On Oct 29, 2025, at 5:34 PM, Deb Cooley <[email protected]> wrote:
>
> Wait, let me attempt to rephrase this... if you are using MD5, SHA-1 or
> whatever w/ sequence numbers, then it has to be meticulous. That definitely
> does not come across in Section 6. Here is my attempt to clarify the
> paragraph:
> ...
> I will freely admit that the above is one hell of a long sentence... Feel
> free to fix that.
Perhaps inverting the sense would work:

"BFD has a number of operational modes which are subject to attacks. Sessions using NULL authentication are vulnerable to trivial forgery. Sessions using Simple Password authentication expose the password for all to see, and are also vulnerable to forgery. Even packets using MD5 or SHA-1 authentication can be trivially replayed when a non-meticulous mode is used. As such, when MD5 or SHA-1 or any other authentication is used, it MUST be used in a Meticulous Keyed mode. Authentication types that provide for meticulously increasing sequence numbers can also be used, such as Meticulous Keyed ISAAC for BFD Authentication [I-D.ietf-bfd-secure-sequence-numbers]."

Alan DeKok.
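The replay distinction discussed above, as an added example that is not part of the thread: a simplified model of the RFC 5880 receiver-side sequence-number check for Keyed MD5 versus Meticulous Keyed MD5, showing why only the meticulous mode rejects an identical packet sent twice. The shared key, payload and packet layout are constructed for illustration and are not real BFD encoding.

```python
import hashlib
import struct

# Simplified model of the RFC 5880 receiver check (constructed example, not a
# BFD implementation). The receiver accepts a sequence number up to
# bfd.RcvAuthSeq + 3 * DetectMult; the lower bound is what differs:
#   Keyed MD5:            seq >= bfd.RcvAuthSeq     (re-use allowed, replayable)
#   Meticulous Keyed MD5: seq >= bfd.RcvAuthSeq + 1 (strictly increasing)
DETECT_MULT = 3
WINDOW = 3 * DETECT_MULT


def sign(seq: int, payload: bytes, key: bytes) -> bytes:
    """Keyed MD5 over sequence number, payload and shared key (constructed layout)."""
    return hashlib.md5(struct.pack("!I", seq) + payload + key).digest()


class Receiver:
    def __init__(self, key: bytes, meticulous: bool):
        self.key = key
        self.meticulous = meticulous
        self.rcv_auth_seq = None  # bfd.RcvAuthSeq; None models bfd.AuthSeqKnown == 0

    def accept(self, seq: int, payload: bytes, digest: bytes) -> bool:
        # The digest must verify under the shared key before anything else.
        if digest != sign(seq, payload, self.key):
            return False
        if self.rcv_auth_seq is not None:
            # Compare in the unsigned 32-bit circular number space.
            delta = (seq - self.rcv_auth_seq) & 0xFFFFFFFF
            low = 1 if self.meticulous else 0
            if not (low <= delta <= WINDOW):
                return False
        self.rcv_auth_seq = seq
        return True


def replay_demo(meticulous: bool):
    """Deliver one valid packet, then deliver the identical packet again."""
    key = b"shared-secret"  # constructed
    payload = b"state=Up"   # constructed stand-in for the BFD control packet body
    pkt = (100, payload, sign(100, payload, key))
    rx = Receiver(key, meticulous)
    first = rx.accept(*pkt)
    replayed = rx.accept(*pkt)  # same sequence number, same digest
    return first, replayed
```

In the non-meticulous mode the second delivery is accepted, because the sender is allowed to reuse a sequence number; in the meticulous mode it is discarded, which is the property the proposed text requires.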
