Re: [secdir] Review of draft-ietf-trill-irb-13

Shawn M Emery <shawn.emery@oracle.com> Wed, 29 June 2016 03:58 UTC

Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D280012D9CB for <secdir@ietfa.amsl.com>; Tue, 28 Jun 2016 20:58:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.647
X-Spam-Level:
X-Spam-Status: No, score=-5.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Phblct5L_TXx for <secdir@ietfa.amsl.com>; Tue, 28 Jun 2016 20:58:24 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF4D712D0E6 for <secdir@ietf.org>; Tue, 28 Jun 2016 20:58:24 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u5T3wKVp016923 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 29 Jun 2016 03:58:20 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u5T3wIm9017199 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 29 Jun 2016 03:58:18 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u5T3wGxT002697; Wed, 29 Jun 2016 03:58:17 GMT
Received: from [10.159.68.123] (/10.159.68.123) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 28 Jun 2016 20:58:16 -0700
To: Donald Eastlake <d3e3e3@gmail.com>
References: <5729944D.4040403@oracle.com> <5770C231.9060301@oracle.com> <CAF4+nEGnsmr5+7z52w0Ea7E8Z+osET6sZQkaRQAhawsDqDVYyw@mail.gmail.com>
From: Shawn M Emery <shawn.emery@oracle.com>
Message-ID: <577347DF.2060202@oracle.com>
Date: Tue, 28 Jun 2016 22:00:31 -0600
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
MIME-Version: 1.0
In-Reply-To: <CAF4+nEGnsmr5+7z52w0Ea7E8Z+osET6sZQkaRQAhawsDqDVYyw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/iJ-4tCAQB8Ma1deXba_ptL6bq70>
Cc: draft-ietf-trill-irb.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-irb-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 03:58:27 -0000

On 06/28/16 08:56 PM, Donald Eastlake wrote:
> Hi Shawan,
>
> Thanks for our comments.
>
> On Mon, Jun 27, 2016 at 2:05 AM, Shawn M Emery <shawn.emery@oracle.com> wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>> These comments were written primarily for the benefit of the security
>> area directors. Document editors and WG chairs should treat these
>> comments just like any other last call comments.
>>
>> This draft specifies layer 3 (inter-subnet) gateway messaging of the
>> TRILL (Transparent Interconnection of Lots of Links) protocol.
>>
>> The security considerations section does exist and refers to Intermediate
>> System to Intermediate System (IS-IS) authentication (RFC 5310) for securing
>> information advertised by Routing Bridges.  For generic TRILL security the
>> draft refers to RFC 6325.  For sensitive data, it prescribes end-to-end
>> security, but does not reference or provide details on how this is done in
>> a layer 3 deployment.
> Would you think it helpful if it gave IPsec and/or TLS as examples of
> protocols that might be used for end-to-end security?

Yes, whatever is commonly used in TRILL and if there are ones that 
shouldn't be used then I would suggest writing text describing why not.

>> General comments:
>>
>> None.
>>
>> Editorial comments:
>>
>> Does TRILL and FGL need to be expanded in the Abstract and Introduction
>> section, respectively?
>> I think it would be helpful to describe the "Inner.VLAN" syntax used
>> throughout the document.
> The payload of a TRILL Data packet looks like an Ethernet frame with a
> VLAN tag which is the inner.VLAN. This could be added to the
> definitions in Section 2.

Thanks for clarifying.

> ...
>> s/optimal pair-wise forwarding path/optimal pair-wise forwarding paths/
> I don't see that in version -13.

The text was part of a new-line.  Let's try:

s/wise forwarding path/wise forwarding paths/

Shawn.
--