Re: [secdir] Review of draft-ietf-trill-irb-13

Donald Eastlake <d3e3e3@gmail.com> Wed, 06 July 2016 00:32 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6012912D0C8 for <secdir@ietfa.amsl.com>; Tue, 5 Jul 2016 17:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kT5ZKHJ7pbqB for <secdir@ietfa.amsl.com>; Tue, 5 Jul 2016 17:32:11 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F174128E19 for <secdir@ietf.org>; Tue, 5 Jul 2016 17:32:11 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id f189so252094870oig.3 for <secdir@ietf.org>; Tue, 05 Jul 2016 17:32:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lmo2bBzRLyn6W1WR1Wml/EYW72tPryPS7p2ucdcTosY=; b=Hs6u4dTAeEbCy/YUmAkNK5nHkw3FIEmFEGezkSMs+2Ea1AMZ4+lRaE1DaVmeZJmQdK 2E/2qh9ZWJ18gdazpX6Ohe8mewIQI6iyfco0r7M9hBQITRHKb8mzbGtUqy6muWlajAjc TNVHvXwYL14VwREcTFOmPxdKghRH/l0oVmkUQwbZwKox3aCi+8KPLrvY+XRsSkFxCNdP 6uGMarAoUSvyCs1BATriZiiggLB+MLjBuX9DIKwcmNxnjFCcwEPxs0kJRnJewQuTJG3T rU6XDg8CjtIN+NtGy3b1YoyCIf6tCt3lr2sHj+qfqMgBFcYbhPcKfavoq0q1KzbdeSdi Gcdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lmo2bBzRLyn6W1WR1Wml/EYW72tPryPS7p2ucdcTosY=; b=ADUVW1I5Pd4iq/k8Qlvm0O2mbmirwqr5RTZAlFgN6DEZjfOHWPx4QK9LFL7FMqkew5 gVe38JQ6r2GysWdNmm1q/DjUZwlQMPoMjC5270mTDFAsX0SLHORiqIhihSGzBOwHFI/c QPjan7IDPe9JNhF9I43CniuCTnZ0e7mony9gAX3UbO9nhFI040rvAfDNKGJMxkxdq9OV 8Id/27Js8j1/qaX9MRUPqF1V70YyvmOp9qPC1aWO2XIKME56768QpcmFhZzJftlb8Nok R60UhWIbVMBJDCtf5rhDcRBOJuIGX1yrDrmNQcHD/VmeZvEYr5ZxOigdWyW0Uv37ELdP bLyw==
X-Gm-Message-State: ALyK8tJ5z3v66A0tG5zO4HIl6RKNiWfSYVtnDSdqxe2plpo2xNx2UfLKZ+VFj/hp0b5w6PUPksg/EJlY+f7AfQ==
X-Received: by 10.157.47.103 with SMTP id h94mr9451066otb.170.1467765130807; Tue, 05 Jul 2016 17:32:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.52.242 with HTTP; Tue, 5 Jul 2016 17:31:56 -0700 (PDT)
In-Reply-To: <CAF4+nEFrgx_UeW-inyOE-nXv6uchzZpzEjCYnP-ernQ3fs1=gQ@mail.gmail.com>
References: <5729944D.4040403@oracle.com> <5770C231.9060301@oracle.com> <CAF4+nEGnsmr5+7z52w0Ea7E8Z+osET6sZQkaRQAhawsDqDVYyw@mail.gmail.com> <577347DF.2060202@oracle.com> <CAF4+nEFrgx_UeW-inyOE-nXv6uchzZpzEjCYnP-ernQ3fs1=gQ@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 5 Jul 2016 20:31:56 -0400
Message-ID: <CAF4+nEEBb0+cAzDubEZTPWpjy2G0-t1btXS7V5bMXQ=rEjugDw@mail.gmail.com>
To: Shawn M Emery <shawn.emery@oracle.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/y4K2zBnDwpNPwu-XYvH_C_EU9Hk>
Cc: draft-ietf-trill-irb.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-irb-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 00:32:13 -0000

Hi Shawn,

A version -14 has been uploaded with the intent that it resolve your comments.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com


On Wed, Jun 29, 2016 at 2:23 PM, Donald Eastlake <d3e3e3@gmail.com> wrote:
> Hi Shawn,
>
> On Wed, Jun 29, 2016 at 12:00 AM, Shawn M Emery <shawn.emery@oracle.com> wrote:
>> On 06/28/16 08:56 PM, Donald Eastlake wrote:
>>>
>>> Hi Shawan,
>>>
>>> Thanks for our comments.
>>>
>>> On Mon, Jun 27, 2016 at 2:05 AM, Shawn M Emery <shawn.emery@oracle.com>
>>> wrote:
>>>>
>>>> I have reviewed this document as part of the security directorate's
>>>> ongoing effort to review all IETF documents being processed by the IESG.
>>>> These comments were written primarily for the benefit of the security
>>>> area directors. Document editors and WG chairs should treat these
>>>> comments just like any other last call comments.
>>>>
>>>> This draft specifies layer 3 (inter-subnet) gateway messaging of the
>>>> TRILL (Transparent Interconnection of Lots of Links) protocol.
>>>>
>>>> The security considerations section does exist and refers to Intermediate
>>>> System to Intermediate System (IS-IS) authentication (RFC 5310) for
>>>> securing
>>>> information advertised by Routing Bridges.  For generic TRILL security
>>>> the
>>>> draft refers to RFC 6325.  For sensitive data, it prescribes end-to-end
>>>> security, but does not reference or provide details on how this is done
>>>> in
>>>> a layer 3 deployment.
>>>
>>> Would you think it helpful if it gave IPsec and/or TLS as examples of
>>> protocols that might be used for end-to-end security?
>>
>> Yes, whatever is commonly used in TRILL and if there are ones that shouldn't
>> be used then I would suggest writing text describing why not.
>
> End stations attached to a TRILL campus think they are on the same
> local link unless they use or listen for special link control or TRILL
> IS-IS PDUs. So I would say it is no business of TRILL's to say what
> end-to-end security protocol they should or shouldn't use. The
> Security Considerations section is just pointing out the general
> recommendation that end-to-end security is a good idea to supplement
> any security of more limited transit scope, particularly for sensitive
> information.
>
>>>> General comments:
>>>>
>>>> None.
>>>>
>>>> Editorial comments:
>>>>
>>>> Does TRILL and FGL need to be expanded in the Abstract and Introduction
>>>> section, respectively?
>>>> I think it would be helpful to describe the "Inner.VLAN" syntax used
>>>> throughout the document.
>>>
>>> The payload of a TRILL Data packet looks like an Ethernet frame with a
>>> VLAN tag which is the inner.VLAN. This could be added to the
>>> definitions in Section 2.
>>
>> Thanks for clarifying.
>>
>>> ...
>>>>
>>>> s/optimal pair-wise forwarding path/optimal pair-wise forwarding paths/
>>>
>>> I don't see that in version -13.
>>
>> The text was part of a new-line.  Let's try:
>>
>> s/wise forwarding path/wise forwarding paths/
>
> Ah, sorry, found it now. OK.
>
> Thanks,
> Donald (document Shepherd)
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  155 Beaver Street, Milford, MA 01757 USA
>  d3e3e3@gmail.com
>
>> Shawn.
>> --