Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of BFD Security According to KARP Design Guide draft-ietf-karp-bfd-analysis-01 draft-ietf-karp-bfd-analysis-01 Manav Bhatia Dacheng Zhang Mahesh.

Published byAdela Webb Modified over 7 years ago

Similar presentations

Presentation on theme: "Analysis of BFD Security According to KARP Design Guide draft-ietf-karp-bfd-analysis-01 draft-ietf-karp-bfd-analysis-01 Manav Bhatia Dacheng Zhang Mahesh."— Presentation transcript:

1 Analysis of BFD Security According to KARP Design Guide draft-ietf-karp-bfd-analysis-01 draft-ietf-karp-bfd-analysis-01 Manav Bhatia Dacheng Zhang Mahesh Jethanandani 1

2 Agenda Why KARP Analysis Existing algorithms Recommended algorithms Impact Conclusions Questions Last presented at IETF 87 (Berlin) 2

3 Why? BFD used for liveliness check IP BFD Next hop liveliness check IS-IS, OSPFv2, RIPv2 LSP BFD MPLS(-TP) End-to-end tunnel check 3

4 Why (cont.)? BFD used for liveliness check In lieu of routing protocols “hellos” 3 x 30 sec Something shorter Across AS boundaries eBGP 4

5 KARP Analysis of BFD KARP threat analysis [RFC 6862] Replay Protection 32 bit sequence number Incremented every 3.3 ms in Meticulous mode 24 weeks Weak authentication algorithms MD5 or SHA-1 based DoS attacks Authentication packet send at a short interval 5

6 Existing Authentication Mechanisms [RFC5880] describes five authentication mechanisms Authentication Mechanisms FeaturesSecurity Strength Simple Password Password transported in plain text weak Keyed MD5 sequence member required to increase occasionally Subject to both intra and inter -session replay attacks Keyed SHA-1 Same as Keyed MD5 Meticulous Keyed MD5 sequence member required to increase monotonically Subject to inter-session replay attacks Meticulous Keyed SHA-1 Same as Meticulous Keyed MD5 6

7 Recommended Authentication Algorithms SHA-2 SHA-256 SHA-384 SHA-512 HMAC FIPS-198 GMAC 7

8 Impact of Authentication Requirement BFD session in software BFD session is offloaded (hardware assist) BFD session is implemented in hardware 8

9 Impact of Authentication BFD in software CPU 500 MHz – Dual Core Cavium Meticulous algorithm No hardware support for authentication Entirely in software SHA-256 and HMAC 9

10 Impact of Authentication BFD in software (cont.) Time interval 10 ms 30 ms detection No authentication 16 sessions (tx + rx) With authentication in software 2 sessions (tx + rx) (prediction) Time interval of 1 s. 3 s detection No authentication 1K sessions (tx + rx) With authentication 125 sessions (tx + rx) (prediction) 10

11 Impact of Authentication BFD with hw assist Meticulous algorithm SHA-2 and HMAC No hardware support for authentication Hardware does tx and rx Packet constructed in software FSM in software 11

12 Impact of Authentication BFD offloaded to hardware (cont.) Time interval 3.3 ms 10 ms detection No authentication 2K sessions (tx + rx) With authentication in software 1 sessions (tx + rx) (prediction) Time interval of 10ms. 30 ms detection No authentication 8K sessions (tx + rx) With authentication 2 sessions (tx + rx) (prediction) 12

13 Impact of Authentication BFD implemented in hw Meticulous algorithm SHA-1 “Hardware support” for authentication Hardware manages entire session in hardware Including FSM 13

14 Impact of Authentication BFD implemented in hw (cont.) Time interval 3.3 ms 10 ms detection No authentication 128 sessions (tx + rx) With authentication in software 16 sessions (tx + rx) Time interval of 10ms. 30 ms detection No authentication 800 sessions (tx + rx) With authentication 100 sessions (tx + rx) GMAC 14

15 Conclusions Carefully evaluate why and where Be willing to pay for it In performance By adding hardware auth support 15

16 Questions? 16

Download ppt "Analysis of BFD Security According to KARP Design Guide draft-ietf-karp-bfd-analysis-01 draft-ietf-karp-bfd-analysis-01 Manav Bhatia Dacheng Zhang Mahesh."

Similar presentations

IS-IS ESN TLV draft-chunduri-isis-extended-sequence-no-tlv-01 Uma Chunduri, Wenhu Lu, Albert Tian Ericsson Inc. Naiming Shen Cisco Systems, Inc. IETF 83,

IS-IS ESN TLV draft-chunduri-isis-extended-sequence-no-tlv-01 Uma Chunduri, Wenhu Lu, Albert Tian Ericsson Inc. Naiming Shen Cisco Systems, Inc. IETF 83,
Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.

Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
TRILL over IP draft-ietf-trill-over-ip-01.txt IETF 91, Honolulu Margaret Wasserman Donald Eastlake, Dacheng Zhang.

TRILL over IP draft-ietf-trill-over-ip-01.txt IETF 91, Honolulu Margaret Wasserman Donald Eastlake, Dacheng Zhang.
Simplified BFD Procedures for Bi-Directional LSPs.

Simplified BFD Procedures for Bi-Directional LSPs.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
2003-2004 - Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)

Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Optimizing BFD Authentication draft-mahesh-bfd-authentication-00 Mahesh Jethanandani, Ashesh Mishra Manav Bhatia, Ankur Saxena.

Optimizing BFD Authentication draft-mahesh-bfd-authentication-00 Mahesh Jethanandani, Ashesh Mishra Manav Bhatia, Ankur Saxena.
Karlstad University IP security Ge Zhang

Karlstad University IP security Ge Zhang
Network Security David Lazăr.

Network Security David Lazăr.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.

IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.

7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.
1 Virtual Private Networks (VPNs) and IP Security (IPSec) G53ACC Chris Greenhalgh.

1 Virtual Private Networks (VPNs) and IP Security (IPSec) G53ACC Chris Greenhalgh.

Similar presentations

Ads by Google