Hi Kathleen, See below.
On Wed, Jun 29, 2016 at 3:43 PM, Kathleen Moriarty <[email protected]> wrote:
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-trill-irb-13: No Objection
>
> ...
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> In reading the draft and security considerations, I had the same concern
> as Stephen's second point. Are there any security issues if the session
> is not encrypted? I see the concern for sensitive data and that is good,
> but are any exploits possible if the session is not encrypted (like on
> the tenantID as Stephen asked).

I am not sure what you mean by "session". Simplifying a little: there are two types of TRILL packets, TRILL IS-IS (control plane) packets and TRILL Data packets. IS-IS has an authentication feature but does not provide confidentiality. There is currently no general TRILL feature for securing TRILL Data packets.

The purpose of TRILL is to provide connectivity between end stations. Those end stations are connected to the TRILL edge by Ethernet so, if supported by the TRILL edge switch Ethernet port, an end station can, for example, use MACsec (802.1AE) to secure its connection to the TRILL edge. Also, since TRILL is mostly transparent, end stations talking to each other can use IPsec or TLS/DTLS or whatever they want to secure their conversation. (There is an incomplete personal draft that talks about link security between TRILL switches and/or between an ingress TRILL edge switch and an egress TRILL edge switch.)

The Tenant ID does not normally occur in a TRILL Data packet. The tenant the packet belongs to is encoded in other ways. An adversary knowing a valid Tenant ID would mostly enable them to better forge IS-IS control PDUs, where the Tenant ID does occur. But if the network manager is not protecting the IS-IS control traffic, they presumably believe that possible problems due to forged IS-IS control traffic are not significant.

Thanks,
Donald
===============================
Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
[email protected]

_______________________________________________
trill mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trill
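The distinction Donald draws above (IS-IS authentication detects forged control PDUs but gives no confidentiality, and a network that does not enable authentication accepts whatever it receives) is illustrated by the following added example. It is not from the mailing-list thread, the TRILL RFCs, or any TRILL implementation. It uses a simplified TLV encoding modelled loosely on the IS-IS Authentication TLV (type 10, authentication type 3 with a key ID, as in RFC 5310) but is not a byte-accurate implementation of that RFC; the tenant TLV type 200, the key ID and the key are constructed for the demo.

```python
"""Toy IS-IS-style PDU with an HMAC Authentication TLV (simplified, not RFC 5310 byte-exact)."""
import hashlib
import hmac
import struct

AUTH_TLV_TYPE = 10        # IS-IS Authentication TLV type (RFC 1195 / RFC 5310)
AUTH_TYPE_CRYPTO = 3      # "generic cryptographic authentication" (RFC 5310)
DIGEST_LEN = 32           # HMAC-SHA-256 output length
TENANT_TLV_TYPE = 200     # hypothetical TLV carrying a 32-bit tenant identifier (demo only)
DEMO_KEY_ID = 7           # constructed key ID
DEMO_KEY = b"constructed-demo-key"   # constructed key, not a real secret


def encode_tlvs(tlvs):
    """Encode [(type, value), ...] as 1-byte type, 1-byte length, value."""
    out = bytearray()
    for t, v in tlvs:
        if len(v) > 255:
            raise ValueError("TLV value too long")
        out += struct.pack("!BB", t, len(v)) + v
    return bytes(out)


def decode_tlvs(pdu):
    """Return [(type, value, offset_of_value), ...]; raise on a truncated PDU."""
    tlvs, i = [], 0
    while i < len(pdu):
        if i + 2 > len(pdu):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!BB", pdu, i)
        i += 2
        if i + length > len(pdu):
            raise ValueError("truncated TLV value")
        tlvs.append((t, pdu[i:i + length], i))
        i += length
    return tlvs


def build_pdu(tlvs, key=None, key_id=0):
    """Build a PDU. With a key, append an Authentication TLV whose HMAC covers the
    whole PDU, computed with the digest field zeroed."""
    if key is None:
        return encode_tlvs(tlvs)
    placeholder = struct.pack("!BH", AUTH_TYPE_CRYPTO, key_id) + bytes(DIGEST_LEN)
    pdu = encode_tlvs(list(tlvs) + [(AUTH_TLV_TYPE, placeholder)])
    digest = hmac.new(key, pdu, hashlib.sha256).digest()
    return pdu[:-DIGEST_LEN] + digest          # auth TLV is last, so the digest is the tail


def verify_pdu(pdu, keys):
    """True only if an Authentication TLV is present and its HMAC verifies under keys[key_id]."""
    for t, v, off in decode_tlvs(pdu):
        if t != AUTH_TLV_TYPE:
            continue
        if len(v) != 3 + DIGEST_LEN or v[0] != AUTH_TYPE_CRYPTO:
            return False
        key = keys.get(struct.unpack("!H", v[1:3])[0])
        if key is None:
            return False
        doff = off + 3                          # start of the digest inside the PDU
        zeroed = pdu[:doff] + bytes(DIGEST_LEN) + pdu[doff + DIGEST_LEN:]
        expected = hmac.new(key, zeroed, hashlib.sha256).digest()
        return hmac.compare_digest(v[3:], expected)
    return False                                # no Authentication TLV at all


def accept_pdu(pdu, keys=None):
    """Receiver policy: with no keys configured (authentication not enabled) any
    well-formed PDU is accepted; with keys, the Authentication TLV must verify."""
    decode_tlvs(pdu)
    return True if keys is None else verify_pdu(pdu, keys)


def read_tenant_ids(pdu):
    """Tenant IDs are plaintext: any on-path observer can read them, signed or not."""
    return [struct.unpack("!I", v)[0] for t, v, _ in decode_tlvs(pdu) if t == TENANT_TLV_TYPE]


def forge_tenant(pdu, new_tenant):
    """Rewrite the tenant TLV in place (what an adversary who knows a valid ID might do)."""
    for t, v, off in decode_tlvs(pdu):
        if t == TENANT_TLV_TYPE:
            return pdu[:off] + struct.pack("!I", new_tenant) + pdu[off + 4:]
    raise ValueError("no tenant TLV")


if __name__ == "__main__":
    keys = {DEMO_KEY_ID: DEMO_KEY}
    signed = build_pdu([(TENANT_TLV_TYPE, struct.pack("!I", 4242))], DEMO_KEY, DEMO_KEY_ID)
    forged = forge_tenant(signed, 9999)
    print("tenant visible in signed PDU:", read_tenant_ids(signed))
    print("forged PDU accepted with auth on:", accept_pdu(forged, keys))
    print("forged PDU accepted with auth off:", accept_pdu(forged))
```

The point the two receiver modes make: enabling IS-IS authentication turns a forged control PDU into a verification failure, but the tenant value in the PDU is readable by anyone on the link either way, which is why confidentiality for IS-IS has to come from something like MACsec on the link rather than from the authentication TLV.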
