Re: [trill] Kathleen Moriarty's Discuss on draft-ietf-trill-transport-over-mpls-07: (with DISCUSS)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 18 March 2018 13:49 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6E6512711A; Sun, 18 Mar 2018 06:49:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i5fjVC24Z1W4; Sun, 18 Mar 2018 06:49:22 -0700 (PDT)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF0BC12D7E4; Sun, 18 Mar 2018 06:49:21 -0700 (PDT)
Received: by mail-io0-x234.google.com with SMTP id h23so17666074iob.11; Sun, 18 Mar 2018 06:49:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=e1ul8yETnHuLyjgmaZJXL7h5pk8ARfJ00zOlBWImqzI=; b=tEhx4Jby92b902s8rHypKr07a7BehlD5G0NQixndDRuMoxK1aQgFrGVzfwpGYiM/Zz NAzpTPIGL47FaUq3vsP/rUU8Y3pXLDZl4j4FIQyXQcgCbylBwhyIZaKnKOMZnrItyOG5 57lDiwQoyxZSfBOf3XxcrFEpZMQPBDqqYydnXTO9pwx8DnDczQV8gY+e0RSZKMBpfgRW s7kQwop5WRa4z3b4ROwHwt0U9NsIsrth/646dVlG/V7rBm8444CC3J2MD2tC68IGo9IT unC2w7QKF8LlOhpsg3fSFXKVWDUk7Ac/yeKQp57MO9342tPVs/rbHG5x6o94tZDTNXwp 4QnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=e1ul8yETnHuLyjgmaZJXL7h5pk8ARfJ00zOlBWImqzI=; b=T8Nr2ff4N3U5EBerzEen9QpjQ72OWmW5t+KVkLjFNkW5pWEtx7LZGzIplyChlEpeYK XT2SMXcPuv2UgDg4deMP1pm1dyXuIsIkSYBip59hkCEIpPDrJulJFCmcwjhIMbqJk4BA BDZf5M4MPXIMvwjpgZcmvSOY2qDjaCnFycIMR2PD3+PHrgRhEWpJwjYP02zf/XOk+Lq3 2wmfrU9Wp8/PhWPEQfdS//dja6dgnzcgsZmDDkfAQqc92BmFO9BT4s7Rk7t8h7flGzyN EK6+W3TcQQATul4o+hdjeWf+MWs3M7a83xqrRkYXJB8YY65DGTOltXPsELDeUbjtD7Fk bB9g==
X-Gm-Message-State: AElRT7GAcI+af6BSTwrjCly+YcRbAo1r26J02JqHAUB/Hq3ei/0R7XgC zs8KdZsMW30NDAYM7Q+Klv8QuZdrE7/KVpyvNRU=
X-Google-Smtp-Source: AG47ELtVkN7Z3YHdmZtT/BH1UHn42aitPpgttDW3Mt9IyiI6XTUbZVt1nUJo1n0hwQTMYqnH9OP6l6AzbvYWxnSD9pM=
X-Received: by 10.107.18.162 with SMTP id 34mr8392625ios.168.1521380961204; Sun, 18 Mar 2018 06:49:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.192.156.137 with HTTP; Sun, 18 Mar 2018 06:48:40 -0700 (PDT)
In-Reply-To: <CAF4+nEHOa0mDs8WO1am682h+udX=opOo2LXuwb-LrHqRAvqWug@mail.gmail.com>
References: <152046007311.21264.6753387370948470401.idtracker@ietfa.amsl.com> <CAA=duU1oeLWddg=ewEvB=uG+kD45Hg4HvAVkLsHA1xhTRi2-VA@mail.gmail.com> <CAF4+nEGo7hYUBbh4FzaOtt2=ufnNKXA7ybARP7yp4H3_AaXTrw@mail.gmail.com> <CAHbuEH6Ces1aGJMb=_TGfAs8gLYpaPq6AoyeLwo-CumrrYCLZA@mail.gmail.com> <CAF4+nEHOa0mDs8WO1am682h+udX=opOo2LXuwb-LrHqRAvqWug@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Sun, 18 Mar 2018 09:48:40 -0400
Message-ID: <CAHbuEH5=gjekgzAVrp57adG88jOqN=u+ezRLUpEJx1psRodboA@mail.gmail.com>
To: Donald Eastlake <d3e3e3@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-trill-transport-over-mpls@ietf.org, trill-chairs@ietf.org, Susan Hares <shares@ndzh.com>, trill IETF mailing list <trill@ietf.org>, "Andrew G. Malis" <agmalis@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/AIgbr2AsjaWAIltILMho4bNjkeg>
Subject: Re: [trill] Kathleen Moriarty's Discuss on draft-ietf-trill-transport-over-mpls-07: (with DISCUSS)
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 13:49:32 -0000
Hi Donald, Thanks for your response, inline. On Wed, Mar 14, 2018 at 4:52 PM, Donald Eastlake <d3e3e3@gmail.com> wrote: > Hi Kathleen, > > On Wed, Mar 14, 2018 at 2:28 PM, Kathleen Moriarty > <kathleen.moriarty.ietf@gmail.com> wrote: >> Hi Donald, >> >> Thanks for the proposed text. Please see inline. >> >> On Mon, Mar 12, 2018 at 10:01 PM, Donald Eastlake <d3e3e3@gmail.com> >> wrote: >>> Hi Kathleen, >>> >>> Would the following replacement Security Considerations section for >>> draft-ietf-trill-transport-over-mpls be adequate? >>> >>> >>> This document specifies methods using existing standards and >>> facilities in ways that do not create new security problems. >>> >>> For general VPLS security considerations, including discussion of >>> isolating customers from each other, see [RFC4761] and [RFC4762]. >>> >>> For transport of TRILL by Pseudowires security consideration, see >>> [RFC7173]. In particular, since pseudowires are support by MPLS or IP >>> which are in turn supported by a link layer, that document recommends >>> using IP security or the lower link layer security. >>> >>> For added security against the compromise of data end-to-end >>> encryption and authentication should be considered; that is, >>> encryption and authentication from source end station to destination >>> end station. >> >> Would this be accomplished through IPsec? > > For end-to-end security, it could be. Or DTLS. Whatever is convenient for > the information you want to protect. Since end stations are connected to > edge TRILL switches via Ethernet, if you wanted to protect all of the data > between two end stations, you could use IEEE Std 802.1AE. Do you want a list > added? Yes, I think that would be helpful. Thank you. > >> If encryption and authentication are not employed, what are the risks >> to tenant isolation since this draft joins TRILL campuses? > > I wouldn't say that the draft "joins TRILL campuses". If a TRILL campus is > actually structured so that the connectivity being provided is connecting > two islands, then you could say it is making those TRILL switches parts of > the same campus. The term "campus" in TRILL is not intended to have any > geographic (or academic) implication but rather, to be for TRILL switches > the same as the term "bridged LAN" is for IEEE 802.1 bridges. > > Whenever a link extends outside local physical control, there is increased > risk. Assuming a link between two TRILL switch ports in a TRILL campus is > Ethernet, it could be anything from a little copper on a backplane inside a > cabinet to Ethernet connectivity purchased from a carrier and extending > hundreds of miles. > > If you are talking about the risk of a TRILL campus merging with a malicious > TRILL switch, that can be avoided by IS-IS PDU authentication. Until > adjacency is establish (RFC 7177), which requires successful exchange of > IS-IS Hellos PDUs, no data will flow. > >> I think >> there should be text that explains this risk in addition to the text >> already proposed. > > How about adding text like the following: > > > Transmission outside the customer environment through the provider > environment, as described in this document, increases risk of compromise or > injection of false data through failure of tenant isolation or by the > provider. In the VPLS model (Section 3), the use of link encryption and > authentication between the CEs of a tenant that is being connected through > provider facilities should be a good defense. In the VPTS model (Section 4), > it is assumed that the CEs will peer with virtual TRILL switches of the > provider network and thus link security between TRILL switch ports is > inadequate as it will terminate at the edge PE. Thus, end station to end > station encryption and authentication is more appropriate for the VPTS > model. That's helpful, thanks for the proposed text. Best regards, Kathleen > > > Thanks, > Donald > =============================== > Donald E. Eastlake 3rd +1-508-333-2270 (cell) > 155 Beaver Street, Milford, MA 01757 USA > d3e3e3@gmail.com > >> Thanks, >> Kathleen >> >>> >>> For general TRILL security considerations, see [RFC6325]. >>> >>> >>> Thanks, >>> Donald >>> =============================== >>> Donald E. Eastlake 3rd +1-508-333-2270 (cell) >>> 155 Beaver Street, Milford, MA 01757 USA >>> d3e3e3@gmail.com >>> >>> On Wed, Mar 7, 2018 at 5:35 PM, Andrew G. Malis <agmalis@gmail.com> >>> wrote: >>>> >>>> Kathleen, >>>> >>>> I don’t want to speak for the authors. However, I did contribute to this >>>> draft (although not this specific section). So that said, here’s my two >>>> cents …. >>>> >>>> I agree that first sentence could have been worded better, but the >>>> bottom >>>> line is that depending on the model used, the security considerations >>>> for >>>> RFC 7173, 4761, or 4762 applies, including the discussions in those RFCs >>>> on >>>> issues such as isolation and end-to-end security. Those RFCs are >>>> referenced >>>> in the security section. So the substance is already there, perhaps the >>>> draft just needs better pointers to it. >>>> >>>> Cheers, >>>> Andy >>>> >>>> >>>> On Wed, Mar 7, 2018 at 5:01 PM, Kathleen Moriarty >>>> <Kathleen.Moriarty.ietf@gmail.com> wrote: >>>>> >>>>> Kathleen Moriarty has entered the following ballot position for >>>>> draft-ietf-trill-transport-over-mpls-07: Discuss >>>>> >>>>> When responding, please keep the subject line intact and reply to all >>>>> email addresses included in the To and CC lines. (Feel free to cut this >>>>> introductory paragraph, however.) >>>>> >>>>> >>>>> Please refer to >>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html >>>>> for more information about IESG DISCUSS and COMMENT positions. >>>>> >>>>> >>>>> The document, along with other ballot positions, can be found here: >>>>> https://datatracker.ietf.org/doc/draft-ietf-trill-transport-over-mpls/ >>>>> >>>>> >>>>> >>>>> ---------------------------------------------------------------------- >>>>> DISCUSS: >>>>> ---------------------------------------------------------------------- >>>>> >>>>> I was very surprised to see the following in the security >>>>> considerations >>>>> section and would like to work with you on improvements. >>>>> As an informational document specifying methods that use only >>>>> existing standards and facilities, this document has no effect on >>>>> security. >>>>> >>>>> Having watched many TRILL documents go by in the last 4 years, we >>>>> didn't >>>>> push >>>>> too hard on security in some cases as a result of the restriction to a >>>>> campus >>>>> network. This particular document extends into multi-tenancy where >>>>> there >>>>> are >>>>> certainly security considerations introduced to be able to provide >>>>> isolation >>>>> properties. MPLS offers no security and it is being used to join TRILL >>>>> campuses as described int his draft. This is done without any >>>>> requirement of >>>>> an overlay protocol to provide security - why is that the case? >>>>> Minimally, the >>>>> considerations need to be explained. Ideally, a solution should be >>>>> offered to >>>>> protect tenants when TRILL campuses are joined. >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> trill mailing list >>>>> trill@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/trill >>>> >>>> >>> >> >> >> >> -- >> >> Best regards, >> Kathleen -- Best regards, Kathleen
- [trill] Kathleen Moriarty's Discuss on draft-ietf… Kathleen Moriarty
- Re: [trill] Kathleen Moriarty's Discuss on draft-… Andrew G. Malis
- Re: [trill] Kathleen Moriarty's Discuss on draft-… Donald Eastlake
- Re: [trill] Kathleen Moriarty's Discuss on draft-… Kathleen Moriarty
- Re: [trill] Kathleen Moriarty's Discuss on draft-… Donald Eastlake
- Re: [trill] Kathleen Moriarty's Discuss on draft-… Kathleen Moriarty