TRILL: Link Security
draft-eastlake-trill-link-security-06

Document Type: Active Internet-Draft (individual)
Last updated: 2017-09-24
IESG state: I-D Exists
INTERNET-DRAFT                                           Donald Eastlake
Updates: 6325, 6361, 7173                                  Dacheng Zhang
Intended status: Proposed Standard                                Huawei
Expires: March 23, 2018                               September 24, 2017

                          TRILL: Link Security
              <draft-eastlake-trill-link-security-06.txt>

Abstract

   The TRILL protocol supports arbitrary link technologies between TRILL
   switches, both point-to-point and broadcast links, and supports
   Ethernet links between edge TRILL switches and end stations.
   Communications links are constantly under attack by criminals and
   national intelligence agencies as discussed in RFC 7258. Link
   security is an important element of security in depth, particularly
   for links that are not entirely under the physical control of the
   TRILL network operator or that include devices which may have been
   compromised. This document specifies link security recommendations
   for TRILL over Ethernet, PPP, and pseudowire links. It updates RFC
   6325, RFC 6361, and RFC 7173. It requires that link encryption MUST
   be implemented and that all TRILL Data packets between TRILL switch
   ports capable of encryption at line speed MUST default to being
   encrypted.

   [This is an early partial draft.]

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the DNSEXT working group mailing list: <rbridge@postel.org>.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
   Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

D. Eastlake, et al                                              [Page 1]
INTERNET-DRAFT                                      TRILL: Link Security

Table of Contents

      1. Introduction............................................3
      1.1 Encryption Requirement and Adjacency...................3
      1.2 Terminology and Acronyms...............................4

      2. Link Security Default Keying............................5

      3. Link Security Specifics.................................6
      3.1 Ethernet Links.........................................6
      3.2 PPP Links..............................................8
      3.3 Pseudowire Links.......................................8

      4. Edge-to-Edge Security...................................9

      5. Security Considerations................................11
      6. IANA Considerations....................................11

      Normative References......................................12
      Informative References....................................13
      Acknowledgments...........................................14

      Appendix A: Summary of Changes to RFCs 6325, 6361, 7173...15
      Appendix B: Ethernet Security to End Stations.............16

      Authors' Addresses........................................19


1. Introduction

   The TRILL (Transparent Interconnection of Lots of Links or Tunneled
   Routing in the Link Layer) protocol [RFC6325] [RFC7780] supports
   arbitrary link technologies including both point-to-point and
   broadcast links and supports Ethernet links between edge TRILL
   switches and end stations.  Communications links are constantly under
   attack by criminals and national intelligence agencies as discussed
   in [RFC7258].

   Link security is an important element of security in depth for links,
   particularly those that are not entirely under the physical control of
   the TRILL network operator or that include devices which may have been
   compromised, that is, pretty much all links. TRILL generally uses
   an existing link security method specified for the technology of the
   link in question.

   This document specifies link security recommendations for TRILL over
   Ethernet [RFC6325], TRILL over PPP [RFC6361], and transport of TRILL
   by pseudowires [RFC7173], in Sections 3.1, 3.2, and 3.3 respectively.