Deb,

Glad to hear we're largely converged. A minor clarification here may help - or might suggest the need for a minor tweak to verbiage:

> On Oct 29, 2025, at 4:16 PM, Deb Cooley <[email protected]> wrote:
>
> [DC] I really have no idea what the point of the second para is in Section 6
> (the rest of the subsections are fine, and the first sentence/para in the
> section is fine too). Why does this even need to be mentioned? There is
> literally no mention of any of these techniques anywhere else in the
> specification. It appears here, out of the blue. Personally, I'd delete it.
> But these aren't blocking comments, so if you all think it is clear, then
> I'm good.
>

In RFC 5880, we support the following authentication types:

1 Simple Password
2 Keyed MD5
3 Meticulous Keyed MD5
4 Keyed SHA1
5 Meticulous Keyed SHA1

The distinction is MD5 and SHA1 also are permitted to operate in NON-meticulous mode. The distinction is that the same auth seq# can be used more than once.

The motivation for that behavior is we still provide BFD messages saying "we're up!" but we're only requiring authentication to be re-done when the sequence number changes. Otherwise, you effectively can do a memcmp and be satisfied that nothing has changed state-wise or security-wise.

For BFD stability purposes, the requirement is to use the meticulous mode in order to provide detection of lost packets. Non-meticulous mode can't give us that.

With that explanation, is everything clear or do you have rewording you'd find helpful?

-- Jeff
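The difference between the two modes, as an added example that is not part of the original message: a receive-side sequence check following the window rule RFC 5880 gives for the keyed types (non-meticulous accepts bfd.RcvAuthSeq through bfd.RcvAuthSeq+3*Detect Mult, meticulous starts at bfd.RcvAuthSeq+1). The class and function names are hypothetical, the sequence numbers are constructed, and digest verification is left out so only the sequence behaviour is shown.

```python
MASK = 0xFFFFFFFF  # sequence numbers are compared in a circular 32-bit space


class AuthSeqCheck:
    """Receive-side sequence state for one session (hypothetical class)."""

    def __init__(self, meticulous, detect_mult=3):
        self.meticulous = meticulous
        self.detect_mult = detect_mult
        self.seq_known = False  # bfd.AuthSeqKnown
        self.rcv_seq = 0        # bfd.RcvAuthSeq

    def accept(self, seq):
        """Return (accepted, lost). lost is the number of packets missed since
        the last accepted one, or None when this mode cannot tell."""
        if not self.seq_known:
            # First authenticated packet: adopt its sequence number.
            self.seq_known, self.rcv_seq = True, seq & MASK
            return True, None
        delta = (seq - self.rcv_seq) & MASK
        # Meticulous: window starts at RcvAuthSeq+1, so a repeat is rejected.
        # Non-meticulous: window starts at RcvAuthSeq, so a repeat is accepted.
        low = 1 if self.meticulous else 0
        if not low <= delta <= 3 * self.detect_mult:
            return False, None
        self.rcv_seq = seq & MASK
        # Only a sender that increments on every packet makes gaps countable.
        return True, (delta - 1 if self.meticulous else None)


def run(meticulous, seqs):
    """Feed constructed sequence numbers through a fresh checker."""
    chk = AuthSeqCheck(meticulous)
    return [chk.accept(s) for s in seqs]


if __name__ == "__main__":
    sample = [100, 100, 101, 104, 101]  # constructed: repeat, gap, stale value
    print("meticulous:    ", run(True, sample))
    print("non-meticulous:", run(False, sample))
```

On the constructed input, the meticulous checker rejects the repeated 100 and reports two missed packets at 104, while the non-meticulous checker accepts the repeat and cannot attribute the gap to loss.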
