Re: [secdir] Secdir last call review of draft-ietf-trill-p2mp-bfd-07

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 29 December 2017 23:53 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E95861201F8; Fri, 29 Dec 2017 15:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMzgklOTaBfl; Fri, 29 Dec 2017 15:53:10 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9025A1200F1; Fri, 29 Dec 2017 15:53:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 1DD23BDF9; Fri, 29 Dec 2017 23:53:08 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lfZfLYhNpKsx; Fri, 29 Dec 2017 23:53:07 +0000 (GMT)
Received: from [10.244.2.100] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C4A41BDD8; Fri, 29 Dec 2017 23:53:06 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1514591587; bh=41ZzSPdm0AcjExy/oA/loYrZofaoEYTjhr8raK7ABlM=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=tKz+sw/PzeI9CRwaCnFLNc5UvHjTvkZ9o2u47Knac6yuTzrGQZr+J+pO3NUPxugKA HdRo68pHghDnh52eIKTB5FFWd/JmRXLSon7ixnYEI8vZEP7M0WcZUwTRZu6BBEH1nE yc141KBdMjePFLKyjYCbjQEavE0/PpsjjNxCRM2U=
To: Donald Eastlake <d3e3e3@gmail.com>
Cc: secdir@ietf.org, draft-ietf-trill-p2mp-bfd.all@ietf.org, IETF Discussion <ietf@ietf.org>, trill@ietf.org
References: <151447284096.3404.9799585674492282627@ietfa.amsl.com> <CAF4+nEHryN5xUcR-sQrzTyC+g+1R0E=caZcDoVShYbwpMso_+A@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <9064e8bb-57d8-04ad-a515-3114323c4052@cs.tcd.ie>
Date: Fri, 29 Dec 2017 23:53:06 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <CAF4+nEHryN5xUcR-sQrzTyC+g+1R0E=caZcDoVShYbwpMso_+A@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="H6MWkScb7Uw75HAxmriRsWkyIT4pRWIMD"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/KAZevWuVQAiukpRBKgjm7YIATRg>
Subject: Re: [secdir] Secdir last call review of draft-ietf-trill-p2mp-bfd-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 23:53:13 -0000

Hiya,

On 29/12/17 23:37, Donald Eastlake wrote:
> OLD
>                                                    However, [RFC7978],
>    while it provides both authentication and encryption for point-to-
>    point extended RBridge Channel messages, provides only authentication
>    for multipoint RBridge Channel messages. Thus, there is little reason
>    to use the [RFC7978] security mechanisms at this time. However, it is
>    expected that a future document will provide for group keying; when
>    that occurs, the use of RBridge Channel security will also be able to
>    provide encryption and may be desirable.
> 
> NEW
>    [RFC7978] provides encryption only for point-to-point extended
>    RBridge Channel messages so its encryption facilities are not
>    applicable to this draft. However [RFC7978] provides stronger
>    authentication than that currently provided in BFD. Thus, there is
>    little reason to use the BFD security mechanisms if [RFC7978]
>    authentication is in use. It is expected that a future TRILL
>    document will provide for group keying; when that occurs, the use
>    of [RFC7978] RBridge Channel security will be able to provide both
>    encryption and authentication.

Were that change acceptable to the WG, I'd be supportive,
and it'd clearly solve what I thought was an issue with
the current spec.

Cheers,
S.


-- 
PGP key change time for me.
New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
NewWithOld sigs in keyservers.
Sorry if that mucks something up;-)