Re: [trill] Alvaro Retana's Discuss on draft-ietf-trill-directory-assisted-encap-10: (with DISCUSS)

Donald Eastlake <> Mon, 05 March 2018 20:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B30D1124B18; Mon, 5 Mar 2018 12:27:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yqEWnXSdVN6D; Mon, 5 Mar 2018 12:27:43 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4AED01204DA; Mon, 5 Mar 2018 12:27:43 -0800 (PST)
Received: by with SMTP id e30so19435061ioc.3; Mon, 05 Mar 2018 12:27:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dF4BzvnOUHFdsPg6mVxKYbSDEwdZwTQqBsNYHR/fqrc=; b=Izfvfe50+mBY2h1tK0CDaDi7JU5yQ7wnMdCTkk7x+fI/psTZZSyQgJaME/LWKseYc/ mLdoXmaMc+stxFBSDDGn9uebmehLSodwmhRMHHNlUOzzlETXfgJw/Z2wmYHPtSlX3g7I /0x5mImxWNu+TMoBPRCyoNX41+/uJGxKDnLcbqtNYllD8HY4r0trYCLiUEpNE1qBTcnT kM4G5G0mUuugtKevR3m0rHSKJyplnK7FX49dN7PETz05ZFAXWThuFp80e+SZQFSFoHkD XgGcZPjpPplj6vzPRwhHyjVSIaz2rmi0nD9pIo8FAkbTULmH3JipEoG2L3SwxzdCnlXK GnzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dF4BzvnOUHFdsPg6mVxKYbSDEwdZwTQqBsNYHR/fqrc=; b=kmv+ksnc9Jt5Ta/UkN0m95CHPTMJWhXNS+IHCxRbUFf8vMDbLz6Ca0O6otG0ihlqwz n7ZrOdd0PlI+mKSo+mSTp4GYhFyky7kvARPSgubvW0AsZvyjdgXpRnDqQAD2fqKKqyiU fxAOZ2pXVAali4HQTuVaL9rDFjUpPxaorBAnKKce75fF3ltgNCcUEqnXrwz70LRd+tGY OsCDpwfFtGFIKKDfXKCFmVosH6yFfG0blbkAUf5SO+sS+9wi11knAvy9EgWAnBOZkhK3 T4ikGES5YsQpOid5wWM9YQ/ZkTZU0f7g0PzMXQMS/vteRZ/pwrJmiDgq9ijiyclJJcHd YB9w==
X-Gm-Message-State: APf1xPA0qhWxdOqlzhJpBdS+nuerv0LP5sPdHmBjRjBeWWQkTi//YOKF IhAtHBYXuNm44gAZjhIj3rTFr6IHxoQ+kurQ1cc=
X-Google-Smtp-Source: AG47ELtDTnQjjdztbOMZDP45ZBETp2T9cXN4ic+C2IbgZu1mCYKWW/hQ+YIKq3lNX9Kjzwox9MjqllMzDzkerRwD6J8=
X-Received: by with SMTP id k195mr18268357iok.131.1520281662449; Mon, 05 Mar 2018 12:27:42 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 5 Mar 2018 12:27:26 -0800 (PST)
In-Reply-To: <>
References: <>
From: Donald Eastlake <>
Date: Mon, 5 Mar 2018 15:27:26 -0500
Message-ID: <>
To: Alvaro Retana <>
Cc: The IESG <>,,, Susan Hares <>, trill IETF mailing list <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [trill] Alvaro Retana's Discuss on draft-ietf-trill-directory-assisted-encap-10: (with DISCUSS)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 05 Mar 2018 20:27:45 -0000

Hi Alvaro,

On Mon, Mar 5, 2018 at 2:32 PM, Alvaro Retana <> wrote:
> Alvaro Retana has entered the following ballot position for
> draft-ietf-trill-directory-assisted-encap-10: Discuss
> ...
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> I have significant concerns about this document; as currently written, I
> believe the technology is underspecified and can cause significant damage to a
> DC network where it might be deployed.  I am then balloting a DISCUSS.
> The document (including the security considerations) is written assuming that
> the TRILL-ENs can be trusted (and are not compromised), and that the directory
> information is accurate.  However, I believe there are several cases that have
> been overlooked.
> (1) There aren't any basic safeguards specified to at least make sure that a
> TRILL-EN is doing the right thing (or something sensible).  For example, what
> if the Ingress RBridge Nickname field in the TRILL header doesn't correspond to
> the first rBridge at the domain boundary?  Should that frame be accepted?

This concern doesn't seem very different from the general insecurity of Layer 2.

If a link has no TRILL router adjacencies, then I guess it it
reasonable to check that the ingress nickname is that of the receiving
RBridge but it gets harder if you have a mixed link with both end
stations and TRILL routers (probably rare in deployments but, on the
other hand, in TRILL a "link" can be a bridged LAN...).

> (2) rfc8171 talks about issues with incorrect directory mappings.  Consider the
> case where a TRILL-EN uses (on purpose!) an incorrect mapping.  That "can
> result in data being delivered to the wrong end stations, or set of end
> stations in the case of multi-destination packets, violating security policy."
> [rfc8171]  How can this risk be mitigated?

I'm not sure how using "an incorrect mapping" is that different from
just using whatever nicknames it feels like...

> I don't think that there are easy mitigations for these issues, but at least
> mentioning them so that operators are aware of the risk would be enough to
> clear this DISCUSS.

It is certainly reasonable to mention these. One possible mitigation
is the use of end-to-end encryption.

 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA