Re: [secdir] Review of draft-ietf-trill-irb-13

Donald Eastlake <d3e3e3@gmail.com> Wed, 29 June 2016 18:23 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D6B812D5E7 for <secdir@ietfa.amsl.com>; Wed, 29 Jun 2016 11:23:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZHWExUUaRpw for <secdir@ietfa.amsl.com>; Wed, 29 Jun 2016 11:23:46 -0700 (PDT)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79FCF12D5DE for <secdir@ietf.org>; Wed, 29 Jun 2016 11:23:43 -0700 (PDT)
Received: by mail-ob0-x22c.google.com with SMTP id ru5so37398807obc.1 for <secdir@ietf.org>; Wed, 29 Jun 2016 11:23:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SOstYPPI3MKJjmffOwYCeJ0V8Q8wNIZ2gicwfKA4WLM=; b=AjSJ3X7Ux6xVZs9PMi9LJzA09pyohR3UV+ViBzcnbYFyCKKNULNRWQr0HQONzQ5WsD nEZIU0Qjk+tJ0rORa6CoxhjibJAsmbo3yqVaWH6dSo03RPtOBpX65b+8PM4PEtFLWUPt xYenAobwXSSV6QuijZ86HFOpVGKD77txKdEIHndqg2OlQRQQt4q9iILGlw5qzO2Ajb9m VPpEUfP6PjG67O/+MdosiUhIm67IjbAFmay33pqLAwoYC05c+aCw6Lmd5193bIcFSDak PZ9y8wqLdqsNrdYbs5CE3qLw9dpniSGzrPVoJVnlPd32SXAsIlHz6Pc3+1DGdT/yQN6V iTbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SOstYPPI3MKJjmffOwYCeJ0V8Q8wNIZ2gicwfKA4WLM=; b=PiyBMIljWdWjA0zadTD1p0143uJno0SgvbwX02L+Nj0m1BGKrM5zS6KnYZvVUMbXso zW01i8imtlHTWQdvOIwMF7t1RaJoKv6/bqwflwp9vex1B9COdkLPjPBkC2zdxag7Katc 3FeZ7AVxp8fTCkzlnucr2LKYjvjtcPNYT+wzZ+ChrzlOe3G1kCvab2izKhBteliCEg2x ViMuACRJ1ma8hDTqag5E5ecAACOUADxEr9Bf6/vdJJJVJqM8MKvC5QF0BYf3npqNLoKi PmERVcfMtdFc+siHQ/gt87xiDrmxQ68bZ8UalEbkd+OwW/v2GlDSBKOJZBTi7L5/1QGX cDYA==
X-Gm-Message-State: ALyK8tIr87x6PsFf+RbU9XnpQS6ahEbDroUF/8lDJ4qO7jgL/FbcfWbVEFrrpoWmPaqs8uvfOR5l9N7wWDYu6Q==
X-Received: by 10.202.229.66 with SMTP id c63mr6643404oih.81.1467224622836; Wed, 29 Jun 2016 11:23:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.52.242 with HTTP; Wed, 29 Jun 2016 11:23:28 -0700 (PDT)
In-Reply-To: <577347DF.2060202@oracle.com>
References: <5729944D.4040403@oracle.com> <5770C231.9060301@oracle.com> <CAF4+nEGnsmr5+7z52w0Ea7E8Z+osET6sZQkaRQAhawsDqDVYyw@mail.gmail.com> <577347DF.2060202@oracle.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 29 Jun 2016 14:23:28 -0400
Message-ID: <CAF4+nEFrgx_UeW-inyOE-nXv6uchzZpzEjCYnP-ernQ3fs1=gQ@mail.gmail.com>
To: Shawn M Emery <shawn.emery@oracle.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/lj6j7IdKRzc4Kzb7hOdNY6A-8nY>
Cc: draft-ietf-trill-irb.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-irb-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 18:23:50 -0000

Hi Shawn,

On Wed, Jun 29, 2016 at 12:00 AM, Shawn M Emery <shawn.emery@oracle.com> wrote:
> On 06/28/16 08:56 PM, Donald Eastlake wrote:
>>
>> Hi Shawan,
>>
>> Thanks for our comments.
>>
>> On Mon, Jun 27, 2016 at 2:05 AM, Shawn M Emery <shawn.emery@oracle.com>
>> wrote:
>>>
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the IESG.
>>> These comments were written primarily for the benefit of the security
>>> area directors. Document editors and WG chairs should treat these
>>> comments just like any other last call comments.
>>>
>>> This draft specifies layer 3 (inter-subnet) gateway messaging of the
>>> TRILL (Transparent Interconnection of Lots of Links) protocol.
>>>
>>> The security considerations section does exist and refers to Intermediate
>>> System to Intermediate System (IS-IS) authentication (RFC 5310) for
>>> securing
>>> information advertised by Routing Bridges.  For generic TRILL security
>>> the
>>> draft refers to RFC 6325.  For sensitive data, it prescribes end-to-end
>>> security, but does not reference or provide details on how this is done
>>> in
>>> a layer 3 deployment.
>>
>> Would you think it helpful if it gave IPsec and/or TLS as examples of
>> protocols that might be used for end-to-end security?
>
> Yes, whatever is commonly used in TRILL and if there are ones that shouldn't
> be used then I would suggest writing text describing why not.

End stations attached to a TRILL campus think they are on the same
local link unless they use or listen for special link control or TRILL
IS-IS PDUs. So I would say it is no business of TRILL's to say what
end-to-end security protocol they should or shouldn't use. The
Security Considerations section is just pointing out the general
recommendation that end-to-end security is a good idea to supplement
any security of more limited transit scope, particularly for sensitive
information.

>>> General comments:
>>>
>>> None.
>>>
>>> Editorial comments:
>>>
>>> Does TRILL and FGL need to be expanded in the Abstract and Introduction
>>> section, respectively?
>>> I think it would be helpful to describe the "Inner.VLAN" syntax used
>>> throughout the document.
>>
>> The payload of a TRILL Data packet looks like an Ethernet frame with a
>> VLAN tag which is the inner.VLAN. This could be added to the
>> definitions in Section 2.
>
> Thanks for clarifying.
>
>> ...
>>>
>>> s/optimal pair-wise forwarding path/optimal pair-wise forwarding paths/
>>
>> I don't see that in version -13.
>
> The text was part of a new-line.  Let's try:
>
> s/wise forwarding path/wise forwarding paths/

Ah, sorry, found it now. OK.

Thanks,
Donald (document Shepherd)
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

> Shawn.
> --