[secdir] Security review of draft-ietf-trill-directory-assisted-encap-09.txt

"Hilarie Orman" <hilarie@purplestreak.com> Thu, 08 March 2018 03:53 UTC

Date: Wed, 7 Mar 2018 20:53:14 -0700
Message-Id: <201803080353.w283rEZi016590@rumpleteazer.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
Reply-To: "Hilarie Orman" <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-trill-directory-assisted-encap.all@tools.ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1cM8x9ec9ClH6KLbnM67uVw6Mk8>

Security review of Directory Assisted TRILL Encapsulation

(A day late and a dollar short, sorry)

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call

The document describes "the benefits of and a scheme for non-RBridge
nodes performing TRILL encapsulation."  The scheme uses TRILL
directories to help with the scaling issues for large TRILL networks
that co-exist with non-TRILL networks.  Non-RBridge nodes can
find a TRILL directory and properly encapsulate packets with TRILL
headers to guide them to and from the network edges.  The method
reduces the amount of node information that might otherwise be
assigned and flooded through the network.

There are security considerations that mandate that the directory
server and the TRILL encapsulating nodes "properly authenticate with
each other to protect sensitive information," but there is no
discussion of what is "proper" or how the propriety is maintained.
How does the directory server know which entities are authorized to
be encapsulating nodes and what information are they allowed to
see (or change)?  How do the encapsulating nodes know how to
authenticate the directory nodes?  Is this essential configuration
that has to be built in before the network can function with directory
assisted encapsulation?  Does it require cooperation between
administrators in different parts of a campus?

In some places the behavior of the nodes depends on whether or not
the directory is "known to be complete".  This seems like transient
information that has to be communicated in some unspecified way at
unspecified times.  It may not affect security, but it might affect

Nits about grammar are many, but the one that interferes with
comprehension is the split infinitive in "it is still necessary to
designate AF ports to, for example, be sure that multi-destination