Re: Authentication Question

To: Shahram Davari <davari at broadcom.com>
Subject: Re: Authentication Question
From: Dave Katz <dkatz at juniper.net>
Date: Mon, 17 Aug 2009 22:34:35 -0600
Cc: "rtg-bfd at ietf.org" <rtg-bfd at ietf.org>
Delivered-to: rtg-bfd at core3.amsl.com
In-reply-to: <2C2F1EBA8050E74EA81502D5740B4BD681573708D8 at SJEXCHCCR02.corp.ad.broadcom.com>
List-archive: <http://www.ietf.org/mail-archive/web/rtg-bfd>
List-help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-post: <mailto:rtg-bfd@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
References: <77ead0ec0908171649h67a18ec4ic76d0a48f6f92013 at mail.gmail.com> <2C2F1EBA8050E74EA81502D5740B4BD681573708D8 at SJEXCHCCR02.corp.ad.broadcom.com>

On Aug 17, 2009, at 7:23 PM, Shahram Davari wrote:

Hi,

For BFD processing, the Base text says:
"If the A bit is set and no authentication is in use (bfd.AuthTypeis zero), the packet MUST be discarded."
Isn't the bdf.AuthType set based on the A bit? If so then isn't thisstatement a circular logic? Shouldn't it be changed to:
"If the A bit is set and no authentication is in use (Authenticationheader is not present), the packet MUST be discarded."

No. bfd.AuthType is the local authentication setting; the text yourefer to deals with received packet processing. The check ensuresthat if the remote system is specifying authentication (A bit set) butthe local system isn't doing authentication (bfd.AuthType is zero) thepacket is tossed.

The Authentication Header consistency check with the A bit comes a bitearlier in the acceptance tests (by examining the packet length.)

And a general question. Since each packet is Authenticated on itsown, can Authentication type change in the middle of a Session? Orcan some BFD packets be transmitted with Authentication and somewithout (off course with proper setting of A flag)?

No, because bfd.AuthType is going to be static and unsynchronized withthe far end. See section 6.7.1 for a discussion on enabling anddisabling authentication.


--Dave


Thanks,
Shahram

References:
- BFD For MPLS LSPs
  - From: Vishwas Manral
- Authentication Question
  - From: Shahram Davari

Prev by Date: Re: Authentication Question
Next by Date: BFD Authentication
Previous by thread: Re: Authentication Question
Next by thread: Re: BFD For MPLS LSPs
Index(es):
- Date
- Thread

Re: Authentication Question

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.