Re: [trill] Stephen Farrell's Discuss on draft-ietf-trill-pseudonode-nickname-06: (with DISCUSS)
Donald Eastlake <d3e3e3@gmail.com> Thu, 24 September 2015 03:47 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ACC31B2C8A; Wed, 23 Sep 2015 20:47:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HDpVtFoTcFwu; Wed, 23 Sep 2015 20:47:09 -0700 (PDT)
Received: from mail-ob0-x231.google.com (mail-ob0-x231.google.com [IPv6:2607:f8b0:4003:c01::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DDA41B2C9B; Wed, 23 Sep 2015 20:47:09 -0700 (PDT)
Received: by obbmp4 with SMTP id mp4so49231695obb.3; Wed, 23 Sep 2015 20:47:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=KQgLx+gop6xtDdiKttBgRPbUGznTzAUAHZAF+lz7ySk=; b=SDgsqGtx2seJyP4U5YQlEsKs/h5cYmENdESiPidNvF03YfCRPfyklheUyA4d1BvuIs wmSme1K1sc0QJeaqD0o4083bB1lGikZFxS3waWLgIL0zqN7rA6GpCnSOenz0PiJCIi1A Wcdepd7BC1Drame3UtV4cbi+7+bvYJibMZ0aXHhCXsQav0fPqwKVSbZvoZjTrrOMjvrr x5IaevI9YS/UXtQmWUrYgjjKOl3r+ZfM0nv/hD3Nn3yU+kGV70AnNp2uh7P8DxtC+sff i1ab0PvA7mSkhkWBqqoTTj1S0o6RiUCE7PL32AKjQVXp4ocvzYygh4Q4Bnf3ebdt5jVu Sd0Q==
X-Received: by 10.60.118.162 with SMTP id kn2mr20745924oeb.80.1443066428443; Wed, 23 Sep 2015 20:47:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.76.144.65 with HTTP; Wed, 23 Sep 2015 20:46:54 -0700 (PDT)
In-Reply-To: <CAF4+nEFEJj8NyuMA2M_f0cGQLUFuYSOKg8jrYRWtzicZFSNqUA@mail.gmail.com>
References: <20150917103447.13065.86001.idtracker@ietfa.amsl.com> <CAF4+nEFEJj8NyuMA2M_f0cGQLUFuYSOKg8jrYRWtzicZFSNqUA@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 23 Sep 2015 23:46:54 -0400
Message-ID: <CAF4+nEEzG1GcYEdMj9bhS50JAsQ=LAE=qT3YnCNa-3NBdXr0eg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trill/D13S8FEmOBxSAdfs76h3TejXjYs>
Cc: draft-ietf-trill-pseudonode-nickname.shepherd@ietf.org, "trill-chairs@ietf.org" <trill-chairs@ietf.org>, draft-ietf-trill-pseudonode-nickname@ietf.org, The IESG <iesg@ietf.org>, "trill@ietf.org" <trill@ietf.org>, draft-ietf-trill-pseudonode-nickname.ad@ietf.org
Subject: Re: [trill] Stephen Farrell's Discuss on draft-ietf-trill-pseudonode-nickname-06: (with DISCUSS)
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2015 03:47:10 -0000
Hi Stephen, Would the following change resolve your DISCUSS? OLD This draft does not introduce any extra security risks. For general TRILL Security Considerations, see [RFC6325]. NEW Since currently deployed LAALPs [RFC7379] are proprietary, security over membership in and internal management of active-active edge groups is proprietary. A rogue RBridge that insinuates itself into an active-active edge group can disrupt end station traffic flowing into or out of that group. For example, if there are N RBridges in the group, it could typically control 1/Nth of the traffic flowing out of that group and a similar amount of unicast traffic flowing into that group. For multi-destination traffice flowing into that group, it could control all that was in a VLAN for which it was DF and it can exercise substantial control over the DF election by changing its own System ID. For general TRILL Security Considerations, see [RFC6325]. Thanks, Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA d3e3e3@gmail.com On Thu, Sep 17, 2015 at 9:49 AM, Donald Eastlake <d3e3e3@gmail.com> wrote: > Hi Stephen, > > On Thu, Sep 17, 2015 at 6:34 AM, Stephen Farrell > <stephen.farrell@cs.tcd.ie> wrote: >> Stephen Farrell has entered the following ballot position for >> draft-ietf-trill-pseudonode-nickname-06: Discuss >> >> ... >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-trill-pseudonode-nickname/ >> >> >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> >> I have two questions where it's not clear to me if this >> specification does or does not introduce new vulnerabilities. >> It could well be that it does not and these are handled >> elsewhere, but I'm not sure so... >> >> (1) How is authorization for being a member of an RBv handled? > > Currently I think that this is out of scope because the active-active > edge groups, each of which is represented by an RBv, are proprietary > MC-LAG implementations with proprietary management. (See bottom of > page 5 of RFC 7379. This draft is standardizing a TRILL campus facing > interface for an AAE group.) > >> (2) If a rogue RB can add itself to an RBv can it arrange >> things so the rogue RB becomes the DF for the RBv? (If so, >> that would seem to create new DoS opportunities at least.) > > I don't see any problem in mentioning this in the Security Considerations. > > Thanks, > Donald > ============================= > Donald E. Eastlake 3rd +1-508-333-2270 (cell) > 155 Beaver Street, Milford, MA 01757 USA > d3e3e3@gmail.com
- [trill] Stephen Farrell's Discuss on draft-ietf-t… Stephen Farrell
- Re: [trill] Stephen Farrell's Discuss on draft-ie… Donald Eastlake
- Re: [trill] Stephen Farrell's Discuss on draft-ie… Donald Eastlake
- Re: [trill] Stephen Farrell's Discuss on draft-ie… Stephen Farrell
- Re: [trill] Stephen Farrell's Discuss on draft-ie… Donald Eastlake
- Re: [trill] Stephen Farrell's Discuss on draft-ie… Stephen Farrell
- Re: [trill] Stephen Farrell's Discuss on draft-ie… Donald Eastlake