Re: [secdir] Secdir review of draft-ietf-isis-trill

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

On Mon, Dec 20, 2010 at 2:05 PM, Stewart Bryant <stbryant@xxxxxxxxx> wrote:
> On 20/12/2010 18:43, Donald Eastlake wrote:
>>
>> Hi,
>>
>> On Mon, Dec 20, 2010 at 11:42 AM, Sam Hartman<hartmans-ietf@xxxxxxx>
>>  wrote:
>>>>>>>> "Radia" == Radia Perlman<radiaperlman@xxxxxxxxx>  writes:
>>>
>>>    Radia>  No objections.  Radia
>>>
>>> Can I get someone to confirm that the text in the proposed sentences is
>>> substantially true?
>>> I think so but I'm not an IS-IS expert.
>>
>> LSPs have sequences number, etc., and are idempotent. I think only
>> Hellos have the potential replay Denial of Service problem. So I would
>> suggest changing to:
>>
>> "Even when the IS-IS
>> authentication is used, replays of Hello packets can create
>> denial-of-service conditaions; see RFC 6039 for details. These issues
>> are similar in scope to those discussed in section 6.2 of
>> draft-ietf-trill-rbridge-protocol, and the same mitigations may apply."
>>
>> Thanks,
>> Donald
>
> ... as I recall from discussions with the ISIS WG the changes that were made
> to ISIS for TRILL make it more vulnerable to a hello attack than vanilla
> ISIS. This I understand is because there is more work to be done in
> processing a TRILL hello. Is that correct?

I think we are talking about Denial of Service due to replay of old
Hellos screwing up the state. This is unrelated to the work required
to process a Hello.

It is true that some processing is required for IS-IS LAN Hellos. One
reason for having a protocol like BFD is that you can send BFD
messages more frequently because they take less processing than
Hellos.  But I don't see why there would be that much difference
between the work involved in processing a TRILL LAN Hello and a Layer
3 IS-IS LAN Hello.

> - Stewart

Thanks,
Donald
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]