Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)

"Susan Hares" <> Thu, 06 July 2017 20:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EAB97131536; Thu, 6 Jul 2017 13:06:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.946
X-Spam-Status: No, score=0.946 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TbFctdYDvjSv; Thu, 6 Jul 2017 13:06:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 73D9813196C; Thu, 6 Jul 2017 13:05:54 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=;
From: Susan Hares <>
To: 'Eric Rescorla' <>
Cc: 'The IESG' <>,,,,
References: <> <004201d2f63f$9ad86090$d08921b0$> <>
In-Reply-To: <>
Date: Thu, 06 Jul 2017 16:00:01 -0400
Message-ID: <00d601d2f692$748f9270$5daeb750$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00D7_01D2F670.ED80FFB0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG2C0XqA3D6Dqxt00xKejUXJSUYyAJG4NftAdyzEX+iX+/9UA==
Content-Language: en-us
Archived-At: <>
Subject: Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Jul 2017 20:06:34 -0000



Thank you for your answers.   I will investigate the issues further and work with the authors to suggest some text.  May I or the authors follow up with additional questions? 




From: Eric Rescorla [] 
Sent: Thursday, July 6, 2017 9:06 AM
To: Susan Hares
Cc: The IESG;;;;
Subject: Re: Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)




On Thu, Jul 6, 2017 at 3:06 AM, Susan Hares <> wrote:



Thank you for your comments and questions.  The text of this email requests clarification on your discuss so that I may aid the authors in adjusting the draft.   I have included my question inline below.


Sue Hares


-----Original Message-----

From: Eric Rescorla [] 

Sent: Wednesday, July 5, 2017 7:39 AM

To: The IESG


Subject: Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)


Eric Rescorla has entered the following ballot position for

draft-ietf-trill-arp-optimization-08: Discuss


When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)



Please refer to

for more information about IESG DISCUSS and COMMENT positions.



The document, along with other ballot positions, can be found here:








> It's not clear to me how the security properties of this mechanism compare to existing TRILL. The text says:


>  Unless Secure ND (SEND [RFC3971]) is used, ARP and ND messages can be

>  easily forged. Therefore the learning of MAC/IP addresses by RBridges

> from ARP/ND should not be considered as reliable. See Section 4.1 for

>  SEND Considerations.


> "not considered as reliable" seems suboptimal. You need to cover how this mechanism compares to the non-use of this mechanism.


Question 1:  Are you asking how the "ARP/ND" is unreliable?  Is this not documented adequately in the SEND documentation? 

Are you asking why the learning of MAC/IP addresses by the RBRIDGE using ARP/ND is not reliable in addition to the issues raised by the SEND document?  

Sorry, no. I'm saying that "not be considered reliable" is not operationalizable by

the implementor. What are they supposed to do with information which is not

reliable? More specifically, what is their security posture if they use the mechanism

documented in this document versus if they do not? 


> How does logging solve the problem?

Question 2: Logging allows the network management systems to detect the problem, and determine if SEND should be used or if other security measures should be taken.  Are you looking for other mechanisms outside of SEND?


This seems like it's of limited use if this actually is an attack. My experience

with logging systems is that people don't check their logs very often unless

they see a lot of errors. I've certainly seen duplicate IPs in small networks

plenty of times, and I just ignore them. I assume others do as well.


> What do you reply to ARPs with and/or propagate to other nodes? 

> Do you tell the originator of the advertisement you have a duplicate?


Question 3: Are you specifically asking about the reply to duplicate address detection ARPs in the first question?  Are you looking for a specific answer to second part of this question.  In my understanding of security (which is limited compared to yours), I would not recommend responding to the originator of the advertisement that there is a duplicate since this might aid attacks on the valid originator.   

Can you provide additional input on what you'd like to see here? 

I think the spec should take a position on how the implementation should behave when

it encounters this situation. My general concern here is that you have a mechanism

which has a known security vulnerability but the spec is pretty silent on how you should

handle it when you have signs that it is being exploited.




> When a newly connected end-station exchanges messages with a DHCP

>  [RFC2131] server an edge RBridge should snoop them (mainly the

>  DHCPAck message) and store IP/MAC mapping information in its ARP/ND

>  cache and should also send the information out through the TRILL

>  control plane using ESADI.


What happens if the attacker sets up a fake DHCP server and pretends to assign addresses to himself? It seems like maybe that's the same as fake ARPs but maybe not.


In general, the security considerations need a complete threat analysis per 3552.


Question 4: Can you provide someone from the SEC-DIR to provide a review for a threat analysis per RFC3552. 

It's probably easier if I review it. If you're looking for a collaborator, let me know and I'll see who I can round up.











S 2.


   plane on the edge RBridges, it should be possible to completely

   suppress flooding of ARP/ND messages in a TRILL Campus, When all end-

   station MAC addresses are similarly known, it should be possible to

   suppress unknown unicast flooding by dropping any unknown unicast

   received at an edge RBridge.


Are these "should be possibles" normative? Descriptive?


S 4.

This is a sequence of steps, so it would be nice to preface them with a list of the steps. It's also odd to have SEND considerations right in the middle here.



4.3 Get Sender's IP/MAC Mapping Information for Non-zero IP Please explain what a non-zero IP is and why it's relevant.

This graf also needs an introductory sentence or something before the bullets.



S 4.4.

   It is not essential that all RBridges use the same strategy for which

   option to select for a particular ARP/ND query. It is up to the



This seems inconsistent with the MUST in arm (b) below, because I can just take some other arm. It's also kind of surprising to be this non-prescriptive.



S 8.

   some other location (MAC/VM Mobility) and gets connected to egde-


Nit: edge is mispelled.