[trill] draft-ietf-trill-smart-end-nodes-06.txt - Comments upon forwarding to the AD

"Susan Hares" <shares@ndzh.com> Mon, 22 January 2018 16:53 UTC

Return-Path: <shares@ndzh.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C168D127775; Mon, 22 Jan 2018 08:53:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.946
X-Spam-Level:
X-Spam-Status: No, score=0.946 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q04VO2N8iAeF; Mon, 22 Jan 2018 08:53:53 -0800 (PST)
Received: from hickoryhill-consulting.com (50-245-122-97-static.hfc.comcastbusiness.net [50.245.122.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDA041273B1; Mon, 22 Jan 2018 08:53:52 -0800 (PST)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=166.176.249.181;
From: "Susan Hares" <shares@ndzh.com>
To: <trill@ietf.org>
Cc: "'Donald Eastlake'" <d3e3e3@gmail.com>, <trill-chairs@ietf.org>, "'Alia Atlas'" <akatlas@gmail.com>, "'Kathleen Moriarty'" <kathleen.moriarty.ietf@gmail.com>, "'Eric Rescorla'" <ekr@mozilla.com>
Date: Mon, 22 Jan 2018 11:53:49 -0500
Message-ID: <015501d393a1$942f9380$bc8eba80$@ndzh.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0156_01D39377.AB5A4ED0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdOTmfFdF6okJfuARjy10Cbxu4Jeww==
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/0H11PSmJITTcVy-9_PpmQ6Im9Bo>
Subject: [trill] draft-ietf-trill-smart-end-nodes-06.txt - Comments upon forwarding to the AD
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jan 2018 16:53:55 -0000

Version 6 fixes the issues we discussed in IETF 99 and 100 - so I am
forwarding this to the AD for Evaluation. 

I want to complement you on improving the readability of the draft. 

 

Two editorial nits exist, and I will be asking the AD one significant
question which I provide to you.  This question arose out of a discussion
with the Security ADs last week (which was original scheduled in November). 

 

I had been awaiting the meeting with the Security ADs before forwarding this
draft.   Hopefully, it will raise this question early in the process. I
apologize to the authors (especially Fangwei and Donald) for the lengthy
delay in posting this shepherd review. 

 

We have also been awaiting the response from Julien Meuric in his routing
directorate review. 

https://www.ietf.org/mail-archive/web/rtg-dir/current/msg02740.html

 

I've sent another query to him this morning.  The authors and I will need to
work all of these reviews in parallel as we do not have enough time to work
these in series.  I would like to ask the authors of
draft-ietf-smart-end-nodes to be watching all of this email.  I am going to
push to resolve all issues quickly this week.  Please be ready to revise
this document based on exterior reviews. 

 

Sue Hares 

 

------------

 

Significant Security question: 

 

Shepherd question to the AD (1/22/2018): 

Does this security section need to explain the risks of an 

end-node participating with secured hellos using 

authentication TLVs [RFC5310], TRILL ES-IS Security [RFC8171],

ISIS general cryptographic security, and TRILL's general 

security considerations.  The WG thought was to not repeat

the thought and comments presented in these other drafts.

 

The WG believes that with TRILL security and authentication 

this end node is as secure as the main TRILL infrastructure and 

any IS-IS infrastructure. Does the draft need a summary of these mechanisms
in the draft? 

If so this could be added in section 7.  Otherwise, section 7 is very brief.


 

Should possible attack vectors for remote dual homed nodes be added

to section 7.  These attack vectors are similar for any stub ISIS/OSPF node.


As you will note in the  IESG review draft-ietf-ospf-link-overload-12, the 

potential attacks for stub ISIS/OSPF nodes or smart-end nodes may be
slightly 

different than core nodes.  However, this is a general case of problems. 

In general, I think this general attack vector belongs in a routing-area

related draft relating to all IGPs (OSPF, ISIS, Babel) or IGP that support

L2 forwarding (E.g. TRILL).

 

Editorial nits  - catch next time you do a revision or as RFC editor note

Page 6 in Holding time: paragraph. 

 Old /Holding Time in the IS-IS Hellos [IS-IS] ./

New/Holding Time in the IS-IS Hellos [IS-IS]./ 

 

(note your processor added a space prior to the period.) 

Page 8 section 5.2 last paragraph

OLD/nickname as the niknamae/

New/nickname as the nickname/

 

Sue Hares