Interesting BFD discussion on reddit
- Subject: Interesting BFD discussion on reddit
- From: saku at ytti.fi (Saku Ytti)
- Date: Mon, 16 Feb 2015 00:25:40 +0200
- In-reply-to: <CAARSoVzjf9n_2sYmuOMVRzx=Q7kAWXjgyGRC2PmkgwU-Nt_B=w@mail.gmail.com>
- References: <CAARSoVzjf9n_2sYmuOMVRzx=Q7kAWXjgyGRC2PmkgwU-Nt_B=w@mail.gmail.com>
On (2015-02-15 21:34 +0530), Dave Waters wrote:
Hey,
> http://www.reddit.com/r/networking/comments/2vxj9u/very_elegant_and_a_simple_way_to_secure_bfd/
>
> Authentication mechanisms defined for IGPs cannot be used to protect BFD
> since the rate at which packets are processed in BFD is very high.

Not sure I understand the draft[0] correctly, but I suppose it only protects
you from a forced state-change attack. An attacker can't force you to go from
up=>down or down=>up, but an attacker could force routers to keep BFD state?

I wonder if Trio, EZChip and friends could do SHA in the NPU; my guess is yes, they
could, but perhaps there is an even more appropriate hash for this use case.

I'm not entirely convinced that doing a hash for each BFD packet is impractical.

[0] http://www.ietf.org/id/draft-mahesh-bfd-authentication-00.txt
--
++ytti