[rbridge] Updated charter

michsmit at cisco.com (Michael Smith) Sat, 29 January 2005 09:08 UTC

From: "michsmit at cisco.com"
Date: Sat, 29 Jan 2005 09:08:30 +0000
Subject: [rbridge] Updated charter
In-Reply-To: <1107009668.5576.3561.camel@unknown.hamachi.org>
Message-ID: <200501291707.BBL05541@mira-sjc5-f.cisco.com>
X-Date: Sat Jan 29 09:08:30 2005


> -----Original Message-----
> From: rbridge-bounces@postel.org 
> [mailto:rbridge-bounces@postel.org] On Behalf Of Bill Sommerfeld
> Sent: Saturday, January 29, 2005 6:41 AM
> To: Developing a hybrid router/bridge.
> Subject: Re: [rbridge] Updated charter
> 
> On Sat, 2005-01-29 at 05:08, marcelo bagnulo braun wrote:
> 
> > but, wouldn't this render trivial to sniff any communication across 
> > the whole bridged cloud?
> 
> Seems to me like the existing properties in the charter 
> (allow nodes to move at will; zero delay on new node 
> connection, etc) will already allow for relatively trivial 
> traffic hijacking, which, if anything, is worse than passive sniffing.
> 
> With both nodes getting the traffic you at least prevent that 
> denial-of-service.

Today, this is addressed in bridges using features such as 802.1X and
Cisco's Dynamic ARP Inspection.  Sending the ARP responses to all hosts
claiming a particular IP address (in other words, replicating the "bad"
traffic) looks to open a wide possibility of DDoS attacks to both the hosts
involved and especially the rbridges performing the replication.  IMHO, this
is functionality much better performed within the ingress rbridge rather
than the egress host. 

Michael

> 
> > i mean, i don't think it would be acceptable to substitute routers by 
> > rbridges if one of the costs is that anyone can sniff any 
> > communication....
> 
> I want it to be acceptable to replace bridges with rbridges; 
> I don't think it will be acceptable to do that if you can 
> spoof arp undetectably.
> 
> And nothing prevents the rbridge from locking down certain 
> addresses when local policy says to.
> 
> 							- Bill
> 
> _______________________________________________
> rbridge mailing list
> rbridge@postel.org
> http://www.postel.org/mailman/listinfo/rbridge
From sommerfeld at sun.com  Sat Jan 29 09:38:38 2005
From: sommerfeld at sun.com (Bill Sommerfeld)
Date: Sat Jan 29 09:40:26 2005
Subject: [rbridge] Updated charter
In-Reply-To: <200501291707.BBL05541@mira-sjc5-f.cisco.com>
References: <200501291707.BBL05541@mira-sjc5-f.cisco.com>
Message-ID: <1107020317.5576.3860.camel@unknown.hamachi.org>

On Sat, 2005-01-29 at 12:07, Michael Smith wrote:

> Sending the ARP responses to all hosts
> claiming a particular IP address (in other words, replicating the "bad"
> traffic) 

If the rbridge has a reliable way to tell a "good arp" from a "bad arp", it
should definitely not forward the "bad" ones.  

What should it do when it can't tell?   If you allow for mobility 
and unmanaged operation, you're going to have to allow for addresses to pop
up at perhaps unexpected places, and *that* is what will cause DoS potential.

> IMHO, this
> is functionality much better performed within the ingress rbridge rather
> than the egress host. 

Perhaps if all switches and hosts are under the same administration and
the network admins are good enough to tell host admins that their switches detected this anomalous behavior....

But that presumes a state of organizational and operational harmony between
network and host administrators that I have rarely encountered in the
production networks I'm familiar with.

						- Bill
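The decision logic the two posts above argue over (pin addresses where local policy says so, learn elsewhere, and bound the replication that Michael warns about) as an added Python sketch; it is not code from either poster or from the rbridge work, and the pinned bindings, claimant cap and sample ARP replies are constructed for the example:

```python
from collections import defaultdict

# Constructed for this example: admin-locked IP -> MAC bindings ("locking down
# certain addresses") and a cap on how many conflicting claimants get replies.
PINNED = {"10.0.0.1": "00:00:5e:00:53:01"}
MAX_CLAIMANTS = 2


class ArpInspector:
    """Classify ARP replies seen at an ingress rbridge as forward/flag/drop."""

    def __init__(self, pinned=PINNED, max_claimants=MAX_CLAIMANTS):
        self.pinned = dict(pinned)
        self.max_claimants = max_claimants
        self.claimants = defaultdict(set)  # ip -> MACs that have claimed it
        self.audit = []                    # (ip, mac, port, decision, reason)

    def inspect(self, ip, mac, port):
        decision, reason = self._decide(ip, mac)
        self.audit.append((ip, mac, port, decision, reason))
        return decision

    def _decide(self, ip, mac):
        # Reliable signal available: a pinned binding lets us tell good from bad.
        if ip in self.pinned:
            if self.pinned[ip] == mac:
                return "forward", "matches pinned binding"
            return "drop", "conflicts with pinned binding"
        # No policy for this IP: learn the claim. A known MAC reappearing on a
        # new port is mobility, not a conflict, so the claimant count stays 1.
        self.claimants[ip].add(mac)
        n = len(self.claimants[ip])
        if n == 1:
            return "forward", "sole claimant"
        if n <= self.max_claimants:
            return "flag", f"{n} MACs claim this IP; forwarded, operator alerted"
        return "drop", f"{n} claimants exceeds cap; replication stopped"


def run_sample():
    """Replay constructed ARP replies (ip, mac, ingress port); return decisions."""
    replies = [
        ("10.0.0.1", "00:00:5e:00:53:01", "p1"),  # legitimate pinned host
        ("10.0.0.1", "00:00:5e:00:53:99", "p7"),  # conflicts with pinned entry
        ("10.0.0.5", "00:00:5e:00:53:05", "p2"),  # first claim, unmanaged IP
        ("10.0.0.5", "00:00:5e:00:53:05", "p3"),  # same host moved ports
        ("10.0.0.5", "00:00:5e:00:53:06", "p4"),  # second claimant: ambiguous
        ("10.0.0.5", "00:00:5e:00:53:07", "p5"),  # third claimant: over the cap
    ]
    insp = ArpInspector()
    return [insp.inspect(*r) for r in replies]
```

The "flag" outcome is the "can't tell" case Bill raises: the reply is still forwarded so mobility works, but the conflict is recorded in `audit` for the operator, and the cap keeps the rbridge from replicating to an unbounded set of claimants.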