Re: Review of draft-ietf-trill-over-ip-08

Donald Eastlake <d3e3e3@gmail.com> Thu, 05 January 2017 01:43 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 875EC1294C6; Wed, 4 Jan 2017 17:43:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XjKLHSYD72R7; Wed, 4 Jan 2017 17:43:27 -0800 (PST)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25882129421; Wed, 4 Jan 2017 17:43:26 -0800 (PST)
Received: by mail-io0-x233.google.com with SMTP id d9so468246069ioe.0; Wed, 04 Jan 2017 17:43:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=shYu8Lzejr0kqXrUueN31nYnZk9TQtaMo+crB2KPSWM=; b=QjfzUT3pGYyOscfjfq2vLi5Z8LZ8ACRyO/0R6BxUmrP+3HKSy1YLxFEKP1CFaeE4OA zLXZKS7hJZeCG17WBcsdMzNbzq8Vt886gI2I+RLfYbYAr9rMiVr12aHBAs/nTVhO3SOR y88+LilYYyvBUeLV0cMfmcGLkzi73VyvRyUERg2v9W3Jf5xvGgXYk90L4JQJ8GBxrDtz 8DjsbvGTbWqw5fKh+sw46yniHzOTj6huxbXm4rPtL2v+536myZR6vNsREAne0aejUS3D /Ub4N8dyak4ZzAsJ3ognkvQ62+Sy++p+ekDRAVFYrPZqEtmKgJ0INap1Utsmmvf8nqBC 0Btg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=shYu8Lzejr0kqXrUueN31nYnZk9TQtaMo+crB2KPSWM=; b=rctzrY0VOw/1LJ1cueja/EbSlseSUz/eVG/sbgUUQJGVjkheBMfBeV4AN1ydeqU1FL VNFGOzQs7i0VtXRAiet6O94IA3PEK1ZBqVofiNbXvaVBK7/s1zrKdjao4rOYYcTTepts 5lAM8O6Ubs/N113snaXKexJAh5sfCeYsl7hmiM6Nkwng3lZQY8a7Aqkd71GZOiToycg6 egu326SiGu/iTP+R4JmWiMsqaLxHeAweFUS2e5CN+LVogWNgrCqa3dbY+xxll0QCYa71 x1sKNiSwu/EdTXOZ6g4qU433FYmd6hyWI2lLdqXlf6BB7NDjv0ZtFXlgpuZCOy3v5Vwb shtg==
X-Gm-Message-State: AIkVDXKt1CgGvefTozN9XlJ/CXfATB8SYR1/YOmrOX/B9/9ukwdO2fkqbU91rEmFeDHeNa4hMR+VpztWgiifOw==
X-Received: by 10.107.175.80 with SMTP id y77mr50675142ioe.12.1483580606237; Wed, 04 Jan 2017 17:43:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.41.136 with HTTP; Wed, 4 Jan 2017 17:43:10 -0800 (PST)
In-Reply-To: <9bbd1c40-a983-e85c-5656-ef17d50b8605@isi.edu>
References: <148290260152.14213.11124890517026127285.idtracker@ietfa.amsl.com> <9bbd1c40-a983-e85c-5656-ef17d50b8605@isi.edu>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 4 Jan 2017 20:43:10 -0500
Message-ID: <CAF4+nEFu26=YgZnRnW6rhoObkMWP0g22Rn1jUVv+FtYfBpQk-A@mail.gmail.com>
Subject: Re: Review of draft-ietf-trill-over-ip-08
To: Joe Touch <touch@isi.edu>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/ZUYkgeDXKi0S1DDQo1vRbpP9Oyc>
Cc: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "trill@ietf.org" <trill@ietf.org>, IETF Discussion <ietf@ietf.org>, draft-ietf-trill-over-ip.all@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 01:43:28 -0000

Hi Joe,

Thanks for the comments.

On Tue, Jan 3, 2017 at 1:56 PM, Joe Touch <touch@isi.edu>; wrote:
>
> Some observations:
>
> - the title is misleading; this is TRILL over UDP, not trill over IP.

Humm... The two encapsulations specified do use UDP and it seems
implausible that TCP would be used. But it is possible someone would
want to use SCTP or some other non-UDP IP encapsulation. That would
presumably be via some future document. So I guess, on balance it
would be better to change the title as you suggest.

> - the use of two different ports invites some potentially unintended
> problems, e.g., selective blocking of the control vs. data plane. IMO,
> given that TRILL's purpose is to extend Ethernet (not IP), this service
> would be better served using a single port and differentiated
> encapsulated traffic by whatever method TRILL nodes use internally.
> Otherwise, this spec needs to include specific description of unexpected
> behavior, e.g., data frames on the IS-IS port and IS-IS frames on the
> data port.

I guess I don't see this.

As for selective blocking, if someone can control the passing of
traffic through links connecting TRILL switches, they can always block
a subset of traffic based on whatever criteria they want. I don't
think it makes significant difference what header field they look at.

Similarly, if someone can modify traffic passing through links between
TRILL switches, if the traffic is IP they could swap around port
numbers, but they could also swap around other header fields.
Presumably it is a policy decision for network managers based on their
threat model whether or not to use facilities by TRILL or otherwise to
provided to secure control traffic and/or use link security to protect
all traffic over a link. (Similarly, it is a matter for end system
users/managers to decide whether to use end-to-end security.)

I suppose we could throw in a few sentences saying that if security is
not being used and data or control is mislabeled as the other and it
happens to be parseable as the other, you will get junk in the data
stream or screwed up control information. But I don't think the
mislabeling of control and data as the other by TRILL code is a
realistic problem. It would be detected by the crudest of testing.

> - regardless of whether one or two ports are requested, this doc should
> provide the needed information for IANA (e.g., a service name and
> description compliant with RFC6335).

OK.

> - the section on MTU handling might benefit from informationally citing
> intarea-tunnels, and consider using the recommendations there. In
> particular, it's not sufficient to assume IPv4 supports 576 byte MTUs
> (that's the minimum receiver reassembly MTU, not the transit MTU). That
> section should also address issues of PMTUD and PLMTUD.

I'll take a look at that draft in this context.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

> FWIW.
>
> Joe