   Sequence Number: The sequence number for this packet.
     -02: This value is incremented for each successive packet
          transmitted for a session. This provides protection against
          replay attacks. Must use the same sequence number counter as
          the authenticated frames.
     -03: Implementations may use sequence numbers as defined in
          [RFC5880], or secure sequence numbers as defined in
          [I-D.ietf-bfd-secure-sequence-numbers].

   The NULL Auth TLV must be used for all frames that are not
   authenticated. This protects against replay attacks by allowing the
   session to maintain one incrementing sequence number across all
   frames (authenticated and unauthenticated).

   In the future, if a new scheme is adopted for changing the sequence
   number, this method can adopt the new scheme without any impact.
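   The following is an added example (not code from the draft or from
   any BFD implementation) showing what Section 3 requires of an
   implementation: a NULL Auth TLV encoder/decoder, a transmit side that
   draws the sequence number for authenticated and NULL-authenticated
   frames from one counter, and a receive side that applies the
   [RFC5880] Section 6.7.3 "meticulous" window check (RcvAuthSeq+1 ..
   RcvAuthSeq + 3*DetectMult, modulo 2^32) to both kinds of frame. Two
   things are assumed: the Auth Type code point for the NULL Auth TLV is
   not shown on this page, so 0xFF stands in for it, and the wire layout
   (Auth Type, Auth Len, Auth Key ID, Reserved, one byte each, then a
   32-bit Sequence Number) is inferred from the field list and the
   stated 8-byte length. The replayed frame in replay_demo() is
   constructed inline.

```python
"""NULL Auth TLV handling with a sequence counter shared by authenticated
and unauthenticated BFD frames. Added example; not the draft's code."""
import struct

# Assumption: the IANA Auth Type value for the NULL Auth TLV is not given
# on this page; 0xFF is a stand-in, not the assigned code point.
NULL_AUTH_TYPE = 0xFF
NULL_AUTH_LEN = 8          # Auth Len is fixed at 8 bytes (Section 3)
SEQ_MOD = 1 << 32          # RFC 5880 sequence arithmetic is modulo 2**32
# Assumed layout: Auth Type(1) Auth Len(1) Auth Key ID(1) Reserved(1) Seq(4)
_FMT = "!BBBBI"


def build_null_auth_tlv(seq):
    """Encode a NULL Auth TLV carrying sequence number `seq`."""
    # Auth Key ID must be zero; Reserved is sent as zero (RFC 5880 convention).
    return struct.pack(_FMT, NULL_AUTH_TYPE, NULL_AUTH_LEN, 0, 0, seq % SEQ_MOD)


def parse_null_auth_tlv(buf):
    """Validate a NULL Auth TLV and return its sequence number.

    Raises ValueError on a malformed field; the Reserved byte is ignored.
    """
    if len(buf) < NULL_AUTH_LEN:
        raise ValueError("truncated NULL Auth TLV")
    auth_type, auth_len, key_id, _reserved, seq = struct.unpack(_FMT, buf[:NULL_AUTH_LEN])
    if auth_type != NULL_AUTH_TYPE:
        raise ValueError("not a NULL Auth TLV (Auth Type %d)" % auth_type)
    if auth_len != NULL_AUTH_LEN:
        raise ValueError("bad Auth Len %d" % auth_len)
    if key_id != 0:
        raise ValueError("Auth Key ID must be zero for the NULL Auth TLV")
    return seq


class SessionTx:
    """Transmit side: one counter serves authenticated and NULL-auth frames."""

    def __init__(self, start=0):
        self.xmit_auth_seq = start % SEQ_MOD

    def next_seq(self):
        self.xmit_auth_seq = (self.xmit_auth_seq + 1) % SEQ_MOD
        return self.xmit_auth_seq


class SessionRx:
    """Receive side: RFC 5880 Section 6.7.3 meticulous window check.

    A frame is accepted only if its sequence number lies in
    RcvAuthSeq+1 .. RcvAuthSeq + 3*DetectMult (mod 2**32). The same state
    is consulted and updated whether the frame carried a real
    authentication section or a NULL Auth TLV.
    """

    def __init__(self, detect_mult=3):
        self.detect_mult = detect_mult
        self.auth_seq_known = False   # bfd.AuthSeqKnown
        self.rcv_auth_seq = 0         # bfd.RcvAuthSeq

    def accept(self, seq):
        if not self.auth_seq_known:   # first frame seeds the window
            self.auth_seq_known = True
            self.rcv_auth_seq = seq
            return True
        distance = (seq - self.rcv_auth_seq) % SEQ_MOD
        if 1 <= distance <= 3 * self.detect_mult:
            self.rcv_auth_seq = seq
            return True
        return False                  # replay (behind or equal) or too far ahead


def replay_demo():
    """Accept/reject decisions for a short exchange followed by a replay.

    Frames alternate NULL-auth / authenticated, all numbered from one
    counter that starts just below the 32-bit wrap. The attacker records
    the first NULL frame and replays it at the end.
    """
    tx, rx = SessionTx(start=0xFFFFFFFE), SessionRx(detect_mult=3)
    decisions, captured = [], None
    for i in range(5):
        seq = tx.next_seq()
        if i % 2 == 0:                       # unauthenticated frame, NULL Auth TLV
            frame = build_null_auth_tlv(seq)
            if captured is None:
                captured = frame             # attacker's copy (constructed here)
            decisions.append(rx.accept(parse_null_auth_tlv(frame)))
        else:                                # authenticated frame, same counter
            decisions.append(rx.accept(seq))
    decisions.append(rx.accept(parse_null_auth_tlv(captured)))  # replay: rejected
    return decisions


if __name__ == "__main__":
    print(replay_demo())
```

   The replay is rejected only because the NULL frame's sequence number
   comes from the same counter and updates the same RcvAuthSeq as the
   authenticated frames; with a separate counter for unauthenticated
   frames, a captured NULL frame could be replayed once the two counters
   diverged. Note what the check does not do: a NULL Auth TLV carries no
   authentication, so a forged NULL frame whose sequence number falls
   inside the window is accepted by this filter. That gap is the reason
   -03 allows the sequence number to be replaced by the secure sequence
   numbers of [I-D.ietf-bfd-secure-sequence-numbers].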
4. IANA Considerations
[unchanged text skipped; next change at page 5, line 42 (-02) / line 45 (-03)]
   [FIPS-180-2]
              National Institute of Standards and Technology, FIPS PUB
              180-2, "Secure Hash Standard (SHS)", August 2002.

   [FIPS-198]
              National Institute of Standards and Technology, FIPS PUB
              198, "The Keyed-Hash Message Authentication Code (HMAC)",
              March 2002.

   -02 only:
   [I-D.ashesh-bfd-stability]
              Mishra, A., Jethanandani, M., Saxena, A., Networks, J.,
              Chen, M., and P. Fan, "BFD Stability", draft-ashesh-bfd-
              stability-04 (work in progress), March 2016.

   [I-D.ietf-bfd-generic-crypto-auth]
              Bhatia, M., Manral, V., Zhang, D., and M. Jethanandani,
              "BFD Generic Cryptographic Authentication", draft-ietf-
              bfd-generic-crypto-auth-06 (work in progress), April 2014.

   -03 only:
   [I-D.ietf-bfd-secure-sequence-numbers]
              Jethanandani, M., Agarwal, S., Mishra, A., Saxena, A., and
              A. DeKok, "Secure BFD Sequence Numbers", draft-ietf-bfd-
              secure-sequence-numbers-00 (work in progress), May 2017.

   -03 only:
   [I-D.ietf-bfd-stability]
              Mishra, A., Jethanandani, M., Saxena, A., Networks, J.,
              Chen, M., and P. Fan, "BFD Stability", draft-ietf-bfd-
              stability-00 (work in progress), May 2017.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC6039]  Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues
              with Existing Cryptographic Protection Methods for Routing
              Protocols", RFC 6039, DOI 10.17487/RFC6039, October 2010,
              <http://www.rfc-editor.org/info/rfc6039>.
[unchanged text skipped; next change at page 8, line 14 (-02) / line 21 (-03)]
   Mahesh Jethanandani
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA 95134
   USA

   Phone: +1 (408) 526-8763
   Email: mjethanandani@gmail.com

   Ashesh Mishra
   -02: Ciena Corporation
        3939 North 1st Street
        San Jose, CA 95134
        USA
   -03: O3b Networks

   Email: mishra.ashesh@gmail.com

   Ankur Saxena
   Ciena Corporation
   3939 N 1st Street
   San Jose, CA 95134
   USA

   Email: ankurpsaxena@gmail.com
End of changes. 9 change blocks; 18 lines changed or deleted, 20 lines changed or added.

This HTML diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/