On (2015-02-15 21:34 +0530), Dave Waters wrote: Hey,
http://www.reddit.com/r/networking/comments/2vxj9u/very_elegant_and_a_simple...
Authentication mechanisms defined for IGPs cannot be used to protect BFD since the rate at which packets are processed in BFD is very high.
Not sure I understand the draft[0] correctly, but I suppose it only protects you from a forced state-change attack. An attacker can't force you to go from up=>down or down=>up, but an attacker could force routers to keep BFD state?

I wonder if Trio, EZChip and friends could do SHA in NPU, my guess is yes they could, but perhaps there is an even more appropriate hash for this use-case. I'm not entirely convinced doing a hash for each BFD packet is impractical.

[0] http://www.ietf.org/id/draft-mahesh-bfd-authentication-00.txt

--
++ytti
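The concern raised in the message above, as an added example (not code from the post or from the draft): a simplified receiver that verifies a MAC only on packets that would change session state, next to one that verifies every packet. The HMAC-SHA256 tag appended to the 24-byte RFC 5880 header, the key, the discriminators and the `Session`/`simulate` names are assumptions made for illustration; the policy modelled is the reading given in the message, not the draft's specified behaviour.

```python
import hashlib
import hmac
import struct

DOWN, UP = 1, 3                  # RFC 5880 session state codes
DETECT_MULT = 3
KEY = b"constructed-demo-key"    # constructed sample key

def build(state, my_disc, your_disc, key=None):
    """24-byte RFC 5880 mandatory section. An HMAC-SHA256 tag is appended when
    a key is given (a simplification, not the RFC 5880 auth section layout)."""
    hdr = struct.pack("!BBBBIIIII", 1 << 5, state << 6, DETECT_MULT, 24,
                      my_disc, your_disc, 300000, 300000, 0)
    return hdr + (hmac.new(key, hdr, hashlib.sha256).digest() if key else b"")

class Session:
    def __init__(self, key, auth_every_packet):
        self.key, self.auth_all = key, auth_every_packet
        self.state, self.missed = UP, 0

    def _mac_ok(self, pkt):
        want = hmac.new(self.key, pkt[:24], hashlib.sha256).digest()
        return hmac.compare_digest(pkt[24:], want)

    def receive(self, pkt):
        state = pkt[1] >> 6                      # Sta field: top two bits of byte 1
        changes_state = state != self.state
        if (self.auth_all or changes_state) and not self._mac_ok(pkt):
            return "dropped"
        self.state, self.missed = state, 0       # accepted packet resets detection
        return "accepted"

    def tick(self):
        """One receive interval elapsed; declare Down after DETECT_MULT misses."""
        self.missed += 1
        if self.missed >= DETECT_MULT:
            self.state = DOWN

def simulate(auth_every_packet, intervals=5):
    """The real peer is silent; only unauthenticated packets arrive."""
    s = Session(KEY, auth_every_packet)
    unauth_down = s.receive(build(DOWN, 7, 9))   # tries to force up=>down
    for _ in range(intervals):
        s.tick()
        s.receive(build(UP, 7, 9))               # same-state packet, no MAC
    return unauth_down, s.state

if __name__ == "__main__":
    print("state-change-only auth:", simulate(False))
    print("per-packet auth:       ", simulate(True))
```

In both modes the forced Down is dropped, but only the per-packet receiver detects the silent peer; the state-change-only receiver stays Up for as long as same-state packets keep arriving.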