Re: [secdir] Secdir review of draft-ietf-trill-mtu-negotiation-05

Donald Eastlake <d3e3e3@gmail.com> Thu, 29 June 2017 19:10 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 559F3129B94; Thu, 29 Jun 2017 12:10:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7UQ8yM7ZPQs9; Thu, 29 Jun 2017 12:10:30 -0700 (PDT)
Received: from mail-io0-x232.google.com (mail-io0-x232.google.com [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B331126DEE; Thu, 29 Jun 2017 12:10:30 -0700 (PDT)
Received: by mail-io0-x232.google.com with SMTP id z62so12573458ioi.3; Thu, 29 Jun 2017 12:10:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7eG+HWccBHaHxwNs9jVyueRdK9UdaMjw7x/Q7hukP5I=; b=KC1ZqqWISuCAUslJucfsOuiDMLX7DvRD7I9+ix8VNXF8cQDkMKZ43eGW2b+66l+RDS 1WIjgS0qjYhfzcKcZLsu0NwRC4sW1vm3UgZSwcQpT2YUZYbAG865gcJO1UUXRsH0JoqH cM3nvdaz8zINaE3l7It7cHtihT0OoB+6UuM+8eWjFB3H3l0CzJm36ENA4ZOhBf8cy1Xg RM75YEZsN+4nIsCAYZn2fBLjfZKiZEORK8PgbWq5xoGVPcx9CS0h80tWWdBaM9cy+e+I KGZ1UilI1hpeiekfV+mO6J9jFIcvtyk/TQU+ZTrvT6+TsFsaaMgVLuc0pfaOr562si06 dqwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7eG+HWccBHaHxwNs9jVyueRdK9UdaMjw7x/Q7hukP5I=; b=LMYvzESCU9qlS94ERXG7J1dU2YaKhRQbipo36aWHwayIngjvTQYsmesKFzzbT9utkf Ws1AxRvNiTFXKSb/IS3vsK9dLiFy+zN7nkywqRpzTQggaGSFx85WvfLMSVEvSaQrKxxD B9H2W5ORLCa3L4hRrM5MaNjyggmNF1ZoC2Gn7qwmAoGyiE9xj0viQi24lnFfD09R7juD h7MwxmUscVzru8YY6zO0iMxinRjC0tVmtrwqwBmt29tc+S/Rdd0gvZ519HjeKjqy1nt7 KpAU9ssR6r2PWUWwLr/IXkFHtf1zIJkwaDqaN01wpEqYWxpfszGi8dvOeKoYGA8vq6zN y1sA==
X-Gm-Message-State: AKS2vOxnJ2G6RRydteqOEqIvnQqoP/Dodnx3RiyP9h+LokGxUSxykIQJ zyLkgW+T8CC1d5pCstoyeiF/GuiKvB2SxuI=
X-Received: by 10.107.31.209 with SMTP id f200mr18541555iof.231.1498763429727; Thu, 29 Jun 2017 12:10:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.17.221 with HTTP; Thu, 29 Jun 2017 12:10:14 -0700 (PDT)
In-Reply-To: <C9487779-64F7-4BB2-AA29-0828108AD4A8@inria.fr>
References: <C9487779-64F7-4BB2-AA29-0828108AD4A8@inria.fr>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Thu, 29 Jun 2017 15:10:14 -0400
Message-ID: <CAF4+nEF3JaeCHeE-QL=Ew87KjY5oNyrrJYY78_NYO29jwJ-JAA@mail.gmail.com>
To: Vincent Roca <vincent.roca@inria.fr>
Cc: IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-trill-mtu-negotiation.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tBVQ7FFuFmjThPp5U7ntV1erSRk>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-mtu-negotiation-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2017 19:10:32 -0000

Hi Vincent,

Thanks for your review.

On Thu, Jun 29, 2017 at 4:47 AM, Vincent Roca <vincent.roca@inria.fr> wrote:
> Hello,
>
> I have reviewed this document as part of the security directorate’s ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> Summary: Ready with issues
>
> This document introduces a new mechanism to assess a link level MTU for local TRILL traffic,
> in addition to the campus level MTU. Therefore I have problems when the authors explain in
> the Security Consider that there is no new security issue: this claim should be detailed.
> For instance, what happens if an RBridge misbehaves (deliberately or not) at the link level or
> at the campus level, and tries to minimize the Lz (or Sz) size? Reporting an
> originatingL1LSPBufferSize smaller than Sz seems to be sufficient at the campus level.
> What prevents or mitigates it? This is just an example and I’m pretty sure other possibilities
> exist.
>
> Since I have the feeling that the « Security Considerations » sections of [RFC6325] and
> [RFC7177] referenced by this document do not address this aspect, I suggest the authors
> add a dedicated paragraph with the threats, counter measures and mitigation techniques
> whenever appropriate.

I have no problem with saying a bit more about this.

However, I reject the idea that this document needs to fill all the
gaps you see in all the Security Consideration sections of TRILL RFCs
on which it is dependent. The goal of this document is to allow TRILL,
for link local IS-IS PDUs, to make us of a link MTU (Lz) that is
higher than the campus wide MTU (Sz). With regard to this feature, the
worst that a misbehaved RBridge could do would be to constrain Lz to
be equal to Sz which really isn't a bit deal.

In TRILL, RBridges are trusted devices and there are just all kinds of
ways they can screw things up by advertising false or malicious
information.

As I say, I have no problem with adding a couple of sentences clarifying this.

> Other comments (not security related):
>
> ** Introduction, second paragraph:
>    The sentence "In other words, if this link..." does not paraphrase the previous sentence:
>    - the first sentence is about a situation where Link MTU X >= campus Sz;
>    - the sentence beginning with "In other words" discusses the opposite situation and introduces
>      another property: "it will not be reported as part of the campus topology". I suggest changing
>      the transition and perhaps the beginning of this paragraph that is not so clear to me.

OK.

>    On the opposite, I find the first few introduction sentences of Section 2 crystal clear on what is
>    Ls and its relationship to Sz, unlike the Introduction.

Well, Section 1 is more of a general introduction about the topic of
TRILL MTU while Section 2 is more specifically about the link local
MTU feature. I think perhaps that paragraph 2 should be split right
after the sentence currently beginning with "In other words," and a
reference to Section 2 added to the new paragraph 3.

> Typos:
>
> ** Introduction: the references [RFC6325] and [RFC7177] that appear at the start of the first two paragraphs are textual, not pointers to the appropriate
> reference.

Sounds like an IETF tools bug to me.

> ** Introduction: "By calculating a using Lz" => "and"

Fixed in version -06.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

> Cheers,
>
>   Vincent