Re: [trill] Alvaro Retana's Discuss on draft-ietf-trill-directory-assisted-encap-10: (with DISCUSS)

Donald Eastlake <d3e3e3@gmail.com> Mon, 05 March 2018 20:27 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B30D1124B18; Mon, 5 Mar 2018 12:27:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yqEWnXSdVN6D; Mon, 5 Mar 2018 12:27:43 -0800 (PST)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AED01204DA; Mon, 5 Mar 2018 12:27:43 -0800 (PST)
Received: by mail-io0-x230.google.com with SMTP id e30so19435061ioc.3; Mon, 05 Mar 2018 12:27:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dF4BzvnOUHFdsPg6mVxKYbSDEwdZwTQqBsNYHR/fqrc=; b=Izfvfe50+mBY2h1tK0CDaDi7JU5yQ7wnMdCTkk7x+fI/psTZZSyQgJaME/LWKseYc/ mLdoXmaMc+stxFBSDDGn9uebmehLSodwmhRMHHNlUOzzlETXfgJw/Z2wmYHPtSlX3g7I /0x5mImxWNu+TMoBPRCyoNX41+/uJGxKDnLcbqtNYllD8HY4r0trYCLiUEpNE1qBTcnT kM4G5G0mUuugtKevR3m0rHSKJyplnK7FX49dN7PETz05ZFAXWThuFp80e+SZQFSFoHkD XgGcZPjpPplj6vzPRwhHyjVSIaz2rmi0nD9pIo8FAkbTULmH3JipEoG2L3SwxzdCnlXK GnzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dF4BzvnOUHFdsPg6mVxKYbSDEwdZwTQqBsNYHR/fqrc=; b=kmv+ksnc9Jt5Ta/UkN0m95CHPTMJWhXNS+IHCxRbUFf8vMDbLz6Ca0O6otG0ihlqwz n7ZrOdd0PlI+mKSo+mSTp4GYhFyky7kvARPSgubvW0AsZvyjdgXpRnDqQAD2fqKKqyiU fxAOZ2pXVAali4HQTuVaL9rDFjUpPxaorBAnKKce75fF3ltgNCcUEqnXrwz70LRd+tGY OsCDpwfFtGFIKKDfXKCFmVosH6yFfG0blbkAUf5SO+sS+9wi11knAvy9EgWAnBOZkhK3 T4ikGES5YsQpOid5wWM9YQ/ZkTZU0f7g0PzMXQMS/vteRZ/pwrJmiDgq9ijiyclJJcHd YB9w==
X-Gm-Message-State: APf1xPA0qhWxdOqlzhJpBdS+nuerv0LP5sPdHmBjRjBeWWQkTi//YOKF IhAtHBYXuNm44gAZjhIj3rTFr6IHxoQ+kurQ1cc=
X-Google-Smtp-Source: AG47ELtDTnQjjdztbOMZDP45ZBETp2T9cXN4ic+C2IbgZu1mCYKWW/hQ+YIKq3lNX9Kjzwox9MjqllMzDzkerRwD6J8=
X-Received: by 10.107.36.204 with SMTP id k195mr18268357iok.131.1520281662449; Mon, 05 Mar 2018 12:27:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.58.193 with HTTP; Mon, 5 Mar 2018 12:27:26 -0800 (PST)
In-Reply-To: <152027833835.31755.10651902836786225579.idtracker@ietfa.amsl.com>
References: <152027833835.31755.10651902836786225579.idtracker@ietfa.amsl.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Mon, 5 Mar 2018 15:27:26 -0500
Message-ID: <CAF4+nEGAvefBS3HpKYeV2bSwhwSkLL=1xH4+kUh6yK4eq=Nu-g@mail.gmail.com>
To: Alvaro Retana <aretana.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-trill-directory-assisted-encap@ietf.org, trill-chairs@ietf.org, Susan Hares <shares@ndzh.com>, trill IETF mailing list <trill@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/fR_fSd7qsrsr2-6Ze_cLTHS9OAQ>
Subject: Re: [trill] Alvaro Retana's Discuss on draft-ietf-trill-directory-assisted-encap-10: (with DISCUSS)
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 20:27:45 -0000

Hi Alvaro,

On Mon, Mar 5, 2018 at 2:32 PM, Alvaro Retana <aretana.ietf@gmail.com> wrote:
> Alvaro Retana has entered the following ballot position for
> draft-ietf-trill-directory-assisted-encap-10: Discuss
>
> ...
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I have significant concerns about this document; as currently written, I
> believe the technology is underspecified and can cause significant damage to a
> DC network where it might be deployed.  I am then balloting a DISCUSS.
>
> The document (including the security considerations) is written assuming that
> the TRILL-ENs can be trusted (and are not compromised), and that the directory
> information is accurate.  However, I believe there are several cases that have
> been overlooked.
>
> (1) There aren't any basic safeguards specified to at least make sure that a
> TRILL-EN is doing the right thing (or something sensible).  For example, what
> if the Ingress RBridge Nickname field in the TRILL header doesn't correspond to
> the first rBridge at the domain boundary?  Should that frame be accepted?

This concern doesn't seem very different from the general insecurity of Layer 2.

If a link has no TRILL router adjacencies, then I guess it it
reasonable to check that the ingress nickname is that of the receiving
RBridge but it gets harder if you have a mixed link with both end
stations and TRILL routers (probably rare in deployments but, on the
other hand, in TRILL a "link" can be a bridged LAN...).

> (2) rfc8171 talks about issues with incorrect directory mappings.  Consider the
> case where a TRILL-EN uses (on purpose!) an incorrect mapping.  That "can
> result in data being delivered to the wrong end stations, or set of end
> stations in the case of multi-destination packets, violating security policy."
> [rfc8171]  How can this risk be mitigated?

I'm not sure how using "an incorrect mapping" is that different from
just using whatever nicknames it feels like...

> I don't think that there are easy mitigations for these issues, but at least
> mentioning them so that operators are aware of the risk would be enough to
> clear this DISCUSS.

It is certainly reasonable to mention these. One possible mitigation
is the use of end-to-end encryption.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com