Re: [trill] Stephen Farrell's No Objection on draft-ietf-trill-irb-13: (with COMMENT)

Donald Eastlake <d3e3e3@gmail.com> Wed, 29 June 2016 17:44 UTC

In-Reply-To: <20160629120446.18829.90153.idtracker@ietfa.amsl.com>
References: <20160629120446.18829.90153.idtracker@ietfa.amsl.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 29 Jun 2016 13:44:12 -0400
Message-ID: <CAF4+nEE75f2yVZe8K4XUKmbr5+mw8u6+SQx1H=4J=2wAkksBcg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/hxVEVTw8jbAbww8BgFdR4hWGfLY>
Cc: "trill-chairs@ietf.org" <trill-chairs@ietf.org>, The IESG <iesg@ietf.org>, "trill@ietf.org" <trill@ietf.org>, draft-ietf-trill-irb@ietf.org
Subject: Re: [trill] Stephen Farrell's No Objection on draft-ietf-trill-irb-13: (with COMMENT)

Hi Stephen,

Thanks for the comments. See below.

On Wed, Jun 29, 2016 at 8:04 AM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-trill-irb-13: No Objection
>
> ...
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> - section 5: The tenant ID is sometimes described as "globally
> unique" and sometimes (in 5.2) as "throughout the campus." The
> latter seems likely correct to me. (As an aside, is this document
> the first to introduce that concept to TRILL?)

Yes, it should be unique within the TRILL campus.

> - section 8: If IS-IS security is not actually used, (is that the
> current deployment reality btw?) and if I can guess a tenant ID then
> what new mischief can happen? If there is some, then perhaps you
> ought recommend that tenant IDs be randomly selected within the
> campus? (I see you use "1" in the example, which is pretty easy to
> guess:-) I think one could argue that that (and maybe more) ought be
> covered in section 8, if the current deployment reality is that no
> crypto is actually used to protect most IS-IS traffic. Is it?

My impression is that IS-IS security is not used in a majority of
cases. The importance of this depends on a lot of factors such as how
tightly managed the routing area is, the security of the links between
routers, etc.

Without link (RBridge-to-adjacent-RBridge) security or edge-to-edge
(ingress-RBridge-to-egress-RBridge), obfuscating Tenant IDs provides
only limited protection against off-path attackers but I agree it
would be reasonable to mention it.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com
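The two points raised above (Tenant IDs must be unique within the campus, and sequential values like "1" are trivially guessable) can be made concrete with a small allocator. The following is an added example, not code from draft-ietf-trill-irb or from either participant in the thread. It assumes a 24-bit Tenant ID width and that the value 0 is reserved; neither assumption is taken from the draft. It also goes a little beyond the thread by adding an audit that flags a Tenant ID bound to two different tenants across RBridge configurations, which is the campus-uniqueness check an operator would actually run.

```python
"""
Added illustration (not code from draft-ietf-trill-irb or this thread): a
Tenant ID allocator scoped to one TRILL campus. It enforces campus-wide
uniqueness, hands out IDs uniformly at random instead of sequentially, and
includes an audit that flags a Tenant ID bound to more than one tenant.
The 24-bit width and the reservation of value 0 are assumptions made here
for illustration, not values taken from the draft.
"""
import secrets
from collections import defaultdict

TENANT_ID_BITS = 24                 # assumption for illustration only
TENANT_ID_SPACE = 1 << TENANT_ID_BITS


class CampusTenantIdAllocator:
    """Hands out Tenant IDs that are unique within a single TRILL campus."""

    def __init__(self, space=TENANT_ID_SPACE, randomize=True, reserved=(0,), rng=None):
        self.space = space
        self.randomize = randomize
        self.reserved = set(reserved)       # never handed out (0 reserved by assumption)
        self.in_use = set(self.reserved)
        # SystemRandom draws from the OS CSPRNG; any object with randrange()
        # (e.g. a seeded random.Random) can be injected for reproducible runs.
        self.rng = rng or secrets.SystemRandom()

    def free_count(self):
        return self.space - len(self.in_use)

    def allocate(self):
        if self.free_count() == 0:
            raise RuntimeError("Tenant ID space exhausted for this campus")
        if self.randomize:
            # Rejection-sample until an unused value is drawn. Expected tries
            # are space / free_count, so this stays cheap until nearly full.
            while True:
                candidate = self.rng.randrange(self.space)
                if candidate not in self.in_use:
                    break
        else:
            # Sequential: lowest unused value, i.e. the easily guessed 1, 2, 3, ...
            candidate = next(v for v in range(self.space) if v not in self.in_use)
        self.in_use.add(candidate)
        return candidate

    def release(self, tenant_id):
        if tenant_id in self.reserved or tenant_id not in self.in_use:
            raise ValueError(f"Tenant ID {tenant_id} is not allocated")
        self.in_use.discard(tenant_id)

    def low_value_exposure(self, k):
        """Fraction of the non-reserved values below k that are live tenants.
        1.0 means a trivial guess such as 1 lands on a real tenant."""
        probe = [v for v in range(k) if v not in self.reserved]
        if not probe:
            return 0.0
        return sum(1 for v in probe if v in self.in_use) / len(probe)


def find_tenant_id_conflicts(entries):
    """entries: iterable of (rbridge, tenant_name, tenant_id) collected from
    per-RBridge configuration. A Tenant ID is campus-unique only if every
    RBridge binds it to the same tenant. Returns {tenant_id: {tenant: [rbridges]}}
    for every ID bound to more than one tenant (the same tenant appearing on
    several RBridges is normal and is not reported)."""
    bindings = defaultdict(lambda: defaultdict(list))
    for rbridge, tenant, tid in entries:
        bindings[tid][tenant].append(rbridge)
    return {tid: {t: sorted(r) for t, r in names.items()}
            for tid, names in bindings.items() if len(names) > 1}


# Constructed sample configuration, not real deployment data.
SAMPLE_CONFIG = [
    ("RB1", "tenant-blue", 0x0A1B2C),
    ("RB2", "tenant-blue", 0x0A1B2C),   # same tenant on two RBridges: fine
    ("RB3", "tenant-red", 0x0A1B2C),    # same ID bound to another tenant: conflict
    ("RB3", "tenant-green", 1),
]

if __name__ == "__main__":
    seq = CampusTenantIdAllocator(space=16, randomize=False)
    print("sequential:", [seq.allocate() for _ in range(3)], seq.low_value_exposure(4))
    rnd = CampusTenantIdAllocator()
    print("random:", [hex(rnd.allocate()) for _ in range(3)], rnd.low_value_exposure(4))
    print("conflicts:", find_tenant_id_conflicts(SAMPLE_CONFIG))
```

As Donald notes above, random Tenant IDs only raise the cost for an off-path guesser; anyone who can read IS-IS or data traffic on a link sees the IDs directly, so this allocator complements link or edge-to-edge protection rather than replacing it.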