Hi Stephen,

On Mon, Oct 07, 2024 at 09:48:56AM -0700, Stephen Farrell via Datatracker wrote:
> Reviewer: Stephen Farrell
> Review result: Has Issues
>
> I'm not sure if this is a real issue or not. If not, which is quite
> possible, then this'd be ready.
>
> I wondered if this setup might create potential reflection attacks, but
> am not sure. The attack might happen if bad-device-A sends packets to B,
> as if those are from real-A, and then B sends those back to real-A. If
> that could happen, it would seem like a reflection attack vector that
> could be part of a DoS. If that can't happen, it might be no harm to
> say why in the security considerations section.

The "Unaffiliated BFD Echo" method makes use of normal IP routing, i.e., forwarding of IP packets by routers. It is nothing new that a router can send an IP packet received on a given interface out the same interface. Sending an IP packet to a router with the intent that the router forwards this packet towards its destination is not usually considered a "reflection attack."

The "Security Considerations" section already addresses spoofed BFD Echo packets and recommends the use of BFD authentication to mitigate this. It does this explicitly in addition to referencing the BFD specification.

As such, I do not see a new issue introduced by "Unaffiliated BFD Echo."

Br,
Erik