[rbridge] Updated charter
michsmit at cisco.com (Michael Smith) Mon, 31 January 2005 08:58 UTC
From: "michsmit at cisco.com"
Date: Mon, 31 Jan 2005 08:58:37 +0000
Subject: [rbridge] Updated charter
In-Reply-To: <1107020317.5576.3860.camel@unknown.hamachi.org>
Message-ID: <200501311656.BBL77892@mira-sjc5-f.cisco.com>
X-Date: Mon Jan 31 08:58:37 2005
> From: Bill Sommerfeld [mailto:sommerfeld@sun.com]
> Sent: Saturday, January 29, 2005 9:39 AM
> To: michsmit@cisco.com; Developing a hybrid router/bridge.
>
> On Sat, 2005-01-29 at 12:07, Michael Smith wrote:
>
> > Sending the ARP responses to all hosts
> > claiming a particular IP address (in other words,
> > replicating the "bad"
> > traffic)
>
> If the rbridge has a reliable way to tell a "good arp" from a
> "bad arp", it should definitely not forward the "bad" ones.
>
> What should it do when it can't tell? If you allow for mobility
> and unmanaged operation, you're going to have to allow for
> addresses to pop up at perhaps unexpected places, and *that*
> is what will cause DoS potential.

Assuming the hosts are using DHCP, DHCP snooping at the ingress bridge can
be used to verify the MAC-to-IP binding, ensuring that the DHCP policy is
enforced. If static addressing is used, then there should probably be a
static entry in the MAC-IP binding table. That said, static addressing and
mobility usually don't mix.

> > IMHO, this
> > is functionality much better performed within the ingress rbridge
> > rather than the egress host.
>
> perhaps if all switches and hosts are under the same
> administration and the network admins are good enough to tell
> host admins that their switches detected this anomalous behavior....
>
> but that presumes a state of organizational and operational
> harmony between network and host administrators that i have
> rarely encountered in the production networks I'm familiar with.

My understanding is that host addressing is usually in the domain of the
networking folks. But in general, I agree, there are sometimes
organizational issues, which in this case are probably between the network
and the security admins. Typically, administrators have a much better idea
of the networking gear attached to their network than the hosts they have
attached.

Relying on the rbridge to enforce MAC-IP binding seems much more manageable
than leaving it to the wide multitude of host devices on the network.

Michael

>
> - Bill


From sommerfeld at sun.com Mon Jan 31 09:08:06 2005
From: sommerfeld at sun.com (Bill Sommerfeld)
Date: Mon Jan 31 09:08:34 2005
Subject: [rbridge] Updated charter
In-Reply-To: <200501311656.BBL77892@mira-sjc5-f.cisco.com>
References: <200501311656.BBL77892@mira-sjc5-f.cisco.com>
Message-ID: <1107191286.1705.122.camel@thunk>

On Mon, 2005-01-31 at 11:56, Michael Smith wrote:
>
> > What should it do when it can't tell? If you allow for mobility
> > and unmanaged operation, you're going to have to allow for
> > addresses to pop up at perhaps unexpected places, and *that*
> > is what will cause DoS potential.
>
> Assuming the hosts are using DHCP, DHCP snooping at the ingress bridge can
> be used to verify the MAC-to-IP binding ensuring that the DHCP policy is
> enforced. If static addressing is used, then there should probably be a
> static entry in the MAC-IP binding table. That said, static addressing and
> mobility usually don't mix.

That didn't actually answer my question. I repeat: what should rbridges do
when they can't tell whether the MAC-IP binding is authorized?

My suggestion regarding mirroring the arps is not intended to replace
enforcement when such mechanisms exist. Instead, it is an attempt to get an
out-of-the-box, unmanaged rbridge net to behave at least as well as a
broadcast ethernet domain behaves -- the host being spoofed will quickly
become aware that spoofing is going on!

- Bill
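The two positions in the exchange above, as an added example that is not code from the rbridge list, from either poster, or from any rbridge implementation: a simulated ingress-rbridge binding table that learns MAC-to-IP bindings by DHCP snooping (accepting server replies only on trusted uplink ports, and placing the client on the edge port its request came from) and from static entries, and then decides per ARP whether to forward it, drop it because it contradicts a known binding, or, when there is no binding to judge by, mirror the competing claim to the ports of the earlier claimants so the spoofed host notices. The class, method, verdict and port names are assumptions, the MAC addresses are from the IANA documentation range, and the traffic in run_demo() is constructed.

```python
"""Simulated ingress-rbridge ARP policy driven by a DHCP-snooping binding table.

Added example; not code from the rbridge list or any rbridge implementation.
Names (Verdict, BindingTable, port labels) are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FORWARD = "forward"  # consistent with what the ingress rbridge knows
    DROP = "drop"        # contradicts an authoritative (DHCP-snooped or static) binding
    MIRROR = "mirror"    # no authoritative binding: replicate to the other claimants


@dataclass(frozen=True)
class Binding:
    mac: str
    port: str
    source: str  # "dhcp" or "static"


@dataclass
class BindingTable:
    trusted_ports: set = field(default_factory=set)    # only these may carry DHCP server replies
    authoritative: dict = field(default_factory=dict)  # ip -> Binding
    pending: dict = field(default_factory=dict)        # client mac -> edge port of its last DHCP request
    claimants: dict = field(default_factory=dict)      # ip -> {(mac, port)} seen in ARP, unverified

    def add_static(self, ip, mac, port):
        """Operator-configured entry for a statically addressed host."""
        self.authoritative[ip] = Binding(mac, port, "static")

    def snoop_dhcp_request(self, ingress_port, client_mac):
        """Remember which edge port the client asked from; the ACK comes back on the uplink."""
        self.pending[client_mac] = ingress_port

    def snoop_dhcp_ack(self, ingress_port, client_mac, yiaddr):
        """Learn ip -> (mac, port) from a DHCP ACK. Returns True if a binding was installed."""
        if ingress_port not in self.trusted_ports:
            return False  # server reply arriving on an edge port: rogue DHCP server, ignore it
        if client_mac not in self.pending:
            return False  # ACK for a request we never saw: cannot place the client on a port
        existing = self.authoritative.get(yiaddr)
        if existing is not None and existing.source == "static":
            return False  # static entries are operator policy; DHCP does not override them
        self.authoritative[yiaddr] = Binding(client_mac, self.pending.pop(client_mac), "dhcp")
        self.claimants.pop(yiaddr, None)  # a verified binding supersedes unverified claims
        return True

    def check_arp(self, sender_ip, sender_mac, ingress_port):
        """Decide what to do with an ARP whose sender claims sender_ip.

        Returns (Verdict, tuple of ports to mirror the ARP to)."""
        binding = self.authoritative.get(sender_ip)
        if binding is not None:
            if (binding.mac, binding.port) == (sender_mac, ingress_port):
                return Verdict.FORWARD, ()
            return Verdict.DROP, ()
        # No binding to judge by: fall back to broadcast-domain behaviour, so every
        # earlier claimant of this address sees the competing claim and can react.
        seen = self.claimants.setdefault(sender_ip, set())
        others = {port for mac, port in seen if (mac, port) != (sender_mac, ingress_port)}
        seen.add((sender_mac, ingress_port))
        if others:
            return Verdict.MIRROR, tuple(sorted(others))
        return Verdict.FORWARD, ()


def run_demo():
    """Constructed traffic exercising each verdict; returns the results for inspection."""
    table = BindingTable(trusted_ports={"uplink0"})
    table.add_static("10.0.0.1", "00:00:5e:00:53:01", "port1")          # gateway, static entry
    table.snoop_dhcp_request("port2", "00:00:5e:00:53:02")             # host A asks on port2
    table.snoop_dhcp_ack("uplink0", "00:00:5e:00:53:02", "10.0.0.20")  # server answers on uplink
    results = {}
    # rogue DHCP server on an edge port tries to hand 10.0.0.20 to another MAC
    results["rogue_dhcp_ignored"] = table.snoop_dhcp_ack("port9", "00:00:5e:00:53:09", "10.0.0.20")
    # trusted server tries to lease the gateway's static address: static wins
    table.snoop_dhcp_request("port9", "00:00:5e:00:53:09")
    results["dhcp_vs_static"] = table.snoop_dhcp_ack("uplink0", "00:00:5e:00:53:09", "10.0.0.1")
    results["legit"] = table.check_arp("10.0.0.20", "00:00:5e:00:53:02", "port2")
    results["spoof_known"] = table.check_arp("10.0.0.20", "00:00:5e:00:53:09", "port9")
    results["gw_spoof"] = table.check_arp("10.0.0.1", "00:00:5e:00:53:09", "port9")
    # 10.0.0.50 has neither a lease nor a static entry: the bridge cannot tell
    results["unknown_first"] = table.check_arp("10.0.0.50", "00:00:5e:00:53:05", "port5")
    results["unknown_conflict"] = table.check_arp("10.0.0.50", "00:00:5e:00:53:09", "port9")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20} {outcome}")
```

The split follows the thread: where the table has a binding, the rbridge enforces it (forward or drop); where it has none, it does what an unmanaged broadcast domain would do, but only for the conflicting claim, so the host whose address is being claimed sees the competing ARP rather than the whole network carrying it.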