Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Mon, 02 October 2017 18:12 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6A2A1346CE for <trill@ietfa.amsl.com>; Mon, 2 Oct 2017 11:12:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z-7W3AubaaVe for <trill@ietfa.amsl.com>; Mon, 2 Oct 2017 11:12:55 -0700 (PDT)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A002A1346D3 for <trill@ietf.org>; Mon, 2 Oct 2017 11:12:50 -0700 (PDT)
Received: by mail-qt0-x235.google.com with SMTP id x54so8421477qth.12 for <trill@ietf.org>; Mon, 02 Oct 2017 11:12:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=n6tpynfcB19hvnhPhQNmKOaUAFMRlwtz4d3ikIoXJ30=; b=hnHYPasYzHkBMnyK9pgNHqsqGtZ3D0yOX5bVgF792a/E0JgVSq29C4yZaNtFgeWz8S C6U6omsfgiW8Z9dUZlzjmJklegfnxptNB/sZNGPxwwVyuztej+CF75JGhLiYmHpKUDBj Ir+HGb30aiap8vsWuIjZBKyROnzAb0+Xi8/2weqJo3ig7fsAfLjpKdFlOjIEg9QRRcZM 9DwlqUXKlWx5cfDKNjxfKwUd4cwFJ/IYSa/V2DcNsmnyiQzsN6KCeDH/o2Z3GG1XEYuh ivUiLl4eF+tv8BaO9NTtdYFCLz6vUo6aJQd4AehQj2TZMkImvA3jmatvgYhSKBRu7cn2 1pkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=n6tpynfcB19hvnhPhQNmKOaUAFMRlwtz4d3ikIoXJ30=; b=j3rEnSjfySz9HId3rZLIQpRccQ+ml0Nl0RWMcwq+JtW/+MnjOzlUPKSl/0ibhI9PQt J87Me0oDJH64HT5xZVT9cetI14cmnMFNLkayLrQdpoMXGOghSg2t3f3dPUvD2ZrTG1gr 8kC5VXns4fX4DHo9LbgVcio9177Q2V1cMhihJLZ8hUCpOwHp1+htGndH90oLsd31XcuV tNW2UyMwgnw5jgthybNy2Y1T1rw0dcYgoicrPI6T2U5HehCmmuth8/pRwSX3SbAifdnB O5P86HogpwYuBAJjvRVb8ECKpceAzfjkoLcplqmQe0hLdbszw8FqxXBr1un3Vnx2G1qf 6eBg==
X-Gm-Message-State: AHPjjUiI1kGFkE1BOwuIVYZBbTgYcc94rV2sfwPMbEm72lFiU9lX0Zbc COghw8aK/eZQXpqLHvvIWY5hBUFGHTUZ7egcVkYUtk0F
X-Google-Smtp-Source: AOwi7QBuhNgYoQSa2RGI4Z/ZcEzYRKH9OWqyIgR/vqzUYOsynCzwDt4rvK9OC1DntuAAwHRFTFdQZNPLo6o24HD6tnQ=
X-Received: by 10.129.178.69 with SMTP id q66mr13178456ywh.290.1506967969621; Mon, 02 Oct 2017 11:12:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.194 with HTTP; Mon, 2 Oct 2017 11:12:09 -0700 (PDT)
In-Reply-To: <CAF4+nEFZ9Oxe75roAFxhR+AJhoU5LSjFD=yYBuu5ULpbV5jy5w@mail.gmail.com>
References: <149925473455.19397.5891341140635090367.idtracker@ietfa.amsl.com> <CAF4+nEFVzrv0OvV13qqON9SRQZQj63ZaegtHbs9fp21Zo5Lusw@mail.gmail.com> <CABcZeBMay2x7mEB8gNv_w3bRM3mHuqWv-FR110A7-HGBHtrH=g@mail.gmail.com> <CAF4+nEFZ9Oxe75roAFxhR+AJhoU5LSjFD=yYBuu5ULpbV5jy5w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 02 Oct 2017 18:12:09 +0000
Message-ID: <CABcZeBNhMnyC6Y__5gpUw+d0LEP6Zy6cffo-eKmoT2sFXKfmhQ@mail.gmail.com>
To: Donald Eastlake <d3e3e3@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-trill-arp-optimization@ietf.org, "trill-chairs@ietf.org" <trill-chairs@ietf.org>, Susan Hares <skh@ndzh.com>, "trill@ietf.org" <trill@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c14626884813c055a945239"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/SHrrHsevEiKIQdk8sJ3mGdtynDg>
Subject: Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Oct 2017 18:12:58 -0000
On Mon, Oct 2, 2017 at 4:54 PM, Donald Eastlake <d3e3e3@gmail.com> wrote: > Hi Eric, > > My apologies for the delay in response. (For part of the time I was on > a cruise...) > > It looks like we are in agreement on most items. > > See below. > > On Fri, Sep 22, 2017 at 9:18 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > > > On Wed, Aug 23, 2017 at 12:38 PM, Donald Eastlake <d3e3e3@gmail.com> > wrote: > >> > >> Hi Eric, > >> > >> On Wed, Jul 5, 2017 at 7:38 AM, Eric Rescorla <ekr@rtfm.com> wrote: > >> > Eric Rescorla has entered the following ballot position for > >> > draft-ietf-trill-arp-optimization-08: Discuss > >> > > >> > ------------------------------------------------------------ > ---------- > >> > DISCUSS: > >> > ------------------------------------------------------------ > ---------- > >> > >> As a general comment, the Security Consideration section could use > >> clarification and some expansion. > >> > >> Although one can imagine various mixed modes, to the first approximation > >> there are two ways of doing the optimization of various > multi-destination > >> messages discussed in this document: > >> > >> + Using data plane learning by observing ARP/ND and similar messages (in > >> addition to the learning of MAC addresses from the data plane which is > >> enabled by default in TRILL). As described in this document, such data > plane > >> learning by TRILL switches can be used to sometimes optimize > >> ARP/ND/RARP/unknown-destination messages. But the result isn't > particularly > >> more or less secure than it is when this data plane learning is done by > end > >> stations rather than by TRILL switches (or bridges or other kinds of > >> switches) in the middle doing some optimization of the relevant > >> multi-destination messages. Interface address information learned > through > >> data plane learning by edge TRILL switches can also be propagated via > the > >> control plane but this is not significantly different from propagating > that > >> information via the multi-destination messages that are being optimized > to > >> unicast or optimized away. > >> + Using a complete, trusted directory as might be based on an > orchestration > >> system in a data center. Since the messages between TRILL switches doing > >> ARP/ND/RARP/unknown-destination optimization can be secured and the > TRILL > >> switches can be configured to ignore data plane learning, this enables > TRILL > >> switches to provide answers that are "correct" in that they correspond > to > >> the data in this complete, trusted directory. However, there can still > be > >> various forged messages/addresses on a local link between end > station(s) and > >> edge TRILL switches. Such a local link can, with TRILL, be a bridged > LAN, so > >> such forgeries emitted by an end station may be seen by other end > stations > >> and cause incorrect learning from the data plane. > >> > >> The existing Security Considerations section is a bit sketchy and > >> concentrates more on the data plane case, as that is the one with the > >> greatest security challenges. > > > > Yes, this seems like a reasonable assessment. Alia, does someone have the > > action item to make it less sketchy? > > We are working on a draft revision to reflect the above thinking to a > greater extent and decrease sketchiness. > > >> > It's not clear to me how the security properties of this mechanism > >> > compare to existing TRILL. The text says: > >> > > >> > Unless Secure ND (SEND [RFC3971]) is used, ARP and ND messages can > be > >> > easily forged. Therefore the learning of MAC/IP addresses by > RBridges > >> > from ARP/ND should not be considered as reliable. See Section 4.1 > for > >> > SEND Considerations. > >> > > >> > "not considered as reliable" seems suboptimal. You need to cover how > >> > this mechanism compares to the non-use of this mechanism. > >> > >> As above, the optimization mechanisms do not make any significant > >> difference to the inherent insecurities of data plane learning but when > used > >> with a complete, trusted directory, it improves considerably over data > plane > >> learning.. > > > > That had kind of been my impression, but then I don't understand what > "not > > considered as reliable" is doing here. I'm supposed to be doing something > > with it, so while it may be non-secure, I'm still relying on it, no? > > Well, at some level some elements of your protocol stack are "relying" > on it or "trusting" it or whatever term you want, but it's trivially > forged unless you use additional security protocols so I guess we > could say something about that. TRILL supports different link > technologies but if you are using an Ethernet link, I suppose you > could use 802.1AE to improve trust in MAC addresses at layer 2. It > wouldn't hurt to mention that but it has very little to do with ARP/ND > optimization or TRILL. > I think if you just sort of say "you are using it, but it's not trustworthy and here's why" you have it covered. -Ekr > >> > This document seems very sketchy on what you do when you get duplicate > >> > IPs. > >> > >> Why should what you do when you notice a duplicate IP address be > >> significantly different just because some multi-destination messages are > >> being optimized? Why shouldn't you just do whatever you do now and why > is > >> that any of TRILL's business? > > > > Because you're getting the information via different vector, TRILL needs > to > > specify what you do, > > if only to say "do what you would do otherwise". > > OK. > > >> > In the case where the former owner replies, a Duplicate Address has > >> > been detected. In this case the querying RBridge SHOULD log the > >> > duplicate so that the network administrator can take appropriate > >> > action. > >> > > >> > How does logging solve the problem? > >> > >> It doesn't but it seems better than not logging. > >> > >> > What do you reply to ARPs with and/or propagate to other nodes? > >> > >> If you are asking how you reply to ARPs if the IP address being ARPed > for > >> has been found to be duplicated, there are the two cases outlined > above. If > >> you are using a complete, trusted directory, you give the presumed > correct > >> answer provided by that directory. If you are using data plane > learning, you > >> use whatever you last learned from the data plane (which could have > been a > >> forgery over writing good information or good information over writing a > >> forgery or a forgery overwriting a different forgery or ...). > >> > >> > Do you tell the originator of the advertisement you have a duplicate? > >> > >> As far as I know there is no standardized way to tell a station that you > >> think it has an IP address that is duplicated locally and I don't think > it > >> is the job of TRILL to provide such a mechanism. Certainly this document > >> does not propose anything of that sort. > > > > OK. > > > > > >> > When a newly connected end-station exchanges messages with a DHCP > >> > [RFC2131] server an edge RBridge should snoop them (mainly the > >> > DHCPAck message) and store IP/MAC mapping information in its ARP/ND > >> > cache and should also send the information out through the TRILL > >> > control plane using ESADI. > >> > > >> > What happens if the attacker sets up a fake DHCP server and pretends > >> > to assign addresses to himself? It seems like maybe that's the same > >> > as fake ARPs but maybe not. > >> > >> This snooping on DHCP messages only applies to the data plane learning > >> case. In the case of a complete, trusted directory, edge RBridges > already > >> know the right answer, so to speak. With data plane learning, if there > are > >> forged DHCP messages, things are likely to get all screwed up. Of > course, > >> you could run DHCP over IPsec but, partly due to the localized nature of > >> DHCP, I don't think very many people do that. There is also RFC 3118 > which > >> can be used to authenticate DHCP messages, but that assumes the > distribution > >> of keying information. > >> > >> There isn't much difference between the various multi-destination > messages > >> (ARP / DHCP) advertising the addresses and point of attachment of > >> interfaces. But, overall, I'm not sure why a document that is just > >> describing ways to optimize the distribution of various > multi-destination > >> messages needs to analyze the security of the protocols implemented by > those > >> multi-destination when, as in the data plane learning case, it is not > >> significantly changing that security. > > > > Well, in this case, you have a new threat vector: DHCP. Even if it is the > > same kind of threats, it's still a new threat vector. > > More generally documents need to contain complete security considerations > > sections. If the security considerations > > are the same as with some other document, then they need to say that. > > OK. > > >> > In general, the security considerations need a complete threat > >> > analysis per 3552. > >> > >> I don't think there is that much new in this document. While the > Security > >> Considerations section needs clarification and some expansion, I don't > think > >> it is, for example, the job of this document to do a threat analysis of > the > >> ARP protocol as long as it can make a reasonable case that the security > of > >> ARP is not significantly changed by the optimizations specified. > > > > Sure, but it also doesn't make that case. > > I'll see what we can do. > > >> > ------------------------------------------------------------ > ---------- > >> > COMMENT: > >> > ------------------------------------------------------------ > ---------- > >> > >> For completeness, I've cut and pasted below the COMMENT responses I sent > >> to you a while ago. > >> > >> Thanks, > >> Donald > >> =============================== > >> Donald E. Eastlake 3rd +1-508-333-2270 (cell) > >> 155 Beaver Street, Milford, MA 01757 USA > >> d3e3e3@gmail.com > >> > >> > S 2. > >> > > >> > plane on the edge RBridges, it should be possible to completely > >> > suppress flooding of ARP/ND messages in a TRILL Campus, When all > end- > >> > station MAC addresses are similarly known, it should be possible to > >> > suppress unknown unicast flooding by dropping any unknown unicast > >> > received at an edge RBridge. > >> > > >> > Are these "should be possibles" normative? Descriptive? > >> > >> Section 2 of this document is a general discussion of the optimization > >> problem which, while it does mention a couple of possible facets of > >> potential solutions, is not intended to be normative. > >> > >> > >> > S 4. > >> > This is a sequence of steps, so it would be nice to preface them with > >> > a list of the steps. It's also odd to have SEND considerations right > >> > in the middle here. > >> > >> Sorry, I don't understand exactly what you are pointing at as a > >> sequence of steps. All of Section 4? Just the text between the Section > >> 4 heading and the Section 4.1 heading? Something else? > > > > Sorry, my point is that if I read this correctly, I do 4.3, then 4.4, > etc. > > It would be nice if they were listed ahead of this as "this is what you > do, > > now read the sections" > > OK. We can add some clarifying material to Section 4 before the 4.1 > heading. > > >> > 4.3 Get Sender's IP/MAC Mapping Information for Non-zero IP > >> > > >> > Please explain what a non-zero IP is and why it's relevant. > >> > This graf also needs an introductory sentence or something before > >> > the bullets. > >> > >> Here is a copy of the response that was sent to a similar comment in > >> Dale Worley's GENART review: > >> > >> This section is talking about getting and handling the IP/MAC > >> mapping information for a local end station by an edge RBridge. An > >> ARP/ND from such a local end station might show a zero source IP > >> address if the end station does not have one or is probing for > >> duplicates. > >> > >> Perhaps the title for the Section should be something like > >> > >> 4.3 Extracting Local End Station IP/MAC Mapping Information > >> > >> and a new first paragraph could be added something like > >> > >> Edge RBridges extract and use information about the correspondence > >> between local end station IP and MAC addresses from the ARP/ND > >> messages those end stations send as described below. An apparent zero > >> source IP address means that the end station is probing for duplicate > >> IP addresses and messages with such a zero source IP address are not > >> used for the extraction of IP/MAC address mapping information > > > > LGTM > > > > > >> > S 4.4. > >> > It is not essential that all RBridges use the same strategy for > which > >> > option to select for a particular ARP/ND query. It is up to the > >> > implementation. > >> > > >> > This seems inconsistent with the MUST in arm (b) below, because I > >> > can just take some other arm. It's also kind of surprising to be this > >> > non-prescriptive. > >> > >> The wording needs to be clarified. Which lettered item listed below > >> applies is determined by the circumstances; however, which of the > >> numbered strategies associated with these items is followed is an > >> implementation choice in handeling any particular ARP/ND. > > > > OK. > > > > > >> > S 8. > >> > some other location (MAC/VM Mobility) and gets connected to egde- > >> > > >> > Nit: edge is mispelled. > >> > >> OK. > > Thanks, > Donald > =============================== > Donald E. Eastlake 3rd +1-508-333-2270 (cell) > 155 Beaver Street, Milford, MA 01757 USA > d3e3e3@gmail.com >
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- [trill] Eric Rescorla's Discuss on draft-ietf-tri… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Susan Hares
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Susan Hares
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla