Re: [trill] Eric Rescorla's No Objection on draft-ietf-trill-p2mp-bfd-08: (with COMMENT)

"Susan Hares" <shares@ndzh.com> Wed, 24 January 2018 18:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/KIi976zPjE0BvEC_KpE1kgdro5g>

Eric:

Is there something I missed here?  The referenced document is RFC5880; section 6.7 starts out:

6.7.  Authentication <https://tools.ietf.org/html/rfc5880#section-6.7>

   An optional Authentication Section MAY be present in the BFD Control
   packet.  In its generic form, the purpose of the Authentication
   Section is to carry all necessary information, based on the
   authentication type in use, to allow the receiving system to
   determine the validity of the received packet.  The exact mechanism
   depends on the authentication type in use, but in general the
   transmitting system will put information in the Authentication
   Section that vouches for the packet's validity, and the receiving
   system will examine the Authentication Section and either accept the
   packet for further processing or discard it.


Section 6.7 describes four types of authentication: simple password [6.7.2], Keyed MD5 and Meticulous Keyed MD5 [6.7.3], Keyed SHA and Meticulous Keyed SHA1 authentication [6.7.4].
 
Do you wish TRILL to recommend a particular authentication for this draft if they use the BFD authentication? 
 
Please note that Kathleen noted this problem based on the sec-dir-review: 
https://mailarchive.ietf.org/arch/msg/secdir/KAZevWuVQAiukpRBKgjm7YIATRg
 
Donald Eastlake’s response to the sec-dir review, and the changes in -08.txt are related to this issue. 
 
Donald points out that RFC7978 provides strong authentication, and that we have a group keying mechanism ready for WG LC.  If you have a moment, perhaps you can look at the group keying draft as well:
 
https://datatracker.ietf.org/doc/draft-ietf-trill-group-keying/
 
It would be helpful to me as a WG chair to know if we have missed anything before we go into WG LC with this document in 2 days. Donald will be glad to answer additional questions on the group keying draft. 
 
Cheerily, Susan Hares 

 

From: Eric Rescorla [mailto:ekr@rtfm.com] 
Sent: Wednesday, January 24, 2018 1:40 PM
To: Zhangmingui (Martin)
Cc: The IESG; trill-chairs@ietf.org; draft-ietf-trill-p2mp-bfd@ietf.org; shares@ndzh.com; trill@ietf.org
Subject: Re: Eric Rescorla's No Objection on draft-ietf-trill-p2mp-bfd-08: (with COMMENT)

 

OK. This doesn't seem like it blocks this document, but I'll have to take a closer look when the referenced document comes up.

 

On Mon, Jan 22, 2018 at 1:40 AM, Zhangmingui (Martin) <zhangmingui@huawei.com> wrote:

Hi Eric,

Thanks for your review. When the referred document mentions Section 6.7, it actually points to the Section 6.7 of RFC5880.

Thanks,
Mingui


> -----Original Message-----
> From: Eric Rescorla [mailto:ekr@rtfm.com]
> Sent: Friday, January 19, 2018 1:49 AM
> To: The IESG
> Cc: draft-ietf-trill-p2mp-bfd@ietf.org; Susan Hares; trill-chairs@ietf.org;
> shares@ndzh.com; trill@ietf.org
> Subject: Eric Rescorla's No Objection on draft-ietf-trill-p2mp-bfd-08: (with
> COMMENT)
>
> Eric Rescorla has entered the following ballot position for
> draft-ietf-trill-p2mp-bfd-08: No Objection
>
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-trill-p2mp-bfd/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I'm hoping this can be resolved quickly, as it's probably just a missing cite. If it
> turns out that there's actually missing content, this may turn into a DISCUSS.
>
>    Multipoint BFD provides its own authentication but does not provide
>    encryption (see Security Considerations in [I-D.ietf-bfd-
>    multipoint]). As specified in this document, the point-to-multipoint
>
> I skimmed the reference here, but wasn't able to figure out what the
> authentication was. In particular, the document says:
>
>       If the A bit is set, the packet MUST be authenticated under the
>       rules of section 6.7, based on the authentication type in use
>       (bfd.AuthType.)  This may cause the packet to be discarded.
>
> But there is no 6.7. So, this makes me worry that I don't understand any of this.
>
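
The receive-side check that the thread keeps pointing to (A bit set, then validation under RFC 5880 section 6.7), worked through for the Keyed SHA1 and Meticulous Keyed SHA1 types. This is an added example, not text from any message in this thread or from the drafts under discussion; the function names, sample key and sample packet values are constructed for illustration, and only the authentication checks are covered.

```python
import hashlib, hmac, struct

KEYED_SHA1, METICULOUS_SHA1 = 4, 5   # RFC 5880 Auth Type values
A_BIT = 0x04                         # Authentication Present flag in byte 1
AUTH_LEN = 28                        # type, len, key ID, reserved, seq, 20-byte hash
END = 24 + AUTH_LEN                  # mandatory section plus SHA1 auth section

def _digest(pkt, key):
    # Hash the whole packet with the zero-padded key (at most 20 bytes)
    # standing in for the Auth Key/Hash field at offsets 32..51.
    return hashlib.sha1(pkt[:32] + key.ljust(20, b"\0") + pkt[END:]).digest()

def build_packet(key_id, key, seq, auth_type=KEYED_SHA1):
    """Constructed sample: version 1, state Up, Detect Mult 3, made-up timers."""
    hdr = struct.pack("!BBBBIIIII", 0x20, 0xC0 | A_BIT, 3, END,
                      1, 2, 1_000_000, 1_000_000, 0)
    auth = struct.pack("!BBBBI", auth_type, AUTH_LEN, key_id, 0, seq)
    pkt = hdr + auth + bytes(20)
    return pkt[:32] + _digest(pkt, key)

def check_auth(pkt, auth_type_in_use, key_id, key, rcv_seq=None):
    """Return 'accept' or 'discard: <reason>'; rcv_seq=None means bfd.AuthSeqKnown is 0."""
    if len(pkt) < 24:
        return "discard: short packet"
    detect_mult, length, a_bit = pkt[2], pkt[3], bool(pkt[1] & A_BIT)
    if length < (26 if a_bit else 24) or length > len(pkt):
        return "discard: bad length"
    if a_bit != (auth_type_in_use != 0):
        return "discard: A bit disagrees with bfd.AuthType"
    if not a_bit:
        return "accept"
    if auth_type_in_use not in (KEYED_SHA1, METICULOUS_SHA1):
        return "discard: auth type outside this example"
    pkt = pkt[:length]
    if pkt[24] != auth_type_in_use:
        return "discard: auth type mismatch"
    if pkt[25] != AUTH_LEN or length < END:
        return "discard: bad auth length"
    if pkt[26] != key_id:
        return "discard: unknown key ID"
    if rcv_seq is not None:
        seq = struct.unpack("!I", pkt[28:32])[0]
        # Meticulous mode requires the sequence number to advance on every packet.
        first = rcv_seq + (auth_type_in_use == METICULOUS_SHA1)
        if (seq - first) % 2**32 > rcv_seq + 3 * detect_mult - first:
            return "discard: sequence number outside window"
    if not hmac.compare_digest(pkt[32:END], _digest(pkt, key)):
        return "discard: bad hash"
    return "accept"
```

The sequence window is what separates the two SHA1 modes: the non-meticulous type accepts a repeat of the last sequence number, so a captured packet stays replayable until the sender increments it.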