Hi Stephen,
Thanks for your review and comments.
Please see inline.
Review result: Has Issues
I'm not sure if this is a real issue or not. If not, which is quite possible,
then this'd be ready.
I wondered if this setup might create potential reflection attacks, but am
not sure. The attack might happen if bad-device-A sends packets to B, as if
those are from real-A, and then B sends those back to real-A. If that could
happen, it would seem like a reflection attack vector that could be part of
a DoS. If that can't happen, it might be no harm to say why in the security
considerations section.
[XM]>>> In theory it would happen; however, in a real deployment I doubt it would. Currently we have two specific use cases for Unaffiliated BFD Echo: one is between the RG and the IP Edge (as described in Section 6.2.2 of BBF TR-146), and the other is between the DC Gateway and a VM on a server (as described in draft-wang-bfd-one-arm-use-case). For these two use cases it seems difficult for a bad-device-A to send packets to B. Furthermore, the security considerations section says "the "Authentication Section" as defined in [RFC5880] for BFD Control packet is RECOMMENDED to be included within the Unaffiliated BFD Echo packet". Is that an effective way to mitigate this kind of DoS attack?
Best Regards,
Xiao Min
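The reflection scenario and the Authentication Section mitigation discussed in this thread, as an added example that is not part of the draft, the thread, or any BFD implementation: a Python model of device B that loops an Unaffiliated BFD Echo packet back toward its IP source only after validating an RFC 5880 Keyed SHA1 Authentication Section (Auth Type 4), so a packet that bad-device-A sends with real-A's address as source but without the shared key is dropped instead of reflected. The packet layout, flag bit, and digest computation follow RFC 5880 sections 4.1 and 6.7.4; the addresses, discriminators, shared key, the replay check, and the assumption that the looping device parses and validates the section before looping (the quoted security considerations text only says the section is RECOMMENDED to be included) are constructed for this example.

```python
import hashlib
import hmac
import struct

# RFC 5880 constants used below
AUTH_TYPE_KEYED_SHA1 = 4   # Keyed SHA1 Authentication Section (RFC 5880, 6.7.4)
SHA1_AUTH_LEN = 28         # Auth Len for Keyed SHA1: 8-byte header + 20-byte digest
DIGEST_LEN = 20
FLAG_A = 0x04              # "Authentication Present" bit in the Sta/flags byte
MANDATORY_LEN = 24         # Mandatory section of a BFD Control packet (RFC 5880, 4.1)


def build_control_packet(my_disc, your_disc, key_id, seq, shared_key):
    """Build a BFD Control packet with a Keyed SHA1 Authentication Section.

    Per RFC 5880 6.7.4 the digest is SHA1 over the whole packet with the
    shared key (zero-padded to 20 bytes) in place of the digest field.
    """
    if len(shared_key) > DIGEST_LEN:
        raise ValueError("RFC 5880 Keyed SHA1 keys are at most 20 bytes")
    total_len = MANDATORY_LEN + SHA1_AUTH_LEN
    mandatory = struct.pack(
        "!BBBBIIIII",
        (1 << 5),            # Vers=1, Diag=0
        (3 << 6) | FLAG_A,   # Sta=Up (3), A bit set
        3,                   # Detect Mult
        total_len,           # Length
        my_disc, your_disc,
        1_000_000,           # Desired Min TX Interval (us)
        1_000_000,           # Required Min RX Interval (us)
        1_000_000,           # Required Min Echo RX Interval (us)
    )
    auth_hdr = struct.pack("!BBBBI", AUTH_TYPE_KEYED_SHA1, SHA1_AUTH_LEN, key_id, 0, seq)
    with_key = mandatory + auth_hdr + shared_key.ljust(DIGEST_LEN, b"\x00")
    digest = hashlib.sha1(with_key).digest()
    return mandatory + auth_hdr + digest


def verify_keyed_sha1(packet, shared_key):
    """Return True only if the packet carries a valid Keyed SHA1 section for shared_key."""
    if len(packet) != MANDATORY_LEN + SHA1_AUTH_LEN:
        return False
    if packet[3] != len(packet) or not (packet[1] & FLAG_A):
        return False
    auth_type, auth_len, _key_id, _rsvd, _seq = struct.unpack(
        "!BBBBI", packet[MANDATORY_LEN:MANDATORY_LEN + 8])
    if auth_type != AUTH_TYPE_KEYED_SHA1 or auth_len != SHA1_AUTH_LEN:
        return False
    received = packet[-DIGEST_LEN:]
    expected = hashlib.sha1(packet[:-DIGEST_LEN] + shared_key.ljust(DIGEST_LEN, b"\x00")).digest()
    return hmac.compare_digest(received, expected)


class EchoLooper:
    """Model of device B (an assumption for this example): it loops an Echo packet
    back to its IP source only after the Authentication Section verifies and the
    sequence number has not gone backwards (non-meticulous Keyed SHA1 allows equal)."""

    def __init__(self, shared_key):
        self.shared_key = shared_key
        self.last_seq = {}  # Auth Key ID -> last accepted sequence number

    def loop_back(self, src_ip, dst_ip, payload):
        if not verify_keyed_sha1(payload, self.shared_key):
            return None  # drop: no valid key, so nothing is reflected toward src_ip
        key_id = payload[MANDATORY_LEN + 2]
        seq = struct.unpack("!I", payload[MANDATORY_LEN + 4:MANDATORY_LEN + 8])[0]
        if seq < self.last_seq.get(key_id, 0):
            return None  # drop: replayed or stale sequence number
        self.last_seq[key_id] = seq
        return (dst_ip, src_ip, payload)  # addresses swapped: sent back to the source


# Constructed sample traffic: real-A and device B share KEY; bad-device-A does not.
KEY = b"constructed-key"
REAL_A, DEVICE_B = "192.0.2.1", "192.0.2.2"


def demo():
    b = EchoLooper(KEY)
    genuine = build_control_packet(0x1001, 0, 1, 10, KEY)
    spoofed = build_control_packet(0x1001, 0, 1, 11, b"guessed")  # wrong key, src forged as real-A
    stale = build_control_packet(0x1001, 0, 1, 9, KEY)            # valid key, older sequence number
    return (
        b.loop_back(REAL_A, DEVICE_B, genuine),  # reflected to real-A as intended
        b.loop_back(REAL_A, DEVICE_B, spoofed),  # dropped: attacker cannot forge the digest
        b.loop_back(REAL_A, DEVICE_B, stale),    # dropped: replay of an earlier packet
    )


if __name__ == "__main__":
    for outcome in demo():
        print("reflected" if outcome else "dropped")
```

The check only removes the reflection vector if the device doing the looping is the one that parses and verifies the section; in this model that is B. If the looping device forwarded the packet at the IP layer without looking inside it, the digest real-A includes would not stop a forged packet from being turned around, so the useful question for the security considerations text is which device validates the section, not only which device adds it.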
-- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx