Re: [trill] Alvaro Retana's Discuss on draft-ietf-trill-directory-assisted-encap-10: (with DISCUSS)

"Susan Hares" <shares@ndzh.com> Wed, 07 March 2018 18:48 UTC

Return-Path: <shares@ndzh.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A959312D869; Wed, 7 Mar 2018 10:48:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.946
X-Spam-Level:
X-Spam-Status: No, score=0.946 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8UZvfzrVxGza; Wed, 7 Mar 2018 10:48:26 -0800 (PST)
Received: from hickoryhill-consulting.com (50-245-122-97-static.hfc.comcastbusiness.net [50.245.122.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDC6312946D; Wed, 7 Mar 2018 10:48:25 -0800 (PST)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=166.176.251.46;
From: "Susan Hares" <shares@ndzh.com>
To: "'Donald Eastlake'" <d3e3e3@gmail.com>, "'Alvaro Retana'" <aretana.ietf@gmail.com>
Cc: "'The IESG'" <iesg@ietf.org>, <draft-ietf-trill-directory-assisted-encap@ietf.org>, <trill-chairs@ietf.org>, "'trill IETF mailing list'" <trill@ietf.org>
References: <152027833835.31755.10651902836786225579.idtracker@ietfa.amsl.com> <CAF4+nEGAvefBS3HpKYeV2bSwhwSkLL=1xH4+kUh6yK4eq=Nu-g@mail.gmail.com>
In-Reply-To: <CAF4+nEGAvefBS3HpKYeV2bSwhwSkLL=1xH4+kUh6yK4eq=Nu-g@mail.gmail.com>
Date: Wed, 7 Mar 2018 13:48:05 -0500
Message-ID: <01f101d3b644$d4be0290$7e3a07b0$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-us
Thread-Index: AQHdA11VU1qLoU9chKDVMJaMg1FyeAGnwEi0o6VEnmA=
X-Authenticated-User: skh@ndzh.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/Ho-ydWUi0Dh5vhmdynVGHRkzZQs>
Subject: Re: [trill] Alvaro Retana's Discuss on draft-ietf-trill-directory-assisted-encap-10: (with DISCUSS)
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 18:48:27 -0000

Donald and Alvaro: 

Do we have an agreed upon text changes?   If so, can we send a proposed change to Alvaro for review prior to Thursday's meeting? 

Sue Hares

-----Original Message-----
From: Donald Eastlake [mailto:d3e3e3@gmail.com] 
Sent: Monday, March 5, 2018 3:27 PM
To: Alvaro Retana
Cc: The IESG; draft-ietf-trill-directory-assisted-encap@ietf.org; trill-chairs@ietf.org; Susan Hares; trill IETF mailing list
Subject: Re: Alvaro Retana's Discuss on draft-ietf-trill-directory-assisted-encap-10: (with DISCUSS)

Hi Alvaro,

On Mon, Mar 5, 2018 at 2:32 PM, Alvaro Retana <aretana.ietf@gmail.com> wrote:
> Alvaro Retana has entered the following ballot position for
> draft-ietf-trill-directory-assisted-encap-10: Discuss
>
> ...
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I have significant concerns about this document; as currently written, 
> I believe the technology is underspecified and can cause significant 
> damage to a DC network where it might be deployed.  I am then balloting a DISCUSS.
>
> The document (including the security considerations) is written 
> assuming that the TRILL-ENs can be trusted (and are not compromised), 
> and that the directory information is accurate.  However, I believe 
> there are several cases that have been overlooked.
>
> (1) There aren't any basic safeguards specified to at least make sure 
> that a TRILL-EN is doing the right thing (or something sensible).  For 
> example, what if the Ingress RBridge Nickname field in the TRILL 
> header doesn't correspond to the first rBridge at the domain boundary?  Should that frame be accepted?

This concern doesn't seem very different from the general insecurity of Layer 2.

If a link has no TRILL router adjacencies, then I guess it it reasonable to check that the ingress nickname is that of the receiving RBridge but it gets harder if you have a mixed link with both end stations and TRILL routers (probably rare in deployments but, on the other hand, in TRILL a "link" can be a bridged LAN...).

> (2) rfc8171 talks about issues with incorrect directory mappings.  
> Consider the case where a TRILL-EN uses (on purpose!) an incorrect 
> mapping.  That "can result in data being delivered to the wrong end 
> stations, or set of end stations in the case of multi-destination packets, violating security policy."
> [rfc8171]  How can this risk be mitigated?

I'm not sure how using "an incorrect mapping" is that different from just using whatever nicknames it feels like...

> I don't think that there are easy mitigations for these issues, but at 
> least mentioning them so that operators are aware of the risk would be 
> enough to clear this DISCUSS.

It is certainly reasonable to mention these. One possible mitigation is the use of end-to-end encryption.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA  d3e3e3@gmail.com