[ixpmanager] BFD on Route Servers

Richard Laager rlaager at wiktel.com
Sun Jun 11 21:27:56 IST 2023


On 2023-06-08 01:53, André Grüneberg wrote:
> In case you feel lucky to enable unauthenticated BFD (I wouldn't),

How is unauthenticated BFD making security significantly worse?

Right now, you could simply ARP poison or whatever on the fabric, and 
people would have a bad time. I take your point on that more generally 
(i.e. maybe we should configure anti-spoofing ACLs, possibly with 
automation from IXP Manager), but that doesn't seem specific to BFD or 
something we need to solve as part of a BFD pull request.


> During Euro-IX in May 2022 we recommended to use an interval of 1s and 
> a multiplier of 5. Part of the rationale are platform convergence time 
> and recommendations from RFC7419 
> <https://datatracker.ietf.org/doc/rfc7419/>.

If I'm understanding you correctly, you are recommending 1s because of 
RFC7419. If I understand RFC7419 correctly, it is attempting to 
standardize supported intervals. So given RFC7419, it seems reasonable 
choices are 100ms or 1s. Of those, my recollection is 100ms is too 
aggressive for some vendors. So we can either specify 100ms and let the 
participant negotiate up, or use 1s. Of those choices, I can see how a 
simple 1s makes sense.

But why a multiple of 5, vs 3? It seemed to me that 3 was pretty typical.


> If you were adding support for (self service) parameter customisation, 
> I'd find a knob to enable/disable BFD for a session sensible.

Because you want the ability to explicitly force it off for a particular 
customer (session) for security reasons, rather than allowing 
unauthenticated BFD for someone that is not using BFD, which you see as 
a security risk? Or some other reason?

I assume this would be per VLAN Interface, like "Route Server Client" is 
now.


> I'd also add an option to define the authentication key.

I assume this would be per VLAN Interface per address family, like BGP 
MD5 is now.


> In case you are exposing interval or multiplier, they should be 
> configurable as range verified against globally defined bounds.

Do you think that needs to be per-customer or just globally (i.e. per 
Router)?

For those bounds, probably this:

3 <= multiplier <= 255

10 <= interval <= 10000 # where interval is in ms, so 10ms to 10s, inclusive


If you are against unauthenticated BFD, then it seems you would be 
against any approach where this gets enabled by default. So then we need 
a (presumably per-Router) configuration option to enable BFD that 
defaults to off. The multiplier and interval can default to something 
sane (e.g. 5 * 1s) because they are moot if BFD is disabled. The default 
is then completely safe for upgrades, as it is opt-in.

But I would make the per-customer default on. For upgrades, this is 
still safe, since it will be off globally anyway.

Someone like you can either leave it off, or you could disable it on 
every customer, then enable it globally, then enable it per-customer as 
desired/requested, setting an auth key at that time.

Someone like me can enable it, and adjust the interval/multiplier if 
desired.

-- 
Richard
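
Added example, not part of the original message and not IXP Manager code: a sketch of the two-level enable scheme and the bounds check proposed above, plus an audit helper that lists the sessions that would run BFD without an authentication key. The class, field and function names are hypothetical, and the session names in any input are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Bounds proposed in the message above; interval is in milliseconds.
MULTIPLIER_BOUNDS = (3, 255)
INTERVAL_MS_BOUNDS = (10, 10_000)

@dataclass(frozen=True)
class RouterBfd:
    """Hypothetical per-Router settings: opt-in, so upgrades change nothing."""
    enabled: bool = False
    interval_ms: int = 1000
    multiplier: int = 5

@dataclass(frozen=True)
class SessionBfd:
    """Hypothetical per-VLAN-interface settings: on by default, key optional."""
    enabled: bool = True
    auth_key: Optional[str] = None

def validate(router: RouterBfd) -> None:
    """Reject timers outside the globally defined bounds."""
    for name, value, (low, high) in (
        ("multiplier", router.multiplier, MULTIPLIER_BOUNDS),
        ("interval_ms", router.interval_ms, INTERVAL_MS_BOUNDS),
    ):
        if not low <= value <= high:
            raise ValueError(f"{name}={value} outside {low}..{high}")

def resolve(router: RouterBfd, session: SessionBfd) -> Optional[dict]:
    """Return the effective BFD settings, or None if BFD stays off."""
    validate(router)
    if not (router.enabled and session.enabled):
        return None
    return {
        "interval_ms": router.interval_ms,
        "multiplier": router.multiplier,
        # Failure detection time is roughly interval x multiplier.
        "detection_ms": router.interval_ms * router.multiplier,
        "authenticated": session.auth_key is not None,
    }

def unauthenticated(router: RouterBfd, sessions: dict) -> list:
    """Audit helper: names of sessions that would run BFD without a key."""
    return sorted(
        name for name, s in sessions.items()
        if (cfg := resolve(router, s)) and not cfg["authenticated"]
    )
```

With every default left alone, `resolve` returns `None` for all sessions, which is the upgrade-safe behaviour described above.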