Security review of Directory Assisted TRILL Encapsulation draft-ietf-trill-directory-assisted-encap-09.txt

(A day late and a dollar short, sorry)

Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The document describes "the benefits of and a scheme for non-RBridge nodes performing TRILL encapsulation." The scheme uses TRILL directories to help with the scaling issues for large TRILL networks that co-exist with non-TRILL networks. Non-RBridge nodes can find a TRILL directory and properly encapsulate packets with TRILL headers to guide them to and from the network edges. The method reduces the amount of node information that might otherwise be assigned and flooded through the network.

There are security considerations that mandate that the directory server and the TRILL encapsulating nodes "properly authenticate with each other to protect sensitive information," but there is no discussion of what is "proper" or how the propriety is maintained. How does the directory server know which entities are authorized to be encapsulating nodes, and what information are they allowed to see (or change)? How do the encapsulating nodes know how to authenticate the directory nodes? Is this essential configuration that has to be built in before the network can function with directory assisted encapsulation? Does it require cooperation between administrators in different parts of a campus?

In some places the behavior of the nodes depends on whether or not the directory is "known to be complete". This seems like transient information that has to be communicated in some unspecified way at unspecified times. It may not affect security, but it might affect dependability?

Nits about grammar are many, but the one that interferes with comprehension is the split infinitive in "it is still necessary to designate AF ports to, for example, be sure that multi-destination ..."

Hilarie
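To make concrete what a non-RBridge node does when it "finds a TRILL directory and properly encapsulates packets with TRILL headers", here is an added Python illustration. It is not code from the draft, from the TRILL WG, or from the reviewer. The 6-octet TRILL header layout (Ethertype 0x22F3; V, R, M, Op-Length, Hop Count; egress and ingress nicknames) follows RFC 6325. Everything else is an assumption made for this example: the wire format of the directory response, the HMAC-SHA256 pre-shared-key check standing in for the draft's unspecified "proper" authentication, the `complete` flag, and the rule that an unknown destination is dropped when the directory is complete and flooded on a distribution tree otherwise.

```python
"""TRILL encapsulation by a non-RBridge end station using a directory lookup.

Added illustration only. Header layout per RFC 6325; the directory response
format, the HMAC check and the unknown-destination policy are assumptions.
"""
import hmac
import struct

TRILL_ETHERTYPE = 0x22F3
MAX_HOP_COUNT = 63          # Hop Count is a 6-bit field
DIR_ENTRY_FMT = "!6sH"      # assumed directory entry: MAC, egress nickname


def build_trill_header(egress, ingress, multi_dest=False,
                       hop_count=MAX_HOP_COUNT, version=0):
    """Pack the TRILL header: V(2) R(2) M(1) Op-Length(5) Hop(6), egress, ingress."""
    if not 0 <= hop_count <= MAX_HOP_COUNT:
        raise ValueError("hop count must fit in 6 bits")
    if not (0 < egress <= 0xFFFF and 0 < ingress <= 0xFFFF):
        raise ValueError("nicknames are 16-bit and nickname 0 is reserved")
    first = ((version & 0x3) << 14) | ((1 if multi_dest else 0) << 10) | hop_count
    return struct.pack("!HHH", first, egress, ingress)


def parse_trill_header(data):
    """Unpack the first 6 octets of a TRILL header into its fields."""
    first, egress, ingress = struct.unpack("!HHH", data[:6])
    return {
        "version": first >> 14,
        "reserved": (first >> 12) & 0x3,
        "multi_dest": bool((first >> 10) & 0x1),
        "op_length": (first >> 6) & 0x1F,
        "hop_count": first & 0x3F,
        "egress": egress,
        "ingress": ingress,
    }


class Directory:
    """MAC -> egress-nickname table as learned from a directory (assumed structure)."""

    def __init__(self, entries, complete):
        self.entries = dict(entries)
        self.complete = complete          # "known to be complete", per the reviewer's point

    @classmethod
    def from_signed_response(cls, payload, tag, key):
        """Load a directory response only if its HMAC-SHA256 tag verifies.

        Assumed format: 1 flags byte (bit 0 = complete) + N * (6-byte MAC, 2-byte nickname).
        The pre-shared key is a placeholder for whatever 'proper' authentication means.
        """
        expected = hmac.new(key, payload, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("directory response failed authentication")
        complete = bool(payload[0] & 0x1)
        body = payload[1:]
        size = struct.calcsize(DIR_ENTRY_FMT)
        if len(body) % size:
            raise ValueError("malformed directory response")
        entries = [struct.unpack(DIR_ENTRY_FMT, body[i:i + size])
                   for i in range(0, len(body), size)]
        return cls(entries, complete)

    def lookup(self, mac):
        return self.entries.get(mac)


def encapsulate(frame, directory, ingress_nickname, tree_nickname):
    """Prepend Ethertype + TRILL header to an inner Ethernet frame.

    Returns None when the frame is dropped. Outer per-hop MAC addresses are
    omitted; only Ethertype + TRILL header + inner frame is produced.
    """
    dst_mac = frame[0:6]
    egress = directory.lookup(dst_mac)
    if egress is not None:
        hdr = build_trill_header(egress, ingress_nickname, multi_dest=False)
    elif directory.complete:
        return None      # assumption: complete directory => unknown MAC does not exist
    else:
        hdr = build_trill_header(tree_nickname, ingress_nickname, multi_dest=True)
    return struct.pack("!H", TRILL_ETHERTYPE) + hdr + frame


# Constructed sample data for a stand-alone run.
KEY = b"example-psk"
KNOWN_MAC = bytes.fromhex("001122334455")
PAYLOAD = bytes([0x00]) + struct.pack(DIR_ENTRY_FMT, KNOWN_MAC, 0x1234)   # not complete
TAG = hmac.new(KEY, PAYLOAD, "sha256").digest()


def sample_frame(dst_mac):
    """Constructed inner Ethernet frame: dst, src, Ethertype IPv4, 4 payload bytes."""
    return dst_mac + bytes.fromhex("aabbccddeeff") + b"\x08\x00" + b"\xde\xad\xbe\xef"


if __name__ == "__main__":
    d = Directory.from_signed_response(PAYLOAD, TAG, KEY)
    print(parse_trill_header(encapsulate(sample_frame(KNOWN_MAC), d, 0x5678, 0x0ABC)[2:]))
```

The split between `from_signed_response` and `lookup` is deliberate: the node must decide whether to trust a directory before it acts on any entry, and a stale or forged entry would steer the inner frame to an attacker-chosen egress RBridge, which is exactly why the reviewer asks what "properly authenticate" means.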