Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)

"Susan Hares" <> Thu, 06 July 2017 10:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 848BE127241; Thu, 6 Jul 2017 03:12:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.946
X-Spam-Status: No, score=0.946 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MhuovpX4UdfQ; Thu, 6 Jul 2017 03:12:50 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A626E12702E; Thu, 6 Jul 2017 03:12:49 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=;
From: Susan Hares <>
To: 'Eric Rescorla' <>, 'The IESG' <>
References: <>
In-Reply-To: <>
Date: Thu, 06 Jul 2017 06:06:57 -0400
Message-ID: <004201d2f63f$9ad86090$d08921b0$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0043_01D2F61E.13CEFDF0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG2C0XqA3D6Dqxt00xKejUXJSUYyKKAYDQw
Content-Language: en-us
Archived-At: <>
Subject: Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Jul 2017 10:12:52 -0000



Thank you for your comments and questions.  The text of this email requests clarification on your discuss so that I may aid the authors in adjusting the draft.   I have included my question inline below.


Sue Hares


-----Original Message-----

From: Eric Rescorla [] 

Sent: Wednesday, July 5, 2017 7:39 AM

To: The IESG


Subject: Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)


Eric Rescorla has entered the following ballot position for

draft-ietf-trill-arp-optimization-08: Discuss


When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)



Please refer to

for more information about IESG DISCUSS and COMMENT positions.



The document, along with other ballot positions, can be found here:








> It's not clear to me how the security properties of this mechanism compare to existing TRILL. The text says:


>  Unless Secure ND (SEND [RFC3971]) is used, ARP and ND messages can be

>  easily forged. Therefore the learning of MAC/IP addresses by RBridges

> from ARP/ND should not be considered as reliable. See Section 4.1 for

>  SEND Considerations.


> "not considered as reliable" seems suboptimal. You need to cover how this mechanism compares to the non-use of this mechanism.


Question 1:  Are you asking how the "ARP/ND" is unreliable?  Is this not documented adequately in the SEND documentation? 

Are you asking why the learning of MAC/IP addresses by the RBRIDGE using ARP/ND is not reliable in addition to the issues raised by the SEND document?   


> This document seems very sketchy on what you do when you get duplicate IPs.


>  In the case where the former owner replies, a Duplicate Address has

> been detected. In this case the querying RBridge SHOULD log the

>  duplicate so that the network administrator can take appropriate

> action.


> How does logging solve the problem?

Question 2: Logging allows the network management systems to detect the problem, and determine if SEND should be used or if other security measures should be taken.  Are you looking for other mechanisms outside of SEND? 


> What do you reply to ARPs with and/or propagate to other nodes? 

> Do you tell the originator of the advertisement you have a duplicate?


Question 3: Are you specifically asking about the reply to duplicate address detection ARPs in the first question?  Are you looking for a specific answer to second part of this question.  In my understanding of security (which is limited compared to yours), I would not recommend responding to the originator of the advertisement that there is a duplicate since this might aid attacks on the valid originator.   

Can you provide additional input on what you'd like to see here?  



> When a newly connected end-station exchanges messages with a DHCP

>  [RFC2131] server an edge RBridge should snoop them (mainly the

>  DHCPAck message) and store IP/MAC mapping information in its ARP/ND

>  cache and should also send the information out through the TRILL

>  control plane using ESADI.


What happens if the attacker sets up a fake DHCP server and pretends to assign addresses to himself? It seems like maybe that's the same as fake ARPs but maybe not.


In general, the security considerations need a complete threat analysis per 3552.


Question 4: Can you provide someone from the SEC-DIR to provide a review for a threat analysis per RFC3552.  








S 2.


   plane on the edge RBridges, it should be possible to completely

   suppress flooding of ARP/ND messages in a TRILL Campus, When all end-

   station MAC addresses are similarly known, it should be possible to

   suppress unknown unicast flooding by dropping any unknown unicast

   received at an edge RBridge.


Are these "should be possibles" normative? Descriptive?


S 4.

This is a sequence of steps, so it would be nice to preface them with a list of the steps. It's also odd to have SEND considerations right in the middle here.



4.3 Get Sender's IP/MAC Mapping Information for Non-zero IP Please explain what a non-zero IP is and why it's relevant.

This graf also needs an introductory sentence or something before the bullets.



S 4.4.

   It is not essential that all RBridges use the same strategy for which

   option to select for a particular ARP/ND query. It is up to the



This seems inconsistent with the MUST in arm (b) below, because I can just take some other arm. It's also kind of surprising to be this non-prescriptive.



S 8.

   some other location (MAC/VM Mobility) and gets connected to egde-


Nit: edge is mispelled.