[rbridge] Updated charter

michsmit at cisco.com (Michael Smith) Mon, 31 January 2005 08:58 UTC

From: "michsmit at cisco.com"
Date: Mon, 31 Jan 2005 08:58:37 +0000
Subject: [rbridge] Updated charter
In-Reply-To: <1107020317.5576.3860.camel@unknown.hamachi.org>
Message-ID: <200501311656.BBL77892@mira-sjc5-f.cisco.com>
X-Date: Mon Jan 31 08:58:37 2005


> From: Bill Sommerfeld [mailto:sommerfeld@sun.com] 
> Sent: Saturday, January 29, 2005 9:39 AM
> To: michsmit@cisco.com; Developing a hybrid router/bridge.
> 
> On Sat, 2005-01-29 at 12:07, Michael Smith wrote:
> 
> > Sending the ARP responses to all hosts
> > claiming a particular IP address (in other words,
> > replicating the "bad"
> > traffic)
> 
> If the rbridge has a reliable way to tell a "good arp" from a 
> "bad arp", it should definitely not forward the "bad" ones.  
> 
> What should it do when it can't tell?   If you allow for mobility 
> and unmanaged operation, you're going to have to allow for 
> addresses to pop up at perhaps unexpected places, and *that* 
> is what will cause DoS potential.

Assuming the hosts are using DHCP, DHCP snooping at the ingress bridge can
be used to verify the MAC-to-IP binding, ensuring that the DHCP policy is
enforced.  If static addressing is used, then there should probably be a
static entry in the MAC-IP binding table.  That said, static addressing and
mobility usually don't mix.
> 
> > IMHO, this
> > is functionality much better performed within the ingress rbridge 
> > rather than the egress host.
> 
> perhaps if all switches and hosts are under the same 
> administration and the network admins are good enough to tell 
> host admins that their switches detected this anomalous behavior....
> 
> but that presumes a state of organizational and operational 
> harmony between network and host administrators that i have 
> rarely encountered in the production networks I'm familiar with.

My understanding is that host addressing is usually in the domain of the
networking folks.  But in general, I agree, there are sometimes
organizational issues, which in this case are probably between the network and
the security admins.  Typically, administrators have a much better idea of
the networking gear attached to their network than the hosts they have
attached.  Relying on the rbridge to enforce MAC-IP binding seems much more
manageable than leaving it to the wide multitude of host devices on the
network.

Michael

> 
> 						- Bill
From sommerfeld at sun.com  Mon Jan 31 09:08:06 2005
From: sommerfeld at sun.com (Bill Sommerfeld)
Date: Mon Jan 31 09:08:34 2005
Subject: [rbridge] Updated charter
In-Reply-To: <200501311656.BBL77892@mira-sjc5-f.cisco.com>
References: <200501311656.BBL77892@mira-sjc5-f.cisco.com>
Message-ID: <1107191286.1705.122.camel@thunk>

On Mon, 2005-01-31 at 11:56, Michael Smith wrote:
>  
> > What should it do when it can't tell?   If you allow for mobility 
> > and unmanaged operation, you're going to have to allow for 
> > addresses to pop up at perhaps unexpected places, and *that* 
> > is what will cause DoS potential.
> 
> Assuming the hosts are using DHCP, DHCP snooping at the ingress bridge can
> be used to verify the MAC-to-IP binding ensuring that the DHCP policy is
> enforced.  If static addressing is used, then there should probably be a
> static entry in the MAC-IP binding table.  That said, static addressing and
> mobility usually don't mix.

That didn't actually answer my question. 

I repeat: what should rbridges do when they can't tell whether the MAC-IP binding is
authorized?

My suggestion regarding mirroring the arps is not intended to replace enforcement 
when such mechanisms exist.

Instead, it is an attempt to get an out-of-the-box, unmanaged rbridge net to behave 
at least as well as a broadcast ethernet domain behaves -- the host being spoofed 
will quickly become aware that spoofing is going on!

						- Bill
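The two positions in this exchange (Michael's: enforce the MAC-to-IP binding at the ingress rbridge from DHCP snooping or static entries; Bill's: when no authoritative binding exists, mirror ARP replies to every host claiming the IP so the spoofed host notices) can be combined into one ingress policy. The following is an added illustration written for this archive page, not code from the rbridge work or from either author; the class name `IngressArpPolicy`, the action strings and the sample addresses are constructed for the example.

```python
"""Constructed model of an ingress rbridge ARP-reply policy (example, not rbridge code).

Rules, following the thread:
  * A binding learned from a DHCP ACK (snooping) or configured statically is
    authoritative: a matching ARP reply is forwarded, a mismatch is dropped
    and logged so an operator can see the conflict.
  * With no binding known (unmanaged network), the reply is forwarded as usual
    and additionally mirrored to every other host previously seen claiming the
    same IP, so a host being spoofed quickly learns that it is happening.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Claimant:
    """A (MAC, ingress port) pair that has asserted ownership of an IP."""
    mac: str
    port: str


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply the ingress rbridge needs for the decision."""
    sender_mac: str
    sender_ip: str
    ingress_port: str


class IngressArpPolicy:
    def __init__(self) -> None:
        # Authoritative bindings: ip -> claimant (from DHCP snooping or static config).
        self.bindings: Dict[str, Claimant] = {}
        # Everything observed claiming an ip, used only when no binding is known.
        self.claimants: Dict[str, Set[Claimant]] = {}
        # Dropped replies, kept as the detection record for the operator.
        self.dropped: List[ArpReply] = []

    def learn_dhcp_ack(self, ip: str, mac: str, port: str) -> None:
        """Record the binding carried by a snooped DHCP ACK."""
        self.bindings[ip] = Claimant(mac, port)

    def add_static_binding(self, ip: str, mac: str, port: str) -> None:
        """Record an operator-configured binding for a statically addressed host."""
        self.bindings[ip] = Claimant(mac, port)

    def handle(self, reply: ArpReply) -> Tuple[str, List[Claimant]]:
        """Return (action, extra_destinations).

        action is "forward", "drop", or "mirror"; "mirror" means forward
        normally *and* send copies to the listed other claimants.
        """
        observed = Claimant(reply.sender_mac, reply.ingress_port)
        bound = self.bindings.get(reply.sender_ip)
        if bound is not None:
            if bound == observed:
                return ("forward", [])
            self.dropped.append(reply)  # bad ARP: binding known and violated
            return ("drop", [])

        # Unmanaged case: no authoritative binding for this IP.
        seen = self.claimants.setdefault(reply.sender_ip, set())
        others = sorted((c for c in seen if c != observed), key=lambda c: (c.mac, c.port))
        seen.add(observed)
        if others:
            return ("mirror", others)
        return ("forward", [])


def demo() -> List[Tuple[str, List[Claimant]]]:
    """Run the policy over constructed traffic and return the decisions."""
    policy = IngressArpPolicy()
    policy.learn_dhcp_ack("10.0.0.5", "00:11:22:33:44:01", "port1")   # managed host
    return [
        policy.handle(ArpReply("00:11:22:33:44:01", "10.0.0.5", "port1")),  # legitimate
        policy.handle(ArpReply("00:11:22:33:44:99", "10.0.0.5", "port7")),  # violates binding
        policy.handle(ArpReply("00:11:22:33:44:02", "10.0.0.9", "port2")),  # unmanaged, first claim
        policy.handle(ArpReply("00:11:22:33:44:03", "10.0.0.9", "port3")),  # unmanaged, conflicting claim
        policy.handle(ArpReply("00:11:22:33:44:02", "10.0.0.9", "port2")),  # original host re-asserts
    ]


if __name__ == "__main__":
    for action, extra in demo():
        print(action, [f"{c.mac}@{c.port}" for c in extra])
```

The unmanaged branch mirrors only to *other* claimants, so a host re-announcing its own address is not sent copies of its own replies; the managed branch never mirrors, because once the binding is authoritative the mismatching reply is simply dropped and recorded.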