Hiya,
On 10/8/24 08:56, xiao.min2@xxxxxxxxxx wrote:
[XM]>>> In theory it would happen; however, in a real deployment I doubt it would happen. Currently we have two specific use cases of the Unaffiliated BFD Echo: one is between RG and IP Edge (as described in Section 6.2.2 of BBF TR-146), another one is between DC Gateway and VM of Server (as described in draft-wang-bfd-one-arm-use-case). For the two use cases it seems difficult for a bad-device-A to send packets to B.

Well, if it's only "difficult" then that'd imply it's possible in some configurations and hence worth at least noting.

I don't really understand the 1st example you give, but in the 2nd, if another VM (as bad-device-A) in a data centre can send to B then the attack may be realistic perhaps?

[XM]>>> Furthermore, in the security considerations section it says "the "Authentication Section" as defined in [RFC5880] for BFD Control packet is RECOMMENDED to be included within the Unaffiliated BFD Echo packet". Is that an effective way to mitigate this kind of DoS attack?

I'm not sure. I wasn't clear if you expect B to validate that control packet or not, but my assumption was that B is not likely to, given it only does the echo thing. If real-A does validate that's something, but the reflection attack has already happened at that point (if there is an attack).
Cheers,
S.
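The point in the reply above is that the RFC 5880 Authentication Section only helps against the reflection if the looping-back device B actually checks it before sending the packet back. The following is an added illustration of what such a check at B would look like; it is not code from the draft, from the thread participants, or from any BFD implementation. It assumes the Keyed SHA1 layout of RFC 5880 (Auth Type 4, Auth Len 28, key padded with zeros to 20 bytes and hashed together with the whole Control packet, sequence number accepted within a window of 3 times Detect Mult), and the key, key ID, and discriminators are constructed sample values.

```python
"""Check the RFC 5880 Keyed SHA1 Authentication Section of a BFD Control
packet before reflecting it as an Unaffiliated BFD Echo (added example).
"""
import hashlib
import hmac
import struct

# Assumed RFC 5880 constants: Keyed SHA1 is Auth Type 4 with a 28-byte section.
AUTH_TYPE_KEYED_SHA1 = 4
AUTH_LEN_KEYED_SHA1 = 28
MANDATORY_LEN = 24          # size of the mandatory BFD Control header
A_BIT = 0x04                # "Authentication Present" flag in byte 1


def _padded_key(key: bytes) -> bytes:
    """RFC 5880 hashes the packet with the key padded/truncated to 20 bytes."""
    return key[:20].ljust(20, b"\x00")


def build_authenticated_packet(my_disc, your_disc, seq, key_id, key, detect_mult=3):
    """Build a BFD Control packet (state Up) carrying a Keyed SHA1 section.
    Used here only to produce sample input for the verifier below."""
    length = MANDATORY_LEN + AUTH_LEN_KEYED_SHA1
    header = struct.pack(
        "!BBBBIIIII",
        (1 << 5),                 # version 1, diag 0
        (3 << 6) | A_BIT,         # state Up, A bit set
        detect_mult, length,
        my_disc, your_disc,
        1_000_000, 1_000_000, 1_000_000,   # min TX / min RX / min echo RX (us)
    )
    auth_hdr = struct.pack("!BBBBI", AUTH_TYPE_KEYED_SHA1, AUTH_LEN_KEYED_SHA1, key_id, 0, seq)
    digest = hashlib.sha1(header + auth_hdr + _padded_key(key)).digest()
    return header + auth_hdr + digest


def verify_authenticated_packet(pkt: bytes, keys: dict, last_seq_seen: dict):
    """Return (ok, reason). `keys` maps key ID -> shared secret; `last_seq_seen`
    maps key ID -> last accepted sequence number and is updated on success.
    A device that loops packets back should drop anything that fails here."""
    if len(pkt) < MANDATORY_LEN:
        return False, "too short"
    if not (pkt[1] & A_BIT):
        return False, "A bit not set"
    if pkt[3] != len(pkt):
        return False, "length field mismatch"
    if len(pkt) != MANDATORY_LEN + AUTH_LEN_KEYED_SHA1:
        return False, "unexpected auth length"
    auth_type, auth_len, key_id, _reserved, seq = struct.unpack("!BBBBI", pkt[24:32])
    if auth_type != AUTH_TYPE_KEYED_SHA1 or auth_len != AUTH_LEN_KEYED_SHA1:
        return False, "unsupported auth type"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    received = pkt[32:52]
    expected = hashlib.sha1(pkt[:32] + _padded_key(key)).digest()
    if not hmac.compare_digest(received, expected):
        return False, "bad digest"
    # Non-meticulous Keyed SHA1: sequence may repeat but must stay within
    # [last, last + 3 * Detect Mult] in the 32-bit circular space.
    last = last_seq_seen.get(key_id)
    if last is not None:
        window = 3 * pkt[2]
        if (seq - last) % (1 << 32) > window:
            return False, "sequence outside window"
    last_seq_seen[key_id] = seq
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-secret"          # sample key, not a real deployment value
    keys = {7: secret}
    seen = {}
    good = build_authenticated_packet(0x11111111, 0x22222222, 100, 7, secret)
    print(verify_authenticated_packet(good, keys, seen))
    tampered = bytearray(good); tampered[8] ^= 0xFF
    print(verify_authenticated_packet(bytes(tampered), keys, seen))
```

The digest covers the discriminators and the sequence number, so a packet forged or altered by a third device is dropped before it is reflected; the sequence window limits replay of a captured packet. Note that this only holds if B actually runs the check: a device that simply swaps addresses and loops the packet back gains nothing from the section being present.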
--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx