Re: [secdir] SECDIR review of draft-ietf-trill-esadi-07
Donald Eastlake <d3e3e3@gmail.com> Wed, 30 April 2014 16:08 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 941EA1A0928 for <secdir@ietfa.amsl.com>; Wed, 30 Apr 2014 09:08:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5tBjDEAxyo6P for <secdir@ietfa.amsl.com>; Wed, 30 Apr 2014 09:08:40 -0700 (PDT)
Received: from mail-oa0-x22d.google.com (mail-oa0-x22d.google.com [IPv6:2607:f8b0:4003:c02::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 2816C1A08E8 for <secdir@ietf.org>; Wed, 30 Apr 2014 09:08:40 -0700 (PDT)
Received: by mail-oa0-f45.google.com with SMTP id eb12so2210553oac.18 for <secdir@ietf.org>; Wed, 30 Apr 2014 09:08:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=Ry/fNMi0uDG40vjl2q0eLpsebHZcTzfehIGieHMkf1Y=; b=pYgNlDGaOb0fa0WlTuNM8/DoY+sK4tmXvDOhv6shkFmV18uNIMbaFHDeDS787fWCkA jq47XT9CEaf3NOMslYPHBChUfkCG9vW4e+PKjmqWJq/5eJRECqLL/N8i9r/0Wy8P4KAI 9PC8ulN+6XklHDxuWC17lQHWvYQmwrhZ5s1wdtNDxRAXG4t321V7POlk9LFeuzE6SrUR yTZjw4NA6MPRyVsn7Kw3fNwZY8sN6MTq2XgHFNfQ/vF1UkVucwNxKBPBBs4bGmFclvsQ TAdyixervsvjmxyvM7A+K8E8CG/WqYHb6fnyMu0W+tqEpAKERkhSHY8mJuY7096xEcbC xHUg==
X-Received: by 10.182.22.227 with SMTP id h3mr4934312obf.36.1398874118485; Wed, 30 Apr 2014 09:08:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.76.25.41 with HTTP; Wed, 30 Apr 2014 09:08:18 -0700 (PDT)
In-Reply-To: <CAMm+LwgcA98LiubRSOgEAFSgXyWzT_rk-WyriY_SXq8AMBim3g@mail.gmail.com>
References: <CAMm+LwgcA98LiubRSOgEAFSgXyWzT_rk-WyriY_SXq8AMBim3g@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 30 Apr 2014 12:08:18 -0400
Message-ID: <CAF4+nEHnuUkeiHd1R5EJ5UrLmSX=UVmTuGzxxU_nLGsVawZ7-Q@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/kFYG4Y_LDZy5LhmGQ2vYhF1Em9I
Cc: draft-ietf-trill-esadi.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-trill-esadi-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 16:08:41 -0000
Hi Phil, On Thu, Apr 24, 2014 at 11:52 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should > treat these comments just like any other last call comments. > > This document is describing extensions to a routing infrastructure. > As such the only security properties that are reasonably achievable > without inappropriate assumptions such as trustworthy routing nodes > is to assure continuity of service. We should assume that > authentication and confidentiality of the message content are > assured via some end-to-end means where the ends are the source and > destination of the messages. I agree that people should use end-to-end security to protect their data in transit but that isn't really related to this ESADI document. It is helpful to have read RFC 6325, the TRILL base protocol specification, in understanding this document, which is why the ESADI draft says "familiarity with [RFC6325] is particularly assumed". I view this ESADI document as providing two things: (1) A reliable information flooding mechanism that is scoped by data label (VLAN or fine grained label) such that, in a quiescent network, all TRILL switches that have advertised interest in a particular label will end up with the same flooded information state associated with that label. (2) A method of using the facility in item (1) above to flood information on the reachability of end stations by edge TRILL switches. Edge TRILL switches need to learn what end station destinations are reachable from (i.e., connected to) edge TRILL switch in order to efficiently handle end station traffic. By default they learn from observation of the data plane. ESADI provide a mechanism whereby such reachability information for an end station in data label X, however learned, can be flooded to all TRILL switches that also advertise interest in data label X and are participating in ESADI for data label X. ESADI uses essentially the same mechanisms to authenticate its reliable flooding mechanism as does IS-IS. End stations reachability information can be learned through cryptographically hardened Layer 2 registration methods a couple of which I give as examples below. This ESADI document does not specify any such Layer 2 end station registration methods and does not require their use but suggests that their use could improve security. > [It would be rather useful if the IAB would draft a document that > would state what security properties are expected at which level] > > ESADI does provide for improved service assurances by allowing the > authentication of nodes. End stations can authenticate to an edge TRILL switch if the edge TRILL switch supports an existing Layer 2 authentication/registration protocol. Example registration protocols might be Wi-Fi (IEEE 802.11) association and authentication or IEEE 802.1X port based authentication, both of which use the IETF EAP (Extensible Authentication Protocol). > What is less clear is how this authentication is leveraged Section > 5.1 suggests that authenticating endpoints permits higher confidence > to be built up. if end nodes are authenticated to their MAC > address. But this authentication only has value if there is a chain > of custody authentication to the relying party. Section 6.2 > describes a mechanism that might be relevant here. A pointer would > be helpful. TRILL has a facility for assigning a one byte unsigned integer confidence level to any particular association of a destination to an edge TRILL switch from which that destination is reachable. Section 5.1 mentions that it is reasonable for the network manager to assign a higher confidence level to such edge TRILL switch end station reachability information if it was learned through a secured registration protocol. I think you meant to refer to Section 6.3 that talks about authenticating ESADI PDUs, particularly the default authentication if nothing more specific is configured. That mechanism can be used to authenticate end station destination reachability information as it is flooded with ESADI and provides at least some sort of "chain of custody", as you refer to it, between the originating TRILL switch and the relying TRILL switch. You say "a pointer would be helpful" but I'm not sure what pointer you want. We could add a reference to RFC 5310, "IS-IS Generic Cryptographic Authentication" since, as I say, the method for authenticating ESADI PDUs is essentially the same as that used in IS-IS. Thanks, Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA d3e3e3@gmail.com > -- > Website: http://hallambaker.com/
- [secdir] SECDIR review of draft-ietf-trill-esadi-… Phillip Hallam-Baker
- Re: [secdir] SECDIR review of draft-ietf-trill-es… Donald Eastlake