[178106] in North American Network Operators' Group

Re: Interesting BFD discussion on reddit

daemon@ATHENA.MIT.EDU (Saku Ytti)
Sun Feb 15 17:25:47 2015

X-Original-To: nanog@nanog.org
Date: Mon, 16 Feb 2015 00:25:40 +0200
From: Saku Ytti <saku@ytti.fi>
To: nanog@nanog.org
In-Reply-To: <CAARSoVzjf9n_2sYmuOMVRzx=Q7kAWXjgyGRC2PmkgwU-Nt_B=w@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On (2015-02-15 21:34 +0530), Dave Waters wrote:

Hey,

> http://www.reddit.com/r/networking/comments/2vxj9u/very_elegant_and_a_simple_way_to_secure_bfd/
> 
> Authentication mechanisms defined for IGPs cannot be used to protect BFD
> since the rate at which packets are processed in BFD is very high.

Not sure I understand the draft[0] correctly, but I suppose it only protects
you from a forced state-change attack. An attacker can't force you to go from
up=>down or down=>up, but could an attacker force routers to keep BFD state?

I wonder if Trio, EZChip and friends could do SHA in the NPU; my guess is yes, they
could, but perhaps there is an even more appropriate hash for this use case.
I'm not entirely convinced that doing a hash for each BFD packet is impractical.

[0] http://www.ietf.org/id/draft-mahesh-bfd-authentication-00.txt
-- 
  ++ytti
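An added illustration of the concern raised in this reply, not code from the thread or from the draft: it builds RFC 5880 BFD control packets with a Meticulous Keyed SHA1 section and compares two receiver policies. The "verify only packets that would change session state" policy is an assumed simplification of the draft as read above; the key and discriminators are constructed values.

```python
import hashlib
import struct

# BFD session states carried in the "Sta" field (RFC 5880 section 4.1).
DOWN, INIT, UP = 1, 2, 3
AUTH_METICULOUS_KEYED_SHA1 = 5   # Auth Type, RFC 5880 section 4.4
AUTH_LEN = 28                    # 8-byte auth header + 20-byte digest
A_BIT = 0x04                     # "Authentication Present" flag in byte 1

def _padded(key):
    # RFC 5880 keys are at most 20 bytes; pad/truncate to the digest width.
    return key.ljust(20, b"\0")[:20]

def build_packet(state, my_disc, your_disc, key=None, key_id=1, seq=0):
    """24-byte BFD control packet; with a key, append a Meticulous Keyed
    SHA1 section (digest = SHA1 over the packet with the key in the hash
    slot, RFC 5880 section 6.7.4). Intervals are constructed: 1 s."""
    length = 24 + (AUTH_LEN if key else 0)
    flags = (state << 6) | (A_BIT if key else 0)
    hdr = struct.pack("!BBBBIIIII", 0x20, flags, 3, length,
                      my_disc, your_disc, 1_000_000, 1_000_000, 0)
    if key is None:
        return hdr
    auth_hdr = struct.pack("!BBBBI", AUTH_METICULOUS_KEYED_SHA1, AUTH_LEN,
                           key_id, 0, seq)
    digest = hashlib.sha1(hdr + auth_hdr + _padded(key)).digest()
    return hdr + auth_hdr + digest

def verify(packet, key):
    """True only if the packet carries a valid keyed-SHA1 section."""
    if len(packet) != 52 or not packet[1] & A_BIT:
        return False
    if packet[24] != AUTH_METICULOUS_KEYED_SHA1 or packet[25] != AUTH_LEN:
        return False
    body, digest = packet[:32], packet[32:]
    return hashlib.sha1(body + _padded(key)).digest() == digest

def accept(packet, session_state, key, authenticate_all):
    """Receiver policy. authenticate_all=False models the reading above:
    only a packet that would move the session state is checked, so an
    unauthenticated packet repeating the current state is still accepted.
    Returns (accepted, resulting_state)."""
    state = packet[1] >> 6
    if authenticate_all or state != session_state:
        if not verify(packet, key):
            return False, session_state
    return True, state
```

Running the two policies against an unauthenticated packet that merely repeats the current Up state shows the difference the mail points at: per-packet verification rejects it, state-change-only verification lets the session stay Up.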