
Re: Gen-ART Review of draft-ietf-trill-pseudonode-nickname-05

2015-08-31 15:21:14
On Aug 27, 2015, at 5:59 PM, Russ Housley <housley(_at_)vigilsec(_dot_)com> wrote:


(3)  In Section 11, we learn that the VLAN membership of all the
RBridge ports in an LAALP MUST be the same.  Any inconsistencies in
VLAN membership may result in packet loss or non-shortest paths.
Is there anything that can be added to the Security Considerations
that can help avoid these inconsistencies?

Interesting.  In the trill draft I recently reviewed for secdir 
(draft-ietf-trill-aa-multi-attach) it makes a similar statement that VLAN 
membership had to be consistent across all ports on all RBridges in a LAALP.  
In that draft, the consistency meant the VLANs could be left out of the 
protocol packet.

  All enabled VLANs MUST be consistent on all ports connected to an
  LAALP. So the enabled VLANs need not be included in the AA-LAALP-
  GROUP-RBRIDGES TRILL APPsub-TLV. They can be locally obtained from
  the port attached to that LAALP.

I wondered if the LAALP was responsible for ensuring the consistency.  If it is 
left to the operator configuration, that’s tough.  Turns out there’s a dynamic 
VLAN registration protocol (VRP), but I could not discover that it is doing a 
consistency check.

If the draft you are looking at implies inconsistency is a possibility, then it 
must be that neither the LAALP nor VRP ensures the consistency.

—Sandy

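The message above notes that neither draft describes how the "enabled VLANs MUST be consistent on all ports connected to an LAALP" requirement is checked. The following is an added example, not code from either TRILL draft or from any RBridge implementation, of what such a consistency check looks like when run over the per-port configuration: it reports every VLAN that is enabled on some but not all ports of one LAALP, and on which ports it is missing. The port names, the VLAN range syntax and the sample configuration are assumptions made here for illustration.

```python
"""Enabled-VLAN consistency check across the RBridge ports of one LAALP.

Added example. The TRILL drafts only state the requirement (same enabled
VLAN set on every port attached to an LAALP); the check below, the port
naming scheme and the '10-12,20' range syntax are assumptions made here.
"""
from typing import Dict, List, Set


def parse_vlan_ranges(spec: str) -> Set[int]:
    """Turn a '10-12,20,30-31' style list into a set of VLAN IDs (1..4094).

    Assumed syntax: comma-separated single IDs or lo-hi ranges.
    """
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_id = int(lo)
        hi_id = int(hi) if hi else lo_id
        if not (1 <= lo_id <= hi_id <= 4094):
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_id, hi_id + 1))
    return vlans


def laalp_vlan_inconsistencies(ports: Dict[str, Set[int]]) -> Dict[int, List[str]]:
    """Return {vlan: [ports on which that VLAN is NOT enabled]}.

    Only VLANs enabled on some but not all ports appear; an empty result
    means the LAALP meets the MUST in the drafts.
    """
    if not ports:
        return {}
    enabled_sets = list(ports.values())
    enabled_anywhere = set().union(*enabled_sets)
    enabled_everywhere = set.intersection(*enabled_sets)
    report: Dict[int, List[str]] = {}
    for vlan in sorted(enabled_anywhere - enabled_everywhere):
        report[vlan] = sorted(
            name for name, enabled in ports.items() if vlan not in enabled
        )
    return report


def is_consistent(ports: Dict[str, Set[int]]) -> bool:
    """True when every port of the LAALP has the same enabled VLAN set."""
    return not laalp_vlan_inconsistencies(ports)


# Constructed sample: three RBridge ports attached to the same LAALP.
# RB3 is missing VLAN 12 and has an extra VLAN 30, so the LAALP is
# misconfigured in both directions.
SAMPLE_PORTS: Dict[str, Set[int]] = {
    "RB1:eth1": parse_vlan_ranges("10-12,20"),
    "RB2:eth1": parse_vlan_ranges("10-12,20"),
    "RB3:eth1": parse_vlan_ranges("10-11,20,30"),
}

if __name__ == "__main__":
    for vlan, missing_on in laalp_vlan_inconsistencies(SAMPLE_PORTS).items():
        print(f"VLAN {vlan}: not enabled on {', '.join(missing_on)}")
    print("consistent" if is_consistent(SAMPLE_PORTS) else "INCONSISTENT")
```

Reporting the missing ports rather than just a boolean matters for the failure mode the review raises: with the sample above, a VLAN 12 frame that the LAALP hashes onto RB3:eth1 has no enabled VLAN on that port, which is the packet-loss case the draft warns about, and the report says exactly which port an operator has to fix.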