Re: [trill] Kathleen Moriarty's Discuss on draft-ietf-trill-transport-over-mpls-07: (with DISCUSS)

Donald Eastlake <> Wed, 14 March 2018 20:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D12BB1275FD; Wed, 14 Mar 2018 13:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FeDJZubZ95Om; Wed, 14 Mar 2018 13:52:33 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D4A951243F3; Wed, 14 Mar 2018 13:52:32 -0700 (PDT)
Received: by with SMTP id m83so5967332ioi.8; Wed, 14 Mar 2018 13:52:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CudX/tttwpjTb7BqxyIaWlyDvRhUHCaVm4FaKX1WUAI=; b=LHr+HRkwHcSUn9Oe6Xw2p6UL8Hgn6wUsadPWACYtjNokpjkxz88VOa7A7wORuFtEjV SuyhJbbszA/eelzycaEH4ofbaurm5+CAdBM+3yoH7BwAy+3GHp+/P77itQXfkNSuTOVw xfiafTrXKG9GeFwkJTSQfbaPDbjl/7EzBZME6KxStFS7lCR8NTMvYftyVYqET+k3Dh+r tpkNtiWLevu1n10czHavFdWj/fY6dBiisPU+fy9x7DGG8HqyE+vlXF9N/NBJhwM3ZcwJ 8YbKFkBQ9rn5Vnkhreykwat1nFt/vW8s4H02s+T+drNAlb5bX7M9w6CsY2vhIolf2nwQ CHhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CudX/tttwpjTb7BqxyIaWlyDvRhUHCaVm4FaKX1WUAI=; b=CvV6Ib59BPIDVQBiFSRQEzdhClrm/DJHAeNGC6Nh1/SXipWHp9RLuTVdEh/9XIRn1A tMH8MozmBdcdIero2UIuvxnTMVygdY8wdnWRx6iYs6zJs2jutzHzjzMZ8e1NixCmDG1U A/bsDWuAJFdoxE43qhy4H0RC8O3cDDwwsFuCO/jpqRNs0IMA0QIYjDyZVJva7SU+TOwU enGqY3yMTaNuv4j3DLVfK0NRG0P5HbFXMutPzIcRdEMlzll8Q0Ll3isBXx/EtF/goNWx +VJ3Jfuco4psdM2S9NndMWr4Jk46b/HaatRmw5CW1L6bhznYX4trEWEliOPjidZh5uqD E7oQ==
X-Gm-Message-State: AElRT7F9Qjl4WYy8fDsC/YBYs1sPHLoSw8o2DTnjfv9gVr+ulrbrQhtV Mdr3RJMiRXldbHZ7dtTvvJsDry1wo/TkEMZ4fAVdyw==
X-Google-Smtp-Source: AG47ELvnUQjVBTVjfIrdHwylTunM9zjlOvLGrhnxpcJGCPPYbMrJJusqy9lkTgN6xSdGTNhkYYEEq6aw5de5rIRq24U=
X-Received: by with SMTP id f25mr6392885iob.14.1521060751898; Wed, 14 Mar 2018 13:52:31 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 14 Mar 2018 13:52:16 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
From: Donald Eastlake <>
Date: Wed, 14 Mar 2018 16:52:16 -0400
Message-ID: <>
To: Kathleen Moriarty <>
Cc: The IESG <>,,, Susan Hares <>, trill IETF mailing list <>, "Andrew G. Malis" <>
Content-Type: multipart/alternative; boundary="089e0825d6d0cc7ec70567658d95"
Archived-At: <>
Subject: Re: [trill] Kathleen Moriarty's Discuss on draft-ietf-trill-transport-over-mpls-07: (with DISCUSS)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Mar 2018 20:52:35 -0000

Hi Kathleen,

On Wed, Mar 14, 2018 at 2:28 PM, Kathleen Moriarty <> wrote:
> Hi Donald,
> Thanks for the proposed text.  Please see inline.
> On Mon, Mar 12, 2018 at 10:01 PM, Donald Eastlake <>
>> Hi Kathleen,
>> Would the following replacement Security Considerations section for
>> draft-ietf-trill-transport-over-mpls be adequate?
>>    This document specifies methods using existing standards and
>>    facilities in ways that do not create new security problems.
>>    For general VPLS security considerations, including discussion of
>>    isolating customers from each other, see [RFC4761] and [RFC4762].
>>    For transport of TRILL by Pseudowires security consideration, see
>>    [RFC7173]. In particular, since pseudowires are support by MPLS or IP
>>    which are in turn supported by a link layer, that document recommends
>>    using IP security or the lower link layer security.
>>    For added security against the compromise of data end-to-end
>>    encryption and authentication should be considered; that is,
>>    encryption and authentication from source end station to destination
>>    end station.
> Would this be accomplished through IPsec?

For end-to-end security, it could be. Or DTLS. Whatever is convenient for
the information you want to protect. Since end stations are connected to
edge TRILL switches via Ethernet, if you wanted to protect all of the data
between two end stations, you could use IEEE Std 802.1AE. Do you want a
list added?

> If encryption and authentication are not employed, what are the risks
> to tenant isolation since this draft joins TRILL campuses?

I wouldn't say that the draft "joins TRILL campuses". If a TRILL campus is
actually structured so that the connectivity being provided is connecting
two islands, then you could say it is making those TRILL switches parts of
the same campus. The term "campus" in TRILL is not intended to have any
geographic (or academic) implication but rather, to be for TRILL switches
the same as the term "bridged LAN" is for IEEE 802.1 bridges.

Whenever a link extends outside local physical control, there is increased
risk. Assuming a link between two TRILL switch ports in a TRILL campus is
Ethernet, it could be anything from a little copper on a backplane inside a
cabinet to Ethernet connectivity purchased from a carrier and extending
hundreds of miles.

If you are talking about the risk of a TRILL campus merging with a
malicious TRILL switch, that can be avoided by IS-IS PDU authentication.
Until adjacency is establish (RFC 7177), which requires successful exchange
of IS-IS Hellos PDUs, no data will flow.

> I think
> there should be text that explains this risk in addition to the text
> already proposed.

How about adding text like the following:

Transmission outside the customer environment through the provider
environment, as described in this document, increases risk of compromise or
injection of false data through failure of tenant isolation or by the
provider. In the VPLS model (Section 3), the use of link encryption and
authentication between the CEs of a tenant that is being connected through
provider facilities should be a good defense. In the VPTS model (Section
4), it is assumed that the CEs will peer with virtual TRILL switches of the
provider network and thus link security between TRILL switch ports is
inadequate as it will terminate at the edge PE. Thus, end station to end
station encryption and authentication is more appropriate for the VPTS

 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA

> Thanks,
> Kathleen
>>    For general TRILL security considerations, see [RFC6325].
>> Thanks,
>> Donald
>> ===============================
>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>  155 Beaver Street, Milford, MA 01757 USA
>> On Wed, Mar 7, 2018 at 5:35 PM, Andrew G. Malis <>
>>> Kathleen,
>>> I don’t want to speak for the authors. However, I did contribute to this
>>> draft (although not this specific section). So that said, here’s my two
>>> cents ….
>>> I agree that first sentence could have been worded better, but the
>>> line is that depending on the model used, the security considerations
>>> RFC 7173, 4761, or 4762 applies, including the discussions in those
RFCs on
>>> issues such as isolation and end-to-end security. Those RFCs are
>>> in the security section. So the substance is already there, perhaps the
>>> draft just needs better pointers to it.
>>> Cheers,
>>> Andy
>>> On Wed, Mar 7, 2018 at 5:01 PM, Kathleen Moriarty
>>> <> wrote:
>>>> Kathleen Moriarty has entered the following ballot position for
>>>> draft-ietf-trill-transport-over-mpls-07: Discuss
>>>> When responding, please keep the subject line intact and reply to all
>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>> introductory paragraph, however.)
>>>> Please refer to
>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>> The document, along with other ballot positions, can be found here:
>>>> ----------------------------------------------------------------------
>>>> ----------------------------------------------------------------------
>>>> I was very surprised to see the following in the security
>>>> section and would like to work with you on improvements.
>>>>    As an informational document specifying methods that use only
>>>>    existing standards and facilities, this document has no effect on
>>>>    security.
>>>> Having watched many TRILL documents go by in the last 4 years, we
>>>> push
>>>> too hard on security in some cases as a result of the restriction to a
>>>> campus
>>>> network.  This particular document extends into multi-tenancy where
>>>> are
>>>> certainly security considerations introduced to be able to provide
>>>> isolation
>>>> properties.  MPLS offers no security and it is being used to join TRILL
>>>> campuses as described int his draft.  This is done without any
>>>> requirement of
>>>> an overlay protocol to provide security - why is that the case?
>>>> Minimally, the
>>>> considerations need to be explained.  Ideally, a solution should be
>>>> offered to
>>>> protect tenants when TRILL campuses are joined.
>>>> _______________________________________________
>>>> trill mailing list
> --
> Best regards,
> Kathleen