Re: [secdir] Review of draft-ietf-trill-irb-13

Shawn M Emery <shawn.emery@oracle.com> Wed, 06 July 2016 05:45 UTC

Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6C1E12B05E for <secdir@ietfa.amsl.com>; Tue, 5 Jul 2016 22:45:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.647
X-Spam-Level:
X-Spam-Status: No, score=-5.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzXYDmzCoHAh for <secdir@ietfa.amsl.com>; Tue, 5 Jul 2016 22:45:32 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4001212B03D for <secdir@ietf.org>; Tue, 5 Jul 2016 22:45:32 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u665jSeP020844 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 6 Jul 2016 05:45:28 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u665jRYh028353 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 6 Jul 2016 05:45:27 GMT
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id u665jPB1023264; Wed, 6 Jul 2016 05:45:26 GMT
Received: from [10.159.78.203] (/10.159.78.203) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 06 Jul 2016 05:45:25 +0000
To: Donald Eastlake <d3e3e3@gmail.com>
References: <5729944D.4040403@oracle.com> <5770C231.9060301@oracle.com> <CAF4+nEGnsmr5+7z52w0Ea7E8Z+osET6sZQkaRQAhawsDqDVYyw@mail.gmail.com> <577347DF.2060202@oracle.com> <CAF4+nEFrgx_UeW-inyOE-nXv6uchzZpzEjCYnP-ernQ3fs1=gQ@mail.gmail.com> <CAF4+nEEBb0+cAzDubEZTPWpjy2G0-t1btXS7V5bMXQ=rEjugDw@mail.gmail.com>
From: Shawn M Emery <shawn.emery@oracle.com>
Message-ID: <577C9B7B.1030209@oracle.com>
Date: Tue, 05 Jul 2016 23:47:39 -0600
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
MIME-Version: 1.0
In-Reply-To: <CAF4+nEEBb0+cAzDubEZTPWpjy2G0-t1btXS7V5bMXQ=rEjugDw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/rlKLJ20bwCWTZ_ZfPkzX61n9qGo>
Cc: draft-ietf-trill-irb.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-irb-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 05:45:34 -0000

Hi Donald,

The updates clarifying elements of the security considerations section 
looks great.  All the other updates looks good as well, with a few nits 
below:

s/TENANT- GWMAC-LABEL/TENANT-GWMAC-LABEL/
s/for the updating/for the updates/
s/that tenant how/that tenant on how/

Thanks,

Shawn.
--
On 07/ 5/16 06:31 PM, Donald Eastlake wrote:
> Hi Shawn,
>
> A version -14 has been uploaded with the intent that it resolve your comments.
>
> Thanks,
> Donald
> ===============================
>   Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>   155 Beaver Street, Milford, MA 01757 USA
>   d3e3e3@gmail.com
>
>
> On Wed, Jun 29, 2016 at 2:23 PM, Donald Eastlake <d3e3e3@gmail.com> wrote:
>> Hi Shawn,
>>
>> On Wed, Jun 29, 2016 at 12:00 AM, Shawn M Emery <shawn.emery@oracle.com> wrote:
>>> On 06/28/16 08:56 PM, Donald Eastlake wrote:
>>>> Hi Shawan,
>>>>
>>>> Thanks for our comments.
>>>>
>>>> On Mon, Jun 27, 2016 at 2:05 AM, Shawn M Emery <shawn.emery@oracle.com>
>>>> wrote:
>>>>> I have reviewed this document as part of the security directorate's
>>>>> ongoing effort to review all IETF documents being processed by the IESG.
>>>>> These comments were written primarily for the benefit of the security
>>>>> area directors. Document editors and WG chairs should treat these
>>>>> comments just like any other last call comments.
>>>>>
>>>>> This draft specifies layer 3 (inter-subnet) gateway messaging of the
>>>>> TRILL (Transparent Interconnection of Lots of Links) protocol.
>>>>>
>>>>> The security considerations section does exist and refers to Intermediate
>>>>> System to Intermediate System (IS-IS) authentication (RFC 5310) for
>>>>> securing
>>>>> information advertised by Routing Bridges.  For generic TRILL security
>>>>> the
>>>>> draft refers to RFC 6325.  For sensitive data, it prescribes end-to-end
>>>>> security, but does not reference or provide details on how this is done
>>>>> in
>>>>> a layer 3 deployment.
>>>> Would you think it helpful if it gave IPsec and/or TLS as examples of
>>>> protocols that might be used for end-to-end security?
>>> Yes, whatever is commonly used in TRILL and if there are ones that shouldn't
>>> be used then I would suggest writing text describing why not.
>> End stations attached to a TRILL campus think they are on the same
>> local link unless they use or listen for special link control or TRILL
>> IS-IS PDUs. So I would say it is no business of TRILL's to say what
>> end-to-end security protocol they should or shouldn't use. The
>> Security Considerations section is just pointing out the general
>> recommendation that end-to-end security is a good idea to supplement
>> any security of more limited transit scope, particularly for sensitive
>> information.
>>
>>>>> General comments:
>>>>>
>>>>> None.
>>>>>
>>>>> Editorial comments:
>>>>>
>>>>> Does TRILL and FGL need to be expanded in the Abstract and Introduction
>>>>> section, respectively?
>>>>> I think it would be helpful to describe the "Inner.VLAN" syntax used
>>>>> throughout the document.
>>>> The payload of a TRILL Data packet looks like an Ethernet frame with a
>>>> VLAN tag which is the inner.VLAN. This could be added to the
>>>> definitions in Section 2.
>>> Thanks for clarifying.
>>>
>>>> ...
>>>>> s/optimal pair-wise forwarding path/optimal pair-wise forwarding paths/
>>>> I don't see that in version -13.
>>> The text was part of a new-line.  Let's try:
>>>
>>> s/wise forwarding path/wise forwarding paths/
>> Ah, sorry, found it now. OK.
>>
>> Thanks,
>> Donald (document Shepherd)
>> ===============================
>>   Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>   155 Beaver Street, Milford, MA 01757 USA
>>   d3e3e3@gmail.com
>>
>>> Shawn.
>>> --