Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)

Donald Eastlake <> Wed, 23 August 2017 19:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2F0691323B5; Wed, 23 Aug 2017 12:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SzCJFnikQ8mG; Wed, 23 Aug 2017 12:38:46 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E60A4132C76; Wed, 23 Aug 2017 12:38:41 -0700 (PDT)
Received: by with SMTP id j144so11343575oib.1; Wed, 23 Aug 2017 12:38:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wtXQPTlPHCjmc0NEeuPpSBujQS74fA07qH6SDhwWE1w=; b=YEwO7cOT0oCc7Tiin91wvBPt9DHzRIcWM85G5GasPQg+N9/I1mhuV66ZGO7wfLnVUM ppMimkyw+PfPCfz/aYhXsl1I7dtKCh3FqJyw1UkpoZgUs4TaGi4tPwp2SwUMvhLEJEjs 4/a/NduKvLlSMDg3r+8HK7V4uM8KVnxJn700dnCJbDQW5UKcalefqXLVdwzDaEZg9Ej/ eAkUe4vaPQndxW4MTDD2aA1pg5D6LkFyxvpYkxex+vtKS0TkPMLMT+rnwzULMYHtS1hB TyO+u+zvNe/0LWQaavffu8KzxZA1o+SrkJJLD+g3753zTsTO6bOFPUDb1qjwt4SrGepk XMqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wtXQPTlPHCjmc0NEeuPpSBujQS74fA07qH6SDhwWE1w=; b=mWV3u0+yzaV2yfGVAidAaskIUFPcEIoHmxmsT7ODQ6fPSw3mIvqmPoe33XYaMetAdV M3GwSPOhpt+G6A+pPpcOmclJAeg+T5jan5t6EEiIhUL1JzqvuMaYQBC9GBbwp4MKAetc zly30cpKbVQSGyt3mTd6NhyxdBfGIAwW4oy+jr2IHCQQxqGk2Ygpo9HfdltivuoS/ba3 utr1PwJlcEdEP7wWnS9u/0/UyTEUnvzg2bM5wznpF46AKXIqg1P/QGPEIAl+0R2fviNE sThmot0QH50lNWiqeHHApin9RzGsxZeuf49gHQWgUXV9WJgdtUbobr1RfvjgennN++0t XlCQ==
X-Gm-Message-State: AHYfb5g6ccWsgbrp87qt++IaysymnBImCu+D1pRD/gXsEXxhiBHUhlwy cVanLGGw4gCUgp5oF8um/kS5/pwjrw==
X-Received: by with SMTP id x14mr4695115oix.172.1503517113419; Wed, 23 Aug 2017 12:38:33 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 23 Aug 2017 12:38:17 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Donald Eastlake <>
Date: Wed, 23 Aug 2017 15:38:17 -0400
Message-ID: <>
To: Eric Rescorla <>
Cc: The IESG <>,, "" <>, Susan Hares <>, "" <>
Content-Type: multipart/alternative; boundary="001a113cc43e758fda055770db5e"
Archived-At: <>
Subject: Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 Aug 2017 19:38:50 -0000

Hi Eric,

On Wed, Jul 5, 2017 at 7:38 AM, Eric Rescorla <> wrote:
> Eric Rescorla has entered the following ballot position for
> draft-ietf-trill-arp-optimization-08: Discuss
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------

As a general comment, the Security Consideration section could use
clarification and some expansion.

Although one can imagine various mixed modes, to the first approximation
there are two ways of doing the optimization of various multi-destination
messages discussed in this document:

   - Using data plane learning by observing ARP/ND and similar messages (in
   addition to the learning of MAC addresses from the data plane which is
   enabled by default in TRILL). As described in this document, such data
   plane learning by TRILL switches can be used to sometimes optimize
   ARP/ND/RARP/unknown-destination messages. But the result isn't particularly
   more or less secure than it is when this data plane learning is done by end
   stations rather than by TRILL switches (or bridges or other kinds of
   switches) in the middle doing some optimization of the relevant
   multi-destination messages. Interface address information learned through
   data plane learning by edge TRILL switches can also be propagated via the
   control plane but this is not significantly different from propagating that
   information via the multi-destination messages that are being optimized to
   unicast or optimized away.
   - Using a complete, trusted directory as might be based on an
   orchestration system in a data center. Since the messages between TRILL
   switches doing ARP/ND/RARP/unknown-destination optimization can be secured
   and the TRILL switches can be configured to ignore data plane learning,
   this enables TRILL switches to provide answers that are "correct" in that
   they correspond to the data in this complete, trusted directory. However,
   there can still be various forged messages/addresses on a local link
   between end station(s) and edge TRILL switches. Such a local link can, with
   TRILL, be a bridged LAN, so such forgeries emitted by an end station may be
   seen by other end stations and cause incorrect learning from the data plane.

The existing Security Considerations section is a bit sketchy and
concentrates more on the data plane case, as that is the one with the
greatest security challenges.

> It's not clear to me how the security properties of this mechanism
> compare to existing TRILL. The text says:
>    Unless Secure ND (SEND [RFC3971]) is used, ARP and ND messages can be
>    easily forged. Therefore the learning of MAC/IP addresses by RBridges
>    from ARP/ND should not be considered as reliable. See Section 4.1 for
>    SEND Considerations.
> "not considered as reliable" seems suboptimal. You need to cover how
> this mechanism compares to the non-use of this mechanism.

As above, the optimization mechanisms do not make any significant
difference to the inherent insecurities of data plane learning but when
used with a complete, trusted directory, it improves considerably over data
plane learning..

> This document seems very sketchy on what you do when you get duplicate
> IPs.

Why should what you do when you notice a duplicate IP address be
significantly different just because some multi-destination messages are
being optimized? Why shouldn't you just do whatever you do now and why is
that any of TRILL's business?

>    In the case where the former owner replies, a Duplicate Address has
>    been detected. In this case the querying RBridge SHOULD log the
>    duplicate so that the network administrator can take appropriate
>    action.
> How does logging solve the problem?

It doesn't but it seems better than not logging.

> What do you reply to ARPs with and/or propagate to other nodes?

If you are asking how you reply to ARPs if the IP address being ARPed for
has been found to be duplicated, there are the two cases outlined above. If
you are using a complete, trusted directory, you give the presumed correct
answer provided by that directory. If you are using data plane learning,
you use whatever you last learned from the data plane (which could have
been a forgery over writing good information or good information over
writing a forgery or a forgery overwriting a different forgery or ...).

> Do you tell the originator of the advertisement you have a duplicate?

As far as I know there is no standardized way to tell a station that you
think it has an IP address that is duplicated locally and I don't think it
is the job of TRILL to provide such a mechanism. Certainly this document
does not propose anything of that sort.

>    When a newly connected end-station exchanges messages with a DHCP
>    [RFC2131] server an edge RBridge should snoop them (mainly the
>    DHCPAck message) and store IP/MAC mapping information in its ARP/ND
>    cache and should also send the information out through the TRILL
>    control plane using ESADI.
> What happens if the attacker sets up a fake DHCP server and pretends
> to assign addresses to himself? It seems like maybe that's the same
> as fake ARPs but maybe not.

This snooping on DHCP messages only applies to the data plane learning
case. In the case of a complete, trusted directory, edge RBridges already
know the right answer, so to speak. With data plane learning, if there are
forged DHCP messages, things are likely to get all screwed up. Of course,
you could run DHCP over IPsec but, partly due to the localized nature of
DHCP, I don't think very many people do that. There is also RFC 3118 which
can be used to authenticate DHCP messages, but that assumes the
distribution of keying information.

There isn't much difference between the various multi-destination messages
(ARP / DHCP) advertising the addresses and point of attachment of
interfaces. But, overall, I'm not sure why a document that is just
describing ways to optimize the distribution of various multi-destination
messages needs to analyze the security of the protocols implemented by
those multi-destination when, as in the data plane learning case, it is not
significantly changing that security.

> In general, the security considerations need a complete threat
> analysis per 3552.

I don't think there is that much new in this document. While the Security
Considerations section needs clarification and some expansion, I don't
think it is, for example, the job of this document to do a threat analysis
of the ARP protocol as long as it can make a reasonable case that the
security of ARP is not significantly changed by the optimizations specified.

> ----------------------------------------------------------------------
> ----------------------------------------------------------------------

For completeness, I've cut and pasted below the COMMENT responses I sent to
you a while ago.

 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA

> S 2.
>    plane on the edge RBridges, it should be possible to completely
>    suppress flooding of ARP/ND messages in a TRILL Campus, When all end-
>    station MAC addresses are similarly known, it should be possible to
>    suppress unknown unicast flooding by dropping any unknown unicast
>    received at an edge RBridge.
> Are these "should be possibles" normative? Descriptive?

Section 2 of this document is a general discussion of the optimization
problem which, while it does mention a couple of possible facets of
potential solutions, is not intended to be normative.

> S 4.
> This is a sequence of steps, so it would be nice to preface them with
> a list of the steps. It's also odd to have SEND considerations right
> in the middle here.

Sorry, I don't understand exactly what you are pointing at as a
sequence of steps. All of Section 4? Just the text between the Section
4 heading and the Section 4.1 heading? Something else?

> 4.3 Get Sender's IP/MAC Mapping Information for Non-zero IP
> Please explain what a non-zero IP is and why it's relevant.
> This graf also needs an introductory sentence or something before
> the bullets.

Here is a copy of the response that was sent to a similar comment in
Dale Worley's GENART review:

This section is talking about getting and handling the IP/MAC
mapping information for a local end station by an edge RBridge. An
ARP/ND from such a local end station might show a zero source IP
address if the end station does not have one or is probing for

Perhaps the title for the Section should be something like

   4.3 Extracting Local End Station IP/MAC Mapping Information

and a new first paragraph could be added something like

   Edge RBridges extract and use information about the correspondence
between local end station IP and MAC addresses from the ARP/ND
messages those end stations send as described below. An apparent zero
source IP address means that the end station is probing for duplicate
IP addresses and messages with such a zero source IP address are not
used for the extraction of IP/MAC address mapping information.

> S 4.4.
>    It is not essential that all RBridges use the same strategy for which
>    option to select for a particular ARP/ND query. It is up to the
>    implementation.
> This seems inconsistent with the MUST in arm (b) below, because I
> can just take some other arm. It's also kind of surprising to be this
> non-prescriptive.

The wording needs to be clarified. Which lettered item listed below
applies is determined by the circumstances; however, which of the
numbered strategies associated with these items is followed is an
implementation choice in handeling any particular ARP/ND.

> S 8.
>    some other location (MAC/VM Mobility) and gets connected to egde-
> Nit: edge is mispelled.