Interesting BFD discussion on reddit

Saku Ytti saku at ytti.fi
Sun Feb 15 22:25:40 UTC 2015


On (2015-02-15 21:34 +0530), Dave Waters wrote:

Hey,

> http://www.reddit.com/r/networking/comments/2vxj9u/very_elegant_and_a_simple_way_to_secure_bfd/
> 
> Authentication mechanisms defined for IGPs cannot be used to protect BFD
> since the rate at which packets are processed in BFD is very high.

Not sure I understand the draft[0] correctly, but I suppose it only protects
you from a forced state-change attack. An attacker can't force you to go from
up=>down or down=>up, but an attacker could force routers to keep BFD state?

I wonder if Trio, EZChip and friends could do SHA in the NPU; my guess is yes, they
could, but perhaps there is an even more appropriate hash for this use case.
I'm not entirely convinced that doing a hash for each BFD packet is impractical.

[0] http://www.ietf.org/id/draft-mahesh-bfd-authentication-00.txt
-- 
  ++ytti
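For readers who want to see what "a hash for each BFD packet" actually involves, here is an added example (not part of the mailing-list post, and not code from any vendor or from the draft discussed above). It builds and verifies BFD control packets using the Meticulous Keyed SHA1 authentication section from RFC 5880, which is the per-packet hashing scheme that already exists for BFD: the 20-byte shared key is placed in the Auth Key/Digest field, SHA1 is computed over the whole packet, and the digest replaces the key. The timer values, discriminators and the key are constructed, the verifier is a single-session simplification (no sequence-number wrap handling), and the timing function only gives a feel for the per-packet cost in pure Python, not what an NPU would achieve.

```python
import hashlib
import hmac
import struct
import time

# Layout follows RFC 5880: 24-byte mandatory section (section 4.1) followed
# by the 28-byte Keyed/Meticulous Keyed SHA1 authentication section (4.4).
STATE_DOWN, STATE_INIT, STATE_UP = 1, 2, 3
FLAG_A = 0x04                      # "Authentication Present" bit in byte 1
AUTH_TYPE_METICULOUS_KEYED_SHA1 = 5
MANDATORY_LEN = 24
AUTH_LEN = 28                      # type, len, key id, reserved, seq(4), digest(20)
DIGEST_LEN = 20


def _keyed_input(pkt_without_digest, key):
    # The digest is computed over the whole packet with the shared key
    # (zero-padded to 20 bytes) sitting in the Auth Key/Digest field.
    return pkt_without_digest + key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def bfd_packet(state, my_disc, your_disc, detect_mult, seq, key_id, key):
    """Build one authenticated BFD control packet (constructed timer values)."""
    length = MANDATORY_LEN + AUTH_LEN
    mandatory = struct.pack(
        "!BBBBIIIII",
        (1 << 5) | 0,              # Vers=1, Diag=0
        (state << 6) | FLAG_A,     # Sta in the top two bits, A bit set
        detect_mult, length,
        my_disc, your_disc,
        1_000_000, 1_000_000, 0,   # Desired Min TX, Required Min RX, Echo RX (us)
    )
    auth_hdr = struct.pack("!BBBBI", AUTH_TYPE_METICULOUS_KEYED_SHA1,
                           AUTH_LEN, key_id, 0, seq)
    digest = hashlib.sha1(_keyed_input(mandatory + auth_hdr, key)).digest()
    return mandatory + auth_hdr + digest


class BfdAuthVerifier:
    """Receive-side checks for one session: window, digest, then seq update."""

    def __init__(self, keys):
        self.keys = keys           # key id -> shared key (constructed here)
        self.last_seq = None       # bfd.RcvAuthSeq; None until the first packet

    def verify(self, pkt):
        if len(pkt) < MANDATORY_LEN + AUTH_LEN or pkt[3] != len(pkt):
            return False, "length"
        if not pkt[1] & FLAG_A:
            return False, "no auth section"
        detect_mult = pkt[2]
        atype, alen, key_id, _, seq = struct.unpack("!BBBBI", pkt[24:32])
        if atype != AUTH_TYPE_METICULOUS_KEYED_SHA1 or alen != AUTH_LEN:
            return False, "auth type"
        # Meticulous mode accepts only last+1 .. last+3*DetectMult, so a
        # replayed or stale packet is dropped before any hashing is done.
        # (Sequence-number wrap-around is ignored in this simplification.)
        if self.last_seq is not None and not (
                self.last_seq < seq <= self.last_seq + 3 * detect_mult):
            return False, "sequence"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        expected = hashlib.sha1(_keyed_input(pkt[:32], key)).digest()
        if not hmac.compare_digest(expected, pkt[32:52]):
            return False, "bad digest"
        self.last_seq = seq
        return True, "ok"


def per_packet_verify_cost_us(n=20000):
    """Microseconds per verified packet in pure Python (rough feel only)."""
    key = b"constructed-key"
    pkts = [bfd_packet(STATE_UP, 1, 2, 3, i, 1, key) for i in range(1, n + 1)]
    v = BfdAuthVerifier({1: key})
    t0 = time.perf_counter()
    for p in pkts:
        v.verify(p)
    return (time.perf_counter() - t0) * 1e6 / n


if __name__ == "__main__":
    print("SHA1-authenticated BFD verify: %.1f us/packet"
          % per_packet_verify_cost_us())
```

The two checks are deliberately ordered so that the cheap sequence-window test rejects replays before SHA1 runs, and a packet whose state field has been changed without the key fails the digest comparison, which is the forced state-change case the thread is about. The measured figure shows the hash itself is a small fraction of a typical BFD interval even without hardware help, though a real implementation also has to account for packet parsing, timers and key lookup.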
