[rbridge] Updated charter
michsmit at cisco.com (Michael Smith) Sat, 29 January 2005 09:08 UTC
From: "michsmit at cisco.com"
Date: Sat, 29 Jan 2005 09:08:30 +0000
Subject: [rbridge] Updated charter
In-Reply-To: <1107009668.5576.3561.camel@unknown.hamachi.org>
Message-ID: <200501291707.BBL05541@mira-sjc5-f.cisco.com>
X-Date: Sat Jan 29 09:08:30 2005
> -----Original Message-----
> From: rbridge-bounces@postel.org
> [mailto:rbridge-bounces@postel.org] On Behalf Of Bill Sommerfeld
> Sent: Saturday, January 29, 2005 6:41 AM
> To: Developing a hybrid router/bridge.
> Subject: Re: [rbridge] Updated charter
>
> On Sat, 2005-01-29 at 05:08, marcelo bagnulo braun wrote:
>
> > but, wouldn't this render trivial to sniff any communication across
> > the whole bridged cloud?
>
> Seems to me like the existing properties in the charter
> (allow nodes to move at will; zero delay on new node
> connection, etc) will already allow for relatively trivial
> traffic hijacking, which, if anything, is worse than passive sniffing.
>
> With both nodes getting the traffic you at least prevent that
> denial-of-service.

Today, this is addressed in bridges using features such as 802.1X and
Cisco's Dynamic ARP Inspection. Sending the ARP responses to all hosts
claiming a particular IP address (in other words, replicating the "bad"
traffic) looks to open a wide possibility of DDoS attacks to both the
hosts involved and especially the rbridges performing the replication.
IMHO, this is functionality much better performed within the ingress
rbridge rather than the egress host.

Michael

> > i mean, i don't think it would acceptable to substitute routers by
> > rbridges if one of the costs is that anyone can sniff any
> > communication....
>
> I want it to be acceptable to replace bridges with rbridges;
> I don't think it will be acceptable to do that if you can
> spoof arp undetectably.
>
> And nothing prevents the rbridge from locking down certain
> addresses when local policy says to.
>
> - Bill
>
> _______________________________________________
> rbridge mailing list
> rbridge@postel.org
> http://www.postel.org/mailman/listinfo/rbridge

From sommerfeld at sun.com Sat Jan 29 09:38:38 2005
From: sommerfeld at sun.com (Bill Sommerfeld)
Date: Sat Jan 29 09:40:26 2005
Subject: [rbridge] Updated charter
In-Reply-To: <200501291707.BBL05541@mira-sjc5-f.cisco.com>
References: <200501291707.BBL05541@mira-sjc5-f.cisco.com>
Message-ID: <1107020317.5576.3860.camel@unknown.hamachi.org>

On Sat, 2005-01-29 at 12:07, Michael Smith wrote:
> Sending the ARP responses to all hosts
> claiming a particular IP address (in other words, replicating the "bad"
> traffic)

If the rbridge has a reliable way to tell a "good arp" from a "bad arp",
it should definitely not forward the "bad" ones.

What should it do when it can't tell?

If you allow for mobility and unmanaged operation, you're going to have
to allow for addresses to pop up at perhaps unexpected places, and
*that* is what will cause DoS potential.

> IMHO, this
> is functionality much better performed within the ingress rbridge rather
> than the egress host.

perhaps if all switches and hosts are under the same administration and
the network admins are good enough to tell host admins that their
switches detected this anomalous behavior....

but that presumes a state of organizational and operational harmony
between network and host administrators that i have rarely encountered
in the production networks I'm familiar with.

- Bill
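The two messages above argue over where ARP-reply policing belongs and what to do when a reply cannot be classified. The following Python is an added illustration written for this archive page; it is not code from the rbridge/TRILL work, from Cisco's Dynamic ARP Inspection, or from either author. It models an ingress rbridge that (a) enforces policy-locked IP-to-(MAC, port) bindings, the "lock down certain addresses when local policy says to" case, (b) applies a DAI-style consistency check between the Ethernet source address and the ARP sender hardware address, and (c) for unlocked addresses, records every claimant and, on a conflicting claim, forwards and raises an alert rather than either dropping (which would break the mobility the charter wants) or replicating to all claimants (the option Michael Smith warns against). The port names, MAC and IP addresses, and the frame sequence in `run_scenario` are constructed test data; the `IngressArpPolicy` class and its decision labels are hypothetical and not part of any rbridge specification.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpReply:
    eth_src: str      # Ethernet source address of the frame
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_ip: str    # ARP target protocol address


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(eth_src: str, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Construct an Ethernet II + ARP reply frame (constructed input, not a capture)."""
    eth = struct.pack("!6s6sH", _mac_bytes(target_mac), _mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                      _mac_bytes(target_mac), _ip_bytes(target_ip))
    return eth + arp


def parse_arp_reply(frame: bytes) -> Optional[ArpReply]:
    """Return the ARP reply carried by an Ethernet II frame, or None if it is not one."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return ArpReply(_mac(src), _mac(sha), _ip(spa), _ip(tpa))


class IngressArpPolicy:
    """Hypothetical ARP-reply admission at an ingress rbridge.

    locked: ip -> (mac, port) fixed by local policy (a DAI-like binding table).
    claims: for unlocked addresses, every (mac, port) seen claiming that ip.
    """

    def __init__(self, locked: dict):
        self.locked = dict(locked)
        self.claims = {}

    def decide(self, frame: bytes, port: str):
        reply = parse_arp_reply(frame)
        if reply is None:
            return "forward", "not an ARP reply; outside this policy"
        if reply.eth_src != reply.sender_mac:
            # DAI-style check: the frame's source must match the ARP sender address.
            return "drop", "Ethernet source != ARP sender hardware address"
        binding = self.locked.get(reply.sender_ip)
        if binding is not None:
            if binding == (reply.sender_mac, port):
                return "forward", "matches locked binding"
            return "drop", f"locked {reply.sender_ip} is bound to {binding}"
        seen = self.claims.setdefault(reply.sender_ip, set())
        claim = (reply.sender_mac, port)
        if not seen or claim in seen:
            seen.add(claim)
            return "forward", "unlocked address, no conflicting claim"
        seen.add(claim)
        # Unlocked and contested: a host that moved and a spoofer look the same here.
        # This model forwards and alerts; it neither drops nor replicates to all claimants.
        return "alert", f"{reply.sender_ip} now claimed by {sorted(seen)}"


def run_scenario() -> list:
    """Replay a constructed sequence of ARP replies and return the decisions."""
    gw, h2, h3 = "00:00:5e:00:01:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    q = "02:00:00:00:00:99"  # the host whose request is being answered
    policy = IngressArpPolicy(locked={"10.0.0.1": (gw, "p1")})
    frames = [
        (build_arp_reply(gw, gw, "10.0.0.1", q, "10.0.0.99"), "p1"),  # legitimate gateway
        (build_arp_reply(h3, h3, "10.0.0.1", q, "10.0.0.99"), "p3"),  # gateway spoof, other port
        (build_arp_reply(h3, gw, "10.0.0.1", q, "10.0.0.99"), "p1"),  # forged sender address
        (build_arp_reply(h2, h2, "10.0.0.2", q, "10.0.0.99"), "p2"),  # first claim, unlocked
        (build_arp_reply(h2, h2, "10.0.0.2", q, "10.0.0.99"), "p2"),  # same claimant again
        (build_arp_reply(h3, h3, "10.0.0.2", q, "10.0.0.99"), "p3"),  # conflicting claim
    ]
    return [policy.decide(f, p)[0] for f, p in frames]


if __name__ == "__main__":
    print(run_scenario())  # ['forward', 'drop', 'drop', 'forward', 'forward', 'alert']
```

The split between the locked table and the learned claims is the point: policy can make spoofing of the gateway address detectable at the ingress, while for everything else the rbridge can only observe that an address has appeared somewhere new, which is exactly the case Bill Sommerfeld raises.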