Re: [trill] Stephen Farrell's No Objection on draft-ietf-trill-irb-13: (with COMMENT)

Donald Eastlake <> Wed, 29 June 2016 17:44 UTC

From: Donald Eastlake <>
Date: Wed, 29 Jun 2016 13:44:12 -0400
To: Stephen Farrell <>

Hi Stephen,

Thanks for the comments. See below.

On Wed, Jun 29, 2016 at 8:04 AM, Stephen Farrell
<> wrote:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-trill-irb-13: No Objection
> ...
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> - section 5: The tenant ID is sometimes described as "globally
> unique" and sometimes (in 5.2) as "throughout the campus." The
> latter seems likely correct to me. (As an aside, is this document
> the first to introduce that concept to TRILL?)

Yes, it should be unique within the TRILL campus.

> - section 8: If IS-IS security is not actually used, (is that the
> current deployment reality btw?) and if I can guess a tenant ID then
> what new mischief can happen? If there is some, then perhaps you
> ought recommend that tenant ID's be randomly selected within the
> campus? (I see you use "1" in the example, which is pretty easy to
> guess:-) I think one could argue that that (and maybe more) ought be
> covered in section 8, if the current deployment reality is that no
> crypto is actually used to protect most IS-IS traffic. Is it?

My impression is that IS-IS security is not used in a majority of
cases. The importance of this depends on a lot of factors such as how
tightly managed the routing area is, the security of the links between
routers, etc.

Without link (RBridge-to-adjacent-RBridge) security or edge-to-edge
(ingress-RBridge-to-egress-RBridge) security, obfuscating Tenant IDs
provides only limited protection against off-path attackers, but I
agree it would be reasonable to mention it.

 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA