IETF Logo Mail Archive

Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 06 July 2017 20:52 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16460131963 for <trill@ietfa.amsl.com>; Thu, 6 Jul 2017 13:52:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9XbG19s87245 for <trill@ietfa.amsl.com>; Thu, 6 Jul 2017 13:52:06 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43886131967 for <trill@ietf.org>; Thu, 6 Jul 2017 13:52:02 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id v193so6143494ywg.2 for <trill@ietf.org>; Thu, 06 Jul 2017 13:52:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6c4MDjwRsnKABGeJlcOvzhplJkM40YmNu79TGP0B8Wk=; b=OmTn05ZKKUcdaIFBDW7MKpaf6ARcbnLU2YjXiIDXQ6usnw9BQmsXOJiCqq+Md2bJoP 0CXDGP89vb+k3zioQG9ZkD6OjF0buQcGDkrCJTJpPKEeqGL3usATJr8P2gH2Y1ecl9Wb b8Q2poH1pU8zZbtqhdjB1VOpJ+GqhfUTGW0kRmVldJ3EWF/TfVVnqjINNuUSjbSVXx9M 1TEaICXnfjPLOCFtp+CSO/bXKWencjNZ1HHRg7VUp0QjNIRuBxONWQ11K6x/KhS1XGJz L6Ufc3Oz9BorStfExbAwxGonoC029VunCjjcKH6zOhcbwk8qwuRsDE/MwDQsrmSFtff9 /cRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6c4MDjwRsnKABGeJlcOvzhplJkM40YmNu79TGP0B8Wk=; b=TUoLN9thkxCmPLV+YFVyKlBYejF12i3j3YRyHAbXhooCnoSsHyPLxx7370AMU5NS7e /4QkYk1t9JlBI1FXBU7fGGX/r59WSRY5/2IcW3OxJ1aBJxzje0u11qU2E5526O1cbliW fyufTsxzJE0HTkeGJyMSlQdkwgzjZQ9mMUvoU8YE7rPtFrjTZKptMRUBHU3HqBJtg4xR BQ8CPPDC2OX03vpI3We+SVapksECD3NNFsDc6DU6Zgr7k5tOFPMHBT+4kAaMWipQSQwd +ns6fbsi+rbnhcCnm3VtowILL+9Dz4KnnAU9eE5KN6fbnKJURN/to4sQnhQq+U+UBewn 5QzQ==
X-Gm-Message-State: AKS2vOzdUjPfSwUfnS7V9Zk80ZZDDzhW4PfffnwXWRS2cH9h+8lgSLnr RV0cqZVYcnxpFWW7RRfm1xNNV6L/bfj9
X-Received: by 10.129.109.206 with SMTP id i197mr33396754ywc.24.1499374321497; Thu, 06 Jul 2017 13:52:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.9 with HTTP; Thu, 6 Jul 2017 13:51:21 -0700 (PDT)
In-Reply-To: <00d601d2f692$748f9270$5daeb750$@ndzh.com>
References: <149925473455.19397.5891341140635090367.idtracker@ietfa.amsl.com> <004201d2f63f$9ad86090$d08921b0$@ndzh.com> <CABcZeBN-kTD5mDv+nGp_iLrv7G1L=37ty8QvZ19OuyfyUoC6FQ@mail.gmail.com> <00d601d2f692$748f9270$5daeb750$@ndzh.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 06 Jul 2017 13:51:21 -0700
Message-ID: <CABcZeBMufqtMHvkLGrW3h41W5wZYgNC4ZMvYkkWojB3mFmWEqw@mail.gmail.com>
To: Susan Hares <shares@ndzh.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-trill-arp-optimization@ietf.org, trill-chairs@ietf.org, skh@ndzh.com, trill@ietf.org
Content-Type: multipart/alternative; boundary="001a114dd266d18a480553ac49c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/f4fwIU4qB_OjDIv2jwfmIQ6suww>
Subject: Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jul 2017 20:52:08 -0000

On Thu, Jul 6, 2017 at 1:00 PM, Susan Hares <shares@ndzh.com> wrote:

> Eric:
>
>
>
> Thank you for your answers.   I will investigate the issues further and
> work with the authors to suggest some text.  May I or the authors follow up
> with additional questions?
>

Please. Let me know if I can help, elaborate, etc.

-Ekr


>
>
> Sue
>
>
>
> *From:* Eric Rescorla [mailto:ekr@rtfm.com]
> *Sent:* Thursday, July 6, 2017 9:06 AM
> *To:* Susan Hares
> *Cc:* The IESG; draft-ietf-trill-arp-optimization@ietf.org;
> trill-chairs@ietf.org; skh@ndzh.com; trill@ietf.org
> *Subject:* Re: Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08:
> (with DISCUSS and COMMENT)
>
>
>
>
>
>
>
> On Thu, Jul 6, 2017 at 3:06 AM, Susan Hares <shares@ndzh.com> wrote:
>
> Eric:
>
>
>
> Thank you for your comments and questions.  The text of this email
> requests clarification on your discuss so that I may aid the authors in
> adjusting the draft.   I have included my question inline below.
>
>
>
> Sue Hares
>
>
>
> -----Original Message-----
>
> From: Eric Rescorla [mailto:ekr@rtfm.com <ekr@rtfm.com>]
>
> Sent: Wednesday, July 5, 2017 7:39 AM
>
> To: The IESG
>
> Cc: draft-ietf-trill-arp-optimization@ietf.org; trill-chairs@ietf.org;
> skh@ndzh.com; trill@ietf.org
>
> Subject: Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08:
> (with DISCUSS and COMMENT)
>
>
>
> Eric Rescorla has entered the following ballot position for
>
> draft-ietf-trill-arp-optimization-08: Discuss
>
>
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
>
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>
> for more information about IESG DISCUSS and COMMENT positions.
>
>
>
>
>
> The document, along with other ballot positions, can be found here:
>
> https://datatracker.ietf.org/doc/draft-ietf-trill-arp-optimization/
>
>
>
>
>
>
>
> ----------------------------------------------------------------------
>
> DISCUSS:
>
> ----------------------------------------------------------------------
>
>
>
> > It's not clear to me how the security properties of this mechanism
> compare to existing TRILL. The text says:
>
> >
>
> >  Unless Secure ND (SEND [RFC3971]) is used, ARP and ND messages can be
>
> >  easily forged. Therefore the learning of MAC/IP addresses by RBridges
>
> > from ARP/ND should not be considered as reliable. See Section 4.1 for
>
> >  SEND Considerations.
>
>
>
> > "not considered as reliable" seems suboptimal. You need to cover how
> this mechanism compares to the non-use of this mechanism.
>
>
>
> Question 1:  Are you asking how the "ARP/ND" is unreliable?  Is this not
> documented adequately in the SEND documentation?
>
> Are you asking why the learning of MAC/IP addresses by the RBRIDGE using
> ARP/ND is not reliable in addition to the issues raised by the SEND
> document?
>
> Sorry, no. I'm saying that "not be considered reliable" is not
> operationalizable by
>
> the implementor. What are they supposed to do with information which is not
>
> reliable? More specifically, what is their security posture if they use
> the mechanism
>
> documented in this document versus if they do not?
>
>
>
> > How does logging solve the problem?
>
> Question 2: Logging allows the network management systems to detect the
> problem, and determine if SEND should be used or if other security measures
> should be taken.  Are you looking for other mechanisms outside of SEND?
>
>
>
> This seems like it's of limited use if this actually is an attack. My
> experience
>
> with logging systems is that people don't check their logs very often
> unless
>
> they see a lot of errors. I've certainly seen duplicate IPs in small
> networks
>
> plenty of times, and I just ignore them. I assume others do as well.
>
>
>
> > What do you reply to ARPs with and/or propagate to other nodes?
>
> > Do you tell the originator of the advertisement you have a duplicate?
>
>
>
> Question 3: Are you specifically asking about the reply to duplicate
> address detection ARPs in the first question?  Are you looking for a
> specific answer to second part of this question.  In my understanding of
> security (which is limited compared to yours), I would not recommend
> responding to the originator of the advertisement that there is a duplicate
> since this might aid attacks on the valid originator.
>
> Can you provide additional input on what you'd like to see here?
>
> I think the spec should take a position on how the implementation should
> behave when
>
> it encounters this situation. My general concern here is that you have a
> mechanism
>
> which has a known security vulnerability but the spec is pretty silent on
> how you should
>
> handle it when you have signs that it is being exploited.
>
>
>
>
>
>
>
> > When a newly connected end-station exchanges messages with a DHCP
>
> >  [RFC2131] server an edge RBridge should snoop them (mainly the
>
> >  DHCPAck message) and store IP/MAC mapping information in its ARP/ND
>
> >  cache and should also send the information out through the TRILL
>
> >  control plane using ESADI.
>
>
>
> What happens if the attacker sets up a fake DHCP server and pretends to
> assign addresses to himself? It seems like maybe that's the same as fake
> ARPs but maybe not.
>
>
>
> In general, the security considerations need a complete threat analysis
> per 3552.
>
>
>
> Question 4: Can you provide someone from the SEC-DIR to provide a review
> for a threat analysis per RFC3552.
>
> It's probably easier if I review it. If you're looking for a collaborator,
> let me know and I'll see who I can round up.
>
>
>
> -Ekr
>
>
>
>
>
>
>
>
>
> ----------------------------------------------------------------------
>
> COMMENT:
>
> ----------------------------------------------------------------------
>
>
>
> S 2.
>
>
>
>    plane on the edge RBridges, it should be possible to completely
>
>    suppress flooding of ARP/ND messages in a TRILL Campus, When all end-
>
>    station MAC addresses are similarly known, it should be possible to
>
>    suppress unknown unicast flooding by dropping any unknown unicast
>
>    received at an edge RBridge.
>
>
>
> Are these "should be possibles" normative? Descriptive?
>
>
>
> S 4.
>
> This is a sequence of steps, so it would be nice to preface them with a
> list of the steps. It's also odd to have SEND considerations right in the
> middle here.
>
>
>
>
>
> 4.3 Get Sender's IP/MAC Mapping Information for Non-zero IP Please explain
> what a non-zero IP is and why it's relevant.
>
> This graf also needs an introductory sentence or something before the
> bullets.
>
>
>
>
>
> S 4.4.
>
>    It is not essential that all RBridges use the same strategy for which
>
>    option to select for a particular ARP/ND query. It is up to the
>
>    implementation.
>
>
>
> This seems inconsistent with the MUST in arm (b) below, because I can just
> take some other arm. It's also kind of surprising to be this
> non-prescriptive.
>
>
>
>
>
> S 8.
>
>    some other location (MAC/VM Mobility) and gets connected to egde-
>
>
>
> Nit: edge is mispelled.
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email