Re: draft-lltm-v5

[Tim Gleeson <tgleeson@cisco.com>]

About security, I agree in general with what Emmanuel and Takei-san have said.

> 1. the security considerations fail to list the threat of ARP spoofing
> when ARP packets are being tunneled over the back channel.

ARP spoofing is a potential problem on any broadcast network, so I don't 
think there's a new issue here.

> 6.> 10. Security Considerations
> >
> >    Security in a network using the link layer tunneling mechanism should
> >    be relatively similar to security in a normal IPv4 network. However,
> >    as the link layer tunneling mechanism uses GRE[rfc2784], it is
> >    expected that GRE authentication mechanism combined with a specific
> >    link layer security mechanism on the back-channel will help to
> >    enhance security in a unidirectional link environment.
> 
> And what GRE authentication mechanism would that be? AFAIK, GRE has no
> authentication.

The phrase "GRE authentication mechanism" could be replaced by something 
less general, but other than this, we could probably be a little bit more 
specific about threats and countermeasures, but we don't need to be too 
specific because, as Takei-san says, these problems are inherent with tunnels.

* Tunnel mechanisms introduce the potential for unauthorized access to the 
service. This can be countered by authenticating all tunnels. It doesn't 
matter what the specific mechanism used is: inside-GRE or outside-GRE (maybe AH).

* Many unidirectional links are open-broadcast, and can be received by 
anyone. This lack of secrey isn't especially a problem for the UDLR 
protocol itself. There is one exception: the feed addresses are broadcast 
here - keeping them secret might help with the first problem. Depending on 
the service being offered, open-broadcast might be problematic, but this 
really isn't our problem. If secrecy is needed, link level secrecy 
mechanisms are appropriate.

Tim