Presentation is loading. Please wait.

Presentation is loading. Please wait.

Optimizing BFD Authentication draft-mahesh-bfd-authentication-00 Mahesh Jethanandani, Ashesh Mishra Manav Bhatia, Ankur Saxena.

Published byBlaise Stafford Modified over 8 years ago

Similar presentations

Presentation on theme: "Optimizing BFD Authentication draft-mahesh-bfd-authentication-00 Mahesh Jethanandani, Ashesh Mishra Manav Bhatia, Ankur Saxena."— Presentation transcript:

1 Optimizing BFD Authentication draft-mahesh-bfd-authentication-00 Mahesh Jethanandani, Ashesh Mishra Manav Bhatia, Ankur Saxena

2 Problem Authentication is computationally intensive process Limits scale and stability of BFD sessions Soon, MD5 and SHA1 will no longer be adequately secure

3 Solution Authenticate only a small subset of BFD frames – All frames that are intended for triggering a change in the BFD session Down, Admin_Down, Init, P-F sequence – Periodic BFD frames when the session state is UP Once frame every 10 seconds?

4 Benefits Authenticating a significantly smaller set of frames reduces the computational stress on the systems Stronger algorithms can be used in BFD authentication without a significant performance degradation

5 Open Issues There is a small window for man-in-the- middle attack between two authenticated BFD frames when the session is in state UP. – The rate of BFD-UP frame authentication can be increased (up to the negotiated Tx interval) to minimize such window (or eliminate it by authenticating every frame). Not a solution we prefer because of the performance degradation.

6 Open Issues Requires change in the BFD frame handling logic. – Simple change in software-only BFD implementations – May be complex to implement in certain hardware engines (particularly when using 3rd party ASICs) – Simple change in hybrid implementations where only frame Tx/Rx is hardware accelerated.

7 Open Issues Method for negotiating “optimized BFD authentication” capability between BFD peers requires further discussion. – Using the Auth-bit may not be adequate if some frames have the bit set and the others do not.

8 Open Issues System is open to DoS attacks if attacker injects auth frames. – Rate-limiting auth frames is an option (no more than 2-3 auth frames per-session per-second are expected) – Other ideas?

9 Open Issues When many sessions change state from UP to DOWN around the same time, the auth system load will be large – No larger than the load expected in full auth methods – Session establishment can be rate-limited to prevent clogging the CPU

10 Open Issues Why not cache the last well-known auth frame and compare new auth frames with the cached copy? – Can’t use sequence numbers in auth-tlv – Not a major security upgrade over the proposed method

11 Questions / Comments ? Mahesh Jethanandani (mjethanandani@gmail.com)mjethanandani@gmail.com Ashesh Mishra (mishra.ashesh@outlook.com)mishra.ashesh@outlook.com Manav Bhatia (manav@ionosnetworks.com)manav@ionosnetworks.com Ankur Saxena (ankurpsaxena@gmail.com)ankurpsaxena@gmail.com

Download ppt "Optimizing BFD Authentication draft-mahesh-bfd-authentication-00 Mahesh Jethanandani, Ashesh Mishra Manav Bhatia, Ankur Saxena."

Similar presentations

Doc.: IEEE 802.11-08/1021r1 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: 2008-09-04 Authors:

Doc.: IEEE /1021r1 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: Authors:
Tuning of Loop Cache Architectures to Programs in Embedded System Design Susan Cotterell and Frank Vahid Department of Computer Science and Engineering.

Tuning of Loop Cache Architectures to Programs in Embedded System Design Susan Cotterell and Frank Vahid Department of Computer Science and Engineering.
CSUN Engineering Management Six Sigma Quality Engineering Week 11 Improve Phase.

CSUN Engineering Management Six Sigma Quality Engineering Week 11 Improve Phase.
Resource Management §A resource can be a logical, such as a shared file, or physical, such as a CPU (a node of the distributed system). One of the functions.

Resource Management §A resource can be a logical, such as a shared file, or physical, such as a CPU (a node of the distributed system). One of the functions.
TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.

TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
Virtual Memory Introduction to Operating Systems: Module 9.

Virtual Memory Introduction to Operating Systems: Module 9.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter XI Reduced Instruction Set Computing (RISC) CS 147 Li-Chuan Fang.

Chapter XI Reduced Instruction Set Computing (RISC) CS 147 Li-Chuan Fang.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
1 COMP 206: Computer Architecture and Implementation Montek Singh Wed, Nov 9, 2005 Topic: Caches (contd.)

1 COMP 206: Computer Architecture and Implementation Montek Singh Wed, Nov 9, 2005 Topic: Caches (contd.)
15-447 Computer ArchitectureFall 2008 © November 3 rd, 2008 Nael Abu-Ghazaleh CS-447– Computer.

Computer ArchitectureFall 2008 © November 3 rd, 2008 Nael Abu-Ghazaleh CS-447– Computer.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Microsoft ® Application Virtualization 4.5 Infrastructure Planning and Design Series.

Microsoft ® Application Virtualization 4.5 Infrastructure Planning and Design Series.
Adaptive Video Coding to Reduce Energy on General Purpose Processors Daniel Grobe Sachs, Sarita Adve, Douglas L. Jones University of Illinois at Urbana-Champaign.

Adaptive Video Coding to Reduce Energy on General Purpose Processors Daniel Grobe Sachs, Sarita Adve, Douglas L. Jones University of Illinois at Urbana-Champaign.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
Private Cloud: Application Transformation Business Priorities Presentation.

Private Cloud: Application Transformation Business Priorities Presentation.
Microsoft ® Application Virtualization 4.6 Infrastructure Planning and Design Published: September 2008 Updated: February 2010.

Microsoft ® Application Virtualization 4.6 Infrastructure Planning and Design Published: September 2008 Updated: February 2010.
Memory Management ◦ Operating Systems ◦ CS550. Paging and Segmentation  Non-contiguous memory allocation  Fragmentation is a serious problem with contiguous.

Memory Management ◦ Operating Systems ◦ CS550. Paging and Segmentation  Non-contiguous memory allocation  Fragmentation is a serious problem with contiguous.
Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.

Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.
The Need for Speed. The PDF-4+ database is designed to handle very large amounts of data and provide the user with an ability to perform extensive data.

The Need for Speed. The PDF-4+ database is designed to handle very large amounts of data and provide the user with an ability to perform extensive data.

Similar presentations

Ads by Google