Hi Eric,

On Mon, Oct 2, 2017 at 2:12 PM, Eric Rescorla <[email protected]> wrote:
>
> On Mon, Oct 2, 2017 at 4:54 PM, Donald Eastlake <[email protected]> wrote:
>>
>> Hi Eric,
>>
>> ...
>>
>> >> > It's not clear to me how the security properties of this mechanism
>> >> > compare to existing TRILL. The text says:
>> >> >
>> >> >    Unless Secure ND (SEND [RFC3971]) is used, ARP and ND messages can be
>> >> >    easily forged. Therefore the learning of MAC/IP addresses by RBridges
>> >> >    from ARP/ND should not be considered as reliable. See Section 4.1 for
>> >> >    SEND Considerations.
>> >> >
>> >> > "not considered as reliable" seems suboptimal. You need to cover how
>> >> > this mechanism compares to the non-use of this mechanism.
>> >>
>> >> As above, the optimization mechanisms do not make any significant
>> >> difference to the inherent insecurities of data plane learning but when
>> >> used with a complete, trusted directory, it improves considerably over
>> >> data plane learning.
>> >
>> > That had kind of been my impression, but then I don't understand what
>> > "not considered as reliable" is doing here. I'm supposed to be doing
>> > something with it, so while it may be non-secure, I'm still relying on
>> > it, no?
>>
>> Well, at some level some elements of your protocol stack are "relying"
>> on it or "trusting" it or whatever term you want, but it's trivially
>> forged unless you use additional security protocols so I guess we
>> could say something about that. TRILL supports different link
>> technologies but if you are using an Ethernet link, I suppose you
>> could use 802.1AE to improve trust in MAC addresses at layer 2. It
>> wouldn't hurt to mention that but it has very little to do with ARP/ND
>> optimization or TRILL.
>
> I think if you just sort of say "you are using it, but it's not trustworthy
> and here's why" you have it covered.

OK.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 [email protected]

> -Ekr

_______________________________________________
trill mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trill
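The distinction the thread settles on (data plane learning from ARP/ND is usable but not trustworthy; a complete, trusted directory improves on it) can be made concrete with a small model. The following Python is an added example, not code from this thread, from the TRILL working group, or from any RBridge implementation. It assumes a simplified binding table keyed by IP, a constructed directory, and constructed ARP-style messages using RFC 7042 documentation MAC addresses; the class and function names are hypothetical.

```python
"""Model of an RBridge MAC/IP binding table (added example, not TRILL code).

Two modes are contrasted:
  * data plane learning only: every observed ARP/ND claim is accepted, and
    the most a defender can do is flag a binding that changes;
  * directory-backed learning: a claim is accepted only if it agrees with a
    complete, trusted directory, so a forged claim is rejected and logged.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AddressClaim:
    """An IP-to-MAC claim as an RBridge would extract it from ARP or ND.

    Constructed abstraction; real frames carry more fields than this.
    """
    ip: str
    mac: str
    source_port: str


@dataclass
class BindingTable:
    # IP -> MAC as published by a trusted directory; None = data plane only.
    directory: dict[str, str] | None = None
    # IP -> (MAC, port) as currently learned by this RBridge.
    learned: dict[str, tuple[str, str]] = field(default_factory=dict)
    alerts: list[str] = field(default_factory=list)

    def observe(self, claim: AddressClaim) -> bool:
        """Process one observed claim; return True if it was installed."""
        if self.directory is not None:
            expected = self.directory.get(claim.ip)
            if expected is None:
                # A complete directory should know every IP; treat gaps as
                # suspicious rather than silently learning from the wire.
                self.alerts.append(
                    f"{claim.ip} claimed by {claim.mac} on {claim.source_port}: "
                    "not in directory, claim dropped")
                return False
            if expected != claim.mac:
                self.alerts.append(
                    f"{claim.ip} claimed by {claim.mac} on {claim.source_port}: "
                    f"directory says {expected}, claim rejected")
                return False
            self.learned[claim.ip] = (claim.mac, claim.source_port)
            return True

        # Data plane learning: last claim wins. Without SEND or a directory
        # there is nothing to verify against, only a change to notice.
        previous = self.learned.get(claim.ip)
        if previous is not None and previous[0] != claim.mac:
            self.alerts.append(
                f"{claim.ip} moved from {previous[0]} to {claim.mac} "
                f"(port {claim.source_port}): unverifiable, accepted")
        self.learned[claim.ip] = (claim.mac, claim.source_port)
        return True

    def lookup(self, ip: str) -> str | None:
        entry = self.learned.get(ip)
        return entry[0] if entry else None


# Constructed scenario: the legitimate host announces itself, then a second
# station on another port claims the same IP with a different MAC.
DIRECTORY = {"10.0.0.1": "00:00:5e:00:53:01", "10.0.0.2": "00:00:5e:00:53:02"}
CLAIMS = [
    AddressClaim("10.0.0.1", "00:00:5e:00:53:01", "port1"),
    AddressClaim("10.0.0.2", "00:00:5e:00:53:02", "port2"),
    AddressClaim("10.0.0.1", "00:00:5e:00:53:99", "port3"),  # conflicting claim
]


def run_scenario(use_directory: bool) -> BindingTable:
    """Feed the constructed claims through a table in the chosen mode."""
    table = BindingTable(directory=dict(DIRECTORY) if use_directory else None)
    for claim in CLAIMS:
        table.observe(claim)
    return table


if __name__ == "__main__":
    for mode in (False, True):
        table = run_scenario(mode)
        print("directory" if mode else "data plane", "->",
              table.lookup("10.0.0.1"), table.alerts)
```

In data plane mode the conflicting claim replaces the legitimate binding and is merely logged; in directory mode it is rejected and the original binding stands. That is the practical content of "you are using it, but it's not trustworthy": the same messages drive forwarding in both modes, and only the directory gives the RBridge grounds to refuse one.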
