Hi Stephen,
Please see inline.
Original
From: StephenFarrell <stephen.farrell@xxxxxxxxx>
To: 肖敏10093570;
Cc: secdir@xxxxxxxx <secdir@xxxxxxxx>;draft-ietf-bfd-unaffiliated-echo.all@xxxxxxxx <draft-ietf-bfd-unaffiliated-echo.all@xxxxxxxx>;last-call@xxxxxxxx <last-call@xxxxxxxx>;rtg-bfd@xxxxxxxx <rtg-bfd@xxxxxxxx>;
Date: 2024-10-08 20:34
Subject: [Last-Call] Re: Secdir last call review of draft-ietf-bfd-unaffiliated-echo-11
Hiya,
On 10/8/24 08:56, xiao.min2@xxxxxxxxxx wrote:
> [XM]>>> In theory it would happen, however in real deployments I
> doubt it would happen. Currently we have two specific use cases of
> the Unaffiliated BFD Echo, one is between RG and IP Edge (as
> described in Section 6.2.2 of BBF TR-146), another one is between DC
> Gateway and VM of Server (as described in draft-wang-bfd-one-arm-use-
> case). For the two use cases it seems difficult for a bad-device-A
> to send packets to B.
Well, if it's only "difficult" then that'd imply it's possible
in some configurations and hence worth at least noting.
I don't really understand the 1st example you give, but in the
2nd, if another VM (as bad-device-A) in a data centre can send
to B then the attack may be realistic perhaps?
[XM]>>> In the 2nd example, device A is DC Gateway and device B is VM, so VM can't be a bad-device-A.
> section it says "the "Authentication Section" as defined in
> [RFC5880] for BFD Control packet is RECOMMENDED to be included
> within the Unaffiliated BFD Echo packet", is that an effective way
> to mitigate this kind of DoS attack?
I'm not sure. I wasn't clear if you expect B to validate that
control packet or not, but my assumption was that B is not
likely to, given it only does the echo thing. If real-A does
validate that's something, but the reflection attack has already
happened at that point (if there is an attack).
[XM]>>> You may want to read what Erik Auerswald said in his post. I fully agree with him. To address your comments, I propose to add some text as below.
OLD
As specified in Section 5 of [RFC5880], since BFD Echo packets may be spoofed, some form of authentication SHOULD be included.
NEW
As specified in Section 5 of [RFC5880], BFD Echo packets may be spoofed. Specifically for Unaffiliated BFD Echo, a DoS attacker may send spoofed Unaffiliated BFD Echo packets to the loop-back device, so some form of authentication SHOULD be included.
Best Regards,
Xiao Min
Cheers,
S.
--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
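The exchange discussed in the thread above, as an added example that is not part of the original mail, of the draft, or of any implementation: a Python model in which device A builds an Unaffiliated BFD Echo packet (a BFD Control packet on UDP port 3785) carrying an RFC 5880 Keyed SHA1 Authentication Section, device B forwards the packet back by plain IP forwarding with no BFD processing, and A validates what comes back. The addresses, the key, the discriminator value, the choice to carry A's discriminator in both discriminator fields, and the strictly increasing sequence-number check are assumptions made for this example. It shows why the Authentication Section helps A discard spoofed or replayed echo packets but gives B nothing to refuse them with, since B never looks inside the packet.

```python
import hashlib
import hmac
import struct

# Packet layout follows RFC 5880 Sections 4.1 (mandatory section) and 4.4
# (Keyed SHA1 Authentication Section). Everything else here is a constructed
# model, not code from the draft or from any BFD implementation.
BFD_ECHO_PORT = 3785
AUTH_KEYED_SHA1 = 4
AUTH_LEN_SHA1 = 28          # Auth Type, Auth Len, Key ID, Reserved, Seq, 20-byte digest
CTRL_LEN = 24               # mandatory section of a BFD Control packet
FLAG_A = 0x04               # "A" (Authentication Present) bit in the second octet
DIGEST_OFF = CTRL_LEN + 8   # offset of the Auth Key/Digest field


def _key_field(key: bytes) -> bytes:
    # RFC 5880 6.7.4: the digest is computed with the Auth Key/Digest field
    # holding the shared secret, padded with trailing zeros to 20 octets.
    return key[:20].ljust(20, b"\0")


def build_echo(my_disc: int, key_id: int, seq: int, key: bytes) -> bytes:
    """Device A builds an Unaffiliated BFD Echo packet with Keyed SHA1 auth."""
    # Assumption: A puts its own discriminator in both discriminator fields so
    # it can recognise the looped-back packet; timers are local to A, so the
    # interval fields are left at zero.
    ctrl = struct.pack("!BBBBIIIII",
                       1 << 5,                    # Vers=1, Diag=0
                       (3 << 6) | FLAG_A,         # Sta=Up, A bit set
                       3,                         # Detect Mult
                       CTRL_LEN + AUTH_LEN_SHA1,  # Length
                       my_disc, my_disc, 0, 0, 0)
    auth = struct.pack("!BBBBI", AUTH_KEYED_SHA1, AUTH_LEN_SHA1, key_id, 0, seq)
    digest = hashlib.sha1(ctrl + auth + _key_field(key)).digest()
    return ctrl + auth + digest


def verify_echo(pkt: bytes, my_disc: int, keys: dict, last_seq: int):
    """Device A checks a packet that came back on UDP/3785. Returns (ok, reason)."""
    if len(pkt) != CTRL_LEN + AUTH_LEN_SHA1 or pkt[3] != len(pkt):
        return False, "bad length"
    if not pkt[1] & FLAG_A:
        return False, "no authentication section"
    your_disc = struct.unpack_from("!I", pkt, 8)[0]
    if your_disc != my_disc:
        return False, "discriminator is not ours"
    atype, alen, key_id, _reserved, seq = struct.unpack_from("!BBBBI", pkt, CTRL_LEN)
    if atype != AUTH_KEYED_SHA1 or alen != AUTH_LEN_SHA1:
        return False, "unsupported auth type"
    if key_id not in keys:
        return False, "unknown key id"
    # Simplified replay check (assumption): require a strictly increasing
    # sequence number, as for the Meticulous variant; RFC 5880 allows a window
    # for the non-meticulous type.
    if seq <= last_seq:
        return False, "replayed sequence number"
    expected = hashlib.sha1(pkt[:DIGEST_OFF] + _key_field(keys[key_id])).digest()
    if not hmac.compare_digest(expected, pkt[DIGEST_OFF:]):
        return False, "bad digest"
    return True, "ok"


def device_b_forward(ip_pkt):
    """Device B has no BFD session: it forwards by destination address only,
    whether the UDP/3785 payload is genuine, forged or replayed."""
    _src, dst, payload = ip_pkt
    return dst, payload


def run_scenario():
    # Constructed addresses and key: A runs the echo, V is a bystander, C attacks.
    A, V, C = "10.0.0.1", "10.0.0.9", "10.0.0.7"
    disc, keys = 0x1234, {1: b"s3cret"}

    # Genuine echo: src and dst are A's own address, next hop is B, B forwards it back.
    genuine = build_echo(disc, 1, 10, keys[1])
    _dst, payload = device_b_forward((A, A, genuine))
    genuine_ok, _ = verify_echo(payload, disc, keys, last_seq=9)

    # C forges an echo-looking packet with a guessed key; B forwards it to A,
    # and only A's digest check rejects it.
    forged = build_echo(disc, 1, 11, b"guess")
    _dst, payload = device_b_forward((A, A, forged))
    forged_ok, forged_reason = verify_echo(payload, disc, keys, last_seq=10)

    # C replays the genuine packet: digest is valid, sequence number is stale.
    replay_ok, _ = verify_echo(genuine, disc, keys, last_seq=10)

    # C aims a spoofed echo at V through B: B forwards it regardless of content.
    reflected_to, _ = device_b_forward((C, V, forged))

    return {"genuine_ok": genuine_ok, "forged_ok": forged_ok,
            "forged_reason": forged_reason, "replay_ok": replay_ok,
            "reflected_to": reflected_to}


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is in `device_b_forward`: it never calls `verify_echo`, because in the unaffiliated case B has no session, no key and no reason to parse the payload, so whatever mitigation the Authentication Section provides is applied only at A, after B has already forwarded the packet.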