IETF Logo Mail Archive

Re: [trill] ESADI draft change suggestion

Sujay Gupta <sujay.ietf@gmail.com> Wed, 25 July 2012 10:19 UTC

Return-Path: <sujay.ietf@gmail.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8043D21F85C7; Wed, 25 Jul 2012 03:19:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.848
X-Spam-Level:
X-Spam-Status: No, score=0.848 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_81=0.6, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_LOW=-1, WEIRD_QUOTING=1.396]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TXBgftEuPy6x; Wed, 25 Jul 2012 03:19:45 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 63B9821F85CC; Wed, 25 Jul 2012 03:19:45 -0700 (PDT)
Received: by pbcwy7 with SMTP id wy7so1222497pbc.31 for <multiple recipients>; Wed, 25 Jul 2012 03:19:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=3BziWUSDYhY58VCfSyWiuueI4IpVFuwloSx5jHXf99E=; b=uwm73Z/1qOCJ3sotA4ZUCKe/qVsVv4VtMBaVcyBGXNL57KJGcXJ71ENNgs3mZcdU8z Hdz/wCAeeZxQID9pnRKe5iJNS68mXE1nzws/Y0scv8rPjprGwJ+TKgzIGAkbdCd6+3ib MP2b87ZlITmXjcTxvL+bMG4sYKCPt7u0bWrKLOt7QbSfVkY3gntvZrrMNd9YE5NCyu/e b+tKh2vBn+Zrd09nP8RGxEPw7MCcgpo1uwXxHAh4biWcxYR5ltlvNt4B5eh3t9jWjpRM JhsU1ndw22WMJLOJrJ7YZ/ILY8+16po2W8oxhxWBPdOuXGc+F7VbyJsLCD7FySyhsFIB ZeAQ==
Received: by 10.68.227.163 with SMTP id sb3mr53137374pbc.74.1343211585143; Wed, 25 Jul 2012 03:19:45 -0700 (PDT)
Received: from [10.12.6.82] ([115.112.61.194]) by mx.google.com with ESMTPS id qr3sm14099879pbc.69.2012.07.25.03.19.40 (version=SSLv3 cipher=OTHER); Wed, 25 Jul 2012 03:19:44 -0700 (PDT)
Message-ID: <500FC839.1000509@gmail.com>
Date: Wed, 25 Jul 2012 15:49:37 +0530
From: Sujay Gupta <sujay.ietf@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: zhai.hongjun@zte.com.cn
References: <OFC6602D69.6F6D8C4D-ON48257A46.0025E6D5-48257A46.00263B7E@zte.com.cn>
In-Reply-To: <OFC6602D69.6F6D8C4D-ON48257A46.0025E6D5-48257A46.00263B7E@zte.com.cn>
Content-Type: multipart/alternative; boundary="------------020104080405010101060203"
Cc: trill-bounces@ietf.org, trill@ietf.org
Subject: Re: [trill] ESADI draft change suggestion
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trill>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2012 10:19:46 -0000

Hi,

Thanks for the response.

1.) The unsecured ESADI's, potential security issue, could be documented
in the "Security Considerations" section.
2.) The ESADI learned entry behavior,I agree with you explanation;
however the base RFC 6325 is not exactly worded so.
I would recommend if the correction can be added in the next RFC update
or clear-correct changes.
"

   For end-station address information locally learned from frames
   received, the time out from the last time a native frame was received
   or decapsulated with the information conforms to the recommendations
   of [802.1D <http://tools.ietf.org/html/rfc6325#ref-802.1D>].  It is referred to as the "Ageing Time" and is
   configurable per RBridge with a range of from 10 seconds to 1,000,000
   seconds and a default value of 300 seconds.

   The situation is different for end-station address information
   acquired via the TRILL ESADI protocol.  It is up to the originating
   RBridge to decide when to remove such information from its ESADI LSPs
   (or up to ESADI protocol timeouts if the originating RBridge becomes
   inaccessible).

"

Best Regards,
-Sujay


On 25-07-2012 12:25, zhai.hongjun@zte.com.cn wrote:
>
> Hi Sujay,
>
> Sorry for delaying reponse. Thanks for the suggestion, please see
> in-line.
>
>
>
> Thanks,
> Zhai Hongjun
> """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> Protocol Development Dept.VI, Central R&D Institute, ZTE Corporation
> No. 68, Zijinghua Road, Yuhuatai District, Nanjing, P.R.China, 210012
>
> Zhai Hongjun
>
> Tel: +86-25-52877345
> Email: zhai.hongjun@zte.com.cn
> """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
>
>
>
>
> *Sujay Gupta <sujay.ietf@gmail.com>*
> 发件人: trill-bounces@ietf.org
>
> 2012-07-23 09:34
>
> 	
> 收件人
> 	trill@ietf.org
> 抄送
> 	
> 主题
> 	[trill] ESADI draft change suggestion
>
>
>
> 	
>
>
>
>
>
> Hi,
>
> 1)
>
> The ESADI protocol objectives as stated in the draft-04, IMO needs
> added statements.
> Section 1: "Introduction"
> >>
> The ESADI
> protocol's potential advantages over data plane learning include the
> following:
>
> 1. Security advantages:..
> 2. Fast update advantages:..
> <<
>
> w.r.t to Security advantages, albeit ESADI can make a authenticated
> entries an insecure ESADI increases
> the security vulnerability then without it. My recommendation is to
> recommend a SHOULD clause to implement
> security features. A secured deployment of TRILL may choose to live
> with a unsecured ESADI ( & therefore
> possibly a more efficient/lighter ESADI); whilst a TRILL plane
> bridging 3rd party aggregation and application
> layers may choose for trusted/secured model.
>
> [Hongjun] Although security is one of ESADI's potential advantanges,
> but it is not a focal point in that draft. ESADI draft focuses on the
> general mechanism of ESADI protocol, then an ESADI instance can find
> its neighbors, exchange end station addresses and keep link state
> database synchronization with its neighbors. How an ESADI obtains its
> security features is out of the scope of that spec. Since there will
> be much work to do if we consider the security features, I think it is
> more suitable to discuss those features in a new draft than that spec.
> Therefore, I do not think such a "SHOULD clause" is suitable in that spec.
>
> 2)
> This is w.r.t to learning of ESADI entries and timing them out. As per
> RFC 6325, the entries are expected
> to be removed only by the originating RBridge.
> >>
> Section 4.8.3
> “The situation is different for end-station address information
> acquired via the TRILL ESADI protocol.
> It is up to the originating RBridge to decide when to remove such
> information from its ESADI LSPs
> (or up to ESADI protocol timeouts if the originating RBridge becomes
> inaccessible).”
> <<
> For robust behavior it would be better to timeout the entries without
> depending on ESADI, the reason
> is a (wrong)ESADI directed forwarding can cause persistent traffic
> loss, unlike a best effort flood everywhere
> situation. Therefore my recommendation is the specs should not
> 'mandate' the timing out behavior.
>
> [Hongjun] The spec gives two most common conditions under which an
> ESADI to time out some MAC addresses learned via ESADI (i.e., being
> told to do so by the originating RBridge or finding the originating
> RBridge inaccessible). But it does not mandate or imply that an ESADI
> can forget the learned MACs via ESADI only under the two conditions.
> Besides the two conditions, an ESADI can also decide to forget some
> learned MACs via ESADI based on local configured polices, for example,
> configured by administrator not to learn MACs from a specific ESADI
> RBridge.
>
>
> Best Regards,
> -Sujay
>
>
>
>
>
>
> _______________________________________________
> trill mailing list
> trill@ietf.org
> https://www.ietf.org/mailman/listinfo/trill
>

v2.23.0 | Report a Bug | By Email