Re: [secdir] Review of draft-ietf-trill-rfc6439bis-03

Donald Eastlake <d3e3e3@gmail.com> Fri, 13 January 2017 15:55 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF19612947E for <secdir@ietfa.amsl.com>; Fri, 13 Jan 2017 07:55:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OO-s01U_7KFO for <secdir@ietfa.amsl.com>; Fri, 13 Jan 2017 07:55:04 -0800 (PST)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F1131293EB for <secdir@ietf.org>; Fri, 13 Jan 2017 07:55:04 -0800 (PST)
Received: by mail-it0-x231.google.com with SMTP id 203so35169982ith.0 for <secdir@ietf.org>; Fri, 13 Jan 2017 07:55:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Qo8P2Kmv7Djd2OWDikwWt2KjP29/QiSjpC54Xijfwyw=; b=J1Cn7C5rzujGxOSindUkWjkiQO/Zg/QkEly49d9bqlfSe4DTyU1MEnLBR7rcaQYz4C 2DyrHJ6vF0vlk5WBbozz9cktkO07ip8SICMDaeIFlzh++XR78dq0qL7k6Os3VzYVhbdE /24mhAAelHz3ej8nvZyiuKY+4qhNlKm9ulkrakoUiABmaucX8ktIuGqksH+6lCA1m5eU l3KGblPJnCjvv59+3zFX8qUCFcmU3ml3WCOfyN8YlUVir7MQmrRVQbt+zXkA205wItNG Lh+BIueH6jqBhvWY/zgBrhF3HUKSjh6sbjqHZSrPouN22GSIExD+f4zNKQByeGSnKL8h Ulvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Qo8P2Kmv7Djd2OWDikwWt2KjP29/QiSjpC54Xijfwyw=; b=rGC8+S3h6xmyZSN0Xw/ykoYL6kDleQlXLHYWzQ0OQmg8HYwhHUTKdhWF+GBrelMwIq WNbXtu1TLkhaFD1wF/lgJnCHTIefFsdN/WxWmc55Xtyv6tIZ7mo9cERggv1LwMfLs9dT qGXWndYftpbFaKQL4A7WMSHB5E4ahqdoS/nhhLCaS6FJSroa4xW2nLtTbC65Fs/kxMGi /QmIMf9pwKyACCBn6O5va5kidpO4hSeiEMP+NCVtUJ6C+Uy76KD5OL7c/e1aTXnXqkYI pxYKo4QkUcetOlHfjNTVYa4kLrXXx3miv0dhplK1DlkeE6d3mKqhGGz2lB9vlNw1pqmS Cgfw==
X-Gm-Message-State: AIkVDXL3H/RAEir7gkFcWpmp3Gix3Q2UA8kQE6uFxckerMziA21XwJm74t/0PCj04piqE/AJRxMsuFJBB+KQtQ==
X-Received: by 10.36.107.194 with SMTP id v185mr2971721itc.59.1484322903862; Fri, 13 Jan 2017 07:55:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.41.72 with HTTP; Fri, 13 Jan 2017 07:54:48 -0800 (PST)
In-Reply-To: <f2e1a301-bc2b-d8bc-6a79-aab83f70c737@oracle.com>
References: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com> <10ed6c45-a8a7-e62e-78fb-62631442f4b9@oracle.com> <CAF4+nEGv95DatWkjrFnh9H9qhwtc0fz+OOs-TqZhxaLeiGovyw@mail.gmail.com> <4a04ae5b-f30c-303e-e035-aa3819c1f691@oracle.com> <CAF4+nEEy6pqri=kA5U5EYYNPmfnMtEW3UKxvni2_wqVyktbZfw@mail.gmail.com> <f2e1a301-bc2b-d8bc-6a79-aab83f70c737@oracle.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Fri, 13 Jan 2017 10:54:48 -0500
Message-ID: <CAF4+nEFZoHt4Es3jwY-G11tkYDn6apbhd_8-YjyZtL-jWVEg+Q@mail.gmail.com>
To: Shawn M Emery <shawn.emery@oracle.com>
Content-Type: multipart/alternative; boundary=001a114ac2326ae2190545fbdbd7
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dW5GNemcYuJctOeku-KL2p5grPE>
Cc: draft-ietf-trill-rfc6439bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-rfc6439bis-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2017 15:55:07 -0000

Hi Shawn,

Those fixed look good to me. We should be able to implement them.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

On Thu, Jan 12, 2017 at 7:24 PM, Shawn M Emery <shawn.emery@oracle.com>
wrote:

> On 01/11/17 11:56 AM, Donald Eastlake wrote:
>
> Hi Shawn,
>
> A version -04 has been uploaded with these fixes.
>
>
> I have just one suggested update, provided that the update is an accurate
> statement:
>
> OLD:
> As such, they are securable through the addition to those PDUs
> Authentication TLVs [RFC5310] in the same way as Hellos or other IS-IS PDUs.
>
> NEW:
> Therefore, they are securable through the addition of Authentication TLVs
> [RFC5310] in the same way as Hellos or other IS-IS PDUs.
>
> and one editorial:
>
> s/It this case/In this case/
>
> The rest of the changes looks good to me.
>
> Thanks,
>
> Shawn.
> --
>
> On Wed, Jan 11, 2017 at 12:22 AM, Shawn M Emery <shawn.emery@oracle.com> <shawn.emery@oracle.com> wrote:
>
> On 01/10/17 06:03 PM, Donald Eastlake wrote:
>
> Hi Shawn,
>
> Thanks for your comments. See below.
>
> On Mon, Jan 9, 2017 at 12:11 AM, Shawn M Emery <shawn.emery@oracle.com> <shawn.emery@oracle.com>
> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This draft updates the Appointed Forwarders mechanism (RFC 6439);
> which supports multiple TRILL switches that handle native traffic
> to and from end stations on a single link.
>
> The security considerations section does exist and states that this
> update does not change the security properties of the TRILL base
> protocol.  The section goes on to state that the Port-Shutdown message
> SHOULD be secured through the Tunnel Channel protocol (which is in draft
> state).  Was this intended to be a normative reference?
>
> That reference is out of date. draft-ietf-trill-channel-tunnel has
> issued as RFC 7978. That should be updated and I agree that this
> should be a normative reference.
>
> Thanks.
>
>
> The section quickly
> finishes with a reference to Authentication TLVs as a way to secure
> E-LICS
> FS-LSPs traffic.  I'm not a TRILL expert and therefore find it difficult
> to
> distinguish between the usage of Tunnel Channels and Authentication TLVs
> for
> securing Port Shutdown messaging.  Could you please clarify?
>
> "Channel Tunnel", although left in the draft name for convenience, was
> basically changed to RBridge Header Extension. This is a way to add a
> layer of header to RBridge Channel messages (specified in RFC 7178) to
> secure their content. The Authentication TLV is an IS-IS TLV and
> including that TLV in an IS-IS PDU can be used to secure the content
> of the PDU. Some text can be added to clarify this.
>
> Ah, I see.  Yes, clarifying text would be helpful for the nascent reader.
>
>
> General comments:
>
> None.
>
> Editorial comments:
>
> s/the need to "inhibition"/the need for "inhibition"/
> s/forarding/forwarding/
> s/two optimization/two optimizations/
> s/messages are build/messages are built/
>
> Thanks for spotting those. We'll fix them.
>
> No problem.
>
> Regards,
>
> Shawn.
> --
>
>
>