Re: [Isis-wg] Genart last call review of draft-ietf-isis-auto-conf-04

Robert Sparks <rjsparks@nostrum.com> Mon, 10 April 2017 17:35 UTC

To: "Alvaro Retana (aretana)" <aretana@cisco.com>, "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, "Liubing (Leo)" <leo.liubing@huawei.com>, "gen-art@ietf.org" <gen-art@ietf.org>
Cc: "draft-ietf-isis-auto-conf.all@ietf.org" <draft-ietf-isis-auto-conf.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "isis-wg@ietf.org" <isis-wg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/isis-wg/tBSQ4J3JrEd7ja-Q-on38ba94xA>

+1


On 4/10/17 1:32 PM, Alvaro Retana (aretana) wrote:
> Works for me!
>
> Thanks!
>
> Alvaro.
>
> On 4/10/17, 10:34 AM, "Les Ginsberg (ginsberg)" <ginsberg@cisco.com> wrote:
>
> Bing/Robert/Alvaro -
>
> Here is the existing text of the Security Section:
>
>    "In general, the use of authentication is incompatible with auto-
>     configuration as it requires some manual configuration.
>
>     For wired deployment, the wired connection itself could be considered
>     as an implicit authentication in that unwanted routers are usually
>     not able to connect (i.e. there is some kind of physical security in
>     place preventing the connection of rogue devices); for wireless
>     deployment, the authentication could be achieved at the lower
>     wireless link layer."
>
>
> Proposed revision:
>
> "In the absence of cryptographic authentication it is possible for an attacker to inject a PDU falsely indicating
> there is a duplicate system-id. This may trigger automatic restart of the protocol using the duplicate-id
> resolution procedures defined in this document.
>
> Note that the use of authentication is incompatible with auto-
> configuration as it requires some manual configuration.
>
>     For wired deployment, the wired connection itself could be considered
>     as an implicit authentication in that unwanted routers are usually
>     not able to connect (i.e. there is some kind of physical security in
>     place preventing the connection of rogue devices); for wireless
>     deployment, the authentication could be achieved at the lower
>     wireless link layer."
>
> ???