nanog mailing list archives

Re: Interesting BFD discussion on reddit


From: Saku Ytti <saku () ytti fi>
Date: Mon, 16 Feb 2015 00:25:40 +0200

On (2015-02-15 21:34 +0530), Dave Waters wrote:

Hey,

> http://www.reddit.com/r/networking/comments/2vxj9u/very_elegant_and_a_simple_way_to_secure_bfd/
>
> Authentication mechanisms defined for IGPs cannot be used to protect BFD
> since the rate at which packets are processed in BFD is very high.

Not sure I understand the draft[0] correctly, but I suppose it only protects
you from a forced state-change attack. An attacker can't force you to go from
up=>down or down=>up, but an attacker could force routers to keep BFD state?

I wonder if Trio, EZChip and friends could do SHA in the NPU; my guess is yes,
they could, but perhaps there is an even more appropriate hash for this use case.
I'm not entirely convinced that doing a hash for each BFD packet is impractical.

[0] http://www.ietf.org/id/draft-mahesh-bfd-authentication-00.txt
-- 
  ++ytti
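The concern raised in the message above, modelled as an added example (this is not code from the thread, the draft, or any vendor): an RFC 5880 BFD Control packet with a Keyed SHA1 authentication section, fed to two receivers. One authenticates every packet as RFC 5880 does; the other uses an assumed "state-change-only" policy in the spirit of the draft's motivation, authenticating a packet only when the advertised state differs from the last one accepted. The policy names, the shared key, the discriminators and the reduction of the session FSM to "track the peer's advertised state" are assumptions for illustration; the RFC 5880 sequence-number window is not modelled.

```python
import hashlib
import hmac
import struct

# Values from RFC 5880
STATE_ADMIN_DOWN, STATE_DOWN, STATE_INIT, STATE_UP = 0, 1, 2, 3
FLAG_A = 0x04                      # Authentication Present bit in the flags byte
AUTH_TYPE_KEYED_SHA1 = 4
AUTH_LEN_SHA1 = 28                 # type, len, key id, reserved, seq, 20-byte hash
MANDATORY_LEN = 24                 # mandatory section of a BFD Control packet
POLICY_ALWAYS = "always"           # RFC 5880 behaviour: every packet authenticated
POLICY_STATE_CHANGE_ONLY = "state_change_only"  # assumed policy, for illustration only


def _padded_key(key: bytes) -> bytes:
    # Keyed SHA1: the shared key is padded with trailing zeros to 20 bytes
    return key.ljust(20, b"\x00")[:20]


def build_control(state, my_disc, your_disc, key=None, key_id=1, seq=0,
                  detect_mult=3, interval_us=300_000):
    """Build a BFD Control packet; with a key, append a Keyed SHA1 auth section."""
    flags = (state << 6) | (FLAG_A if key is not None else 0)
    length = MANDATORY_LEN + (AUTH_LEN_SHA1 if key is not None else 0)
    hdr = struct.pack("!BBBBIIIII", 1 << 5, flags, detect_mult, length,
                      my_disc, your_disc, interval_us, interval_us, 0)
    if key is None:
        return hdr
    auth_prefix = struct.pack("!BBBBI", AUTH_TYPE_KEYED_SHA1, AUTH_LEN_SHA1, key_id, 0, seq)
    # The hash covers the whole packet with the key sitting where the hash will go
    digest = hashlib.sha1(hdr + auth_prefix + _padded_key(key)).digest()
    return hdr + auth_prefix + digest


def verify_keyed_sha1(pkt, key):
    """True if pkt carries a Keyed SHA1 section that verifies under key."""
    if len(pkt) != MANDATORY_LEN + AUTH_LEN_SHA1:
        return False
    if pkt[MANDATORY_LEN] != AUTH_TYPE_KEYED_SHA1 or pkt[MANDATORY_LEN + 1] != AUTH_LEN_SHA1:
        return False
    expected = hashlib.sha1(pkt[:MANDATORY_LEN + 8] + _padded_key(key)).digest()
    return hmac.compare_digest(pkt[MANDATORY_LEN + 8:], expected)


class Receiver:
    """Tracks the peer's advertised state; a simplified stand-in for the RFC 5880 FSM."""

    def __init__(self, key, policy):
        self.key = key
        self.policy = policy
        self.remote_state = STATE_UP    # session assumed already established
        self.keepalives_accepted = 0    # every acceptance would refresh the detection timer

    def receive(self, pkt):
        flags = pkt[1]
        state = flags >> 6
        auth_present = bool(flags & FLAG_A)
        needs_auth = self.policy == POLICY_ALWAYS or state != self.remote_state
        if needs_auth and not (auth_present and verify_keyed_sha1(pkt, self.key)):
            return False                # discarded, detection timer not refreshed
        self.remote_state = state
        self.keepalives_accepted += 1
        return True


def run_scenario(key=b"s3cret", wrong_key=b"guess"):
    """Feed the same spoofed and genuine packets to both policies; return what each accepted."""
    results = {}
    for policy in (POLICY_ALWAYS, POLICY_STATE_CHANGE_ONLY):
        rx = Receiver(key, policy)
        results[policy] = {
            # attacker without the key tries to force the session Down
            "spoofed_down_no_auth": rx.receive(build_control(STATE_DOWN, 0x1111, 0x2222)),
            # attacker with a wrong key tries the same
            "spoofed_down_wrong_key": rx.receive(
                build_control(STATE_DOWN, 0x1111, 0x2222, key=wrong_key, seq=7)),
            # attacker without the key keeps sending Up after the real peer has died
            "spoofed_up_no_auth": rx.receive(build_control(STATE_UP, 0x1111, 0x2222)),
            # genuine peer with the right key takes the session Down
            "genuine_down": rx.receive(build_control(STATE_DOWN, 0x1111, 0x2222, key=key, seq=8)),
        }
    return results


if __name__ == "__main__":
    for policy, outcome in run_scenario().items():
        print(policy, outcome)
```

Both receivers reject the forced Down, with or without a guessed key, and both accept the genuine authenticated Down. The difference is the unauthenticated Up: the always-authenticate receiver drops it, while the state-change-only receiver accepts it and refreshes its detection timer, so a spoofer who can keep sending "Up" can hold the session up after the real peer is gone, which is exactly the residual attack the message asks about.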
