Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 06 July 2017 20:52 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16460131963 for <trill@ietfa.amsl.com>; Thu, 6 Jul 2017 13:52:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9XbG19s87245 for <trill@ietfa.amsl.com>; Thu, 6 Jul 2017 13:52:06 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43886131967 for <trill@ietf.org>; Thu, 6 Jul 2017 13:52:02 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id v193so6143494ywg.2 for <trill@ietf.org>; Thu, 06 Jul 2017 13:52:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6c4MDjwRsnKABGeJlcOvzhplJkM40YmNu79TGP0B8Wk=; b=OmTn05ZKKUcdaIFBDW7MKpaf6ARcbnLU2YjXiIDXQ6usnw9BQmsXOJiCqq+Md2bJoP 0CXDGP89vb+k3zioQG9ZkD6OjF0buQcGDkrCJTJpPKEeqGL3usATJr8P2gH2Y1ecl9Wb b8Q2poH1pU8zZbtqhdjB1VOpJ+GqhfUTGW0kRmVldJ3EWF/TfVVnqjINNuUSjbSVXx9M 1TEaICXnfjPLOCFtp+CSO/bXKWencjNZ1HHRg7VUp0QjNIRuBxONWQ11K6x/KhS1XGJz L6Ufc3Oz9BorStfExbAwxGonoC029VunCjjcKH6zOhcbwk8qwuRsDE/MwDQsrmSFtff9 /cRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6c4MDjwRsnKABGeJlcOvzhplJkM40YmNu79TGP0B8Wk=; b=TUoLN9thkxCmPLV+YFVyKlBYejF12i3j3YRyHAbXhooCnoSsHyPLxx7370AMU5NS7e /4QkYk1t9JlBI1FXBU7fGGX/r59WSRY5/2IcW3OxJ1aBJxzje0u11qU2E5526O1cbliW fyufTsxzJE0HTkeGJyMSlQdkwgzjZQ9mMUvoU8YE7rPtFrjTZKptMRUBHU3HqBJtg4xR BQ8CPPDC2OX03vpI3We+SVapksECD3NNFsDc6DU6Zgr7k5tOFPMHBT+4kAaMWipQSQwd +ns6fbsi+rbnhcCnm3VtowILL+9Dz4KnnAU9eE5KN6fbnKJURN/to4sQnhQq+U+UBewn 5QzQ==
X-Gm-Message-State: AKS2vOzdUjPfSwUfnS7V9Zk80ZZDDzhW4PfffnwXWRS2cH9h+8lgSLnr RV0cqZVYcnxpFWW7RRfm1xNNV6L/bfj9
X-Received: by 10.129.109.206 with SMTP id i197mr33396754ywc.24.1499374321497; Thu, 06 Jul 2017 13:52:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.9 with HTTP; Thu, 6 Jul 2017 13:51:21 -0700 (PDT)
In-Reply-To: <00d601d2f692$748f9270$5daeb750$@ndzh.com>
References: <149925473455.19397.5891341140635090367.idtracker@ietfa.amsl.com> <004201d2f63f$9ad86090$d08921b0$@ndzh.com> <CABcZeBN-kTD5mDv+nGp_iLrv7G1L=37ty8QvZ19OuyfyUoC6FQ@mail.gmail.com> <00d601d2f692$748f9270$5daeb750$@ndzh.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 06 Jul 2017 13:51:21 -0700
Message-ID: <CABcZeBMufqtMHvkLGrW3h41W5wZYgNC4ZMvYkkWojB3mFmWEqw@mail.gmail.com>
To: Susan Hares <shares@ndzh.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-trill-arp-optimization@ietf.org, trill-chairs@ietf.org, skh@ndzh.com, trill@ietf.org
Content-Type: multipart/alternative; boundary="001a114dd266d18a480553ac49c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/f4fwIU4qB_OjDIv2jwfmIQ6suww>
Subject: Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jul 2017 20:52:08 -0000
On Thu, Jul 6, 2017 at 1:00 PM, Susan Hares <shares@ndzh.com> wrote: > Eric: > > > > Thank you for your answers. I will investigate the issues further and > work with the authors to suggest some text. May I or the authors follow up > with additional questions? > Please. Let me know if I can help, elaborate, etc. -Ekr > > > Sue > > > > *From:* Eric Rescorla [mailto:ekr@rtfm.com] > *Sent:* Thursday, July 6, 2017 9:06 AM > *To:* Susan Hares > *Cc:* The IESG; draft-ietf-trill-arp-optimization@ietf.org; > trill-chairs@ietf.org; skh@ndzh.com; trill@ietf.org > *Subject:* Re: Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: > (with DISCUSS and COMMENT) > > > > > > > > On Thu, Jul 6, 2017 at 3:06 AM, Susan Hares <shares@ndzh.com> wrote: > > Eric: > > > > Thank you for your comments and questions. The text of this email > requests clarification on your discuss so that I may aid the authors in > adjusting the draft. I have included my question inline below. > > > > Sue Hares > > > > -----Original Message----- > > From: Eric Rescorla [mailto:ekr@rtfm.com <ekr@rtfm.com>] > > Sent: Wednesday, July 5, 2017 7:39 AM > > To: The IESG > > Cc: draft-ietf-trill-arp-optimization@ietf.org; trill-chairs@ietf.org; > skh@ndzh.com; trill@ietf.org > > Subject: Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: > (with DISCUSS and COMMENT) > > > > Eric Rescorla has entered the following ballot position for > > draft-ietf-trill-arp-optimization-08: Discuss > > > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-trill-arp-optimization/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > > It's not clear to me how the security properties of this mechanism > compare to existing TRILL. The text says: > > > > > > Unless Secure ND (SEND [RFC3971]) is used, ARP and ND messages can be > > > easily forged. Therefore the learning of MAC/IP addresses by RBridges > > > from ARP/ND should not be considered as reliable. See Section 4.1 for > > > SEND Considerations. > > > > > "not considered as reliable" seems suboptimal. You need to cover how > this mechanism compares to the non-use of this mechanism. > > > > Question 1: Are you asking how the "ARP/ND" is unreliable? Is this not > documented adequately in the SEND documentation? > > Are you asking why the learning of MAC/IP addresses by the RBRIDGE using > ARP/ND is not reliable in addition to the issues raised by the SEND > document? > > Sorry, no. I'm saying that "not be considered reliable" is not > operationalizable by > > the implementor. What are they supposed to do with information which is not > > reliable? More specifically, what is their security posture if they use > the mechanism > > documented in this document versus if they do not? > > > > > How does logging solve the problem? > > Question 2: Logging allows the network management systems to detect the > problem, and determine if SEND should be used or if other security measures > should be taken. Are you looking for other mechanisms outside of SEND? > > > > This seems like it's of limited use if this actually is an attack. My > experience > > with logging systems is that people don't check their logs very often > unless > > they see a lot of errors. I've certainly seen duplicate IPs in small > networks > > plenty of times, and I just ignore them. I assume others do as well. > > > > > What do you reply to ARPs with and/or propagate to other nodes? > > > Do you tell the originator of the advertisement you have a duplicate? > > > > Question 3: Are you specifically asking about the reply to duplicate > address detection ARPs in the first question? Are you looking for a > specific answer to second part of this question. In my understanding of > security (which is limited compared to yours), I would not recommend > responding to the originator of the advertisement that there is a duplicate > since this might aid attacks on the valid originator. > > Can you provide additional input on what you'd like to see here? > > I think the spec should take a position on how the implementation should > behave when > > it encounters this situation. My general concern here is that you have a > mechanism > > which has a known security vulnerability but the spec is pretty silent on > how you should > > handle it when you have signs that it is being exploited. > > > > > > > > > When a newly connected end-station exchanges messages with a DHCP > > > [RFC2131] server an edge RBridge should snoop them (mainly the > > > DHCPAck message) and store IP/MAC mapping information in its ARP/ND > > > cache and should also send the information out through the TRILL > > > control plane using ESADI. > > > > What happens if the attacker sets up a fake DHCP server and pretends to > assign addresses to himself? It seems like maybe that's the same as fake > ARPs but maybe not. > > > > In general, the security considerations need a complete threat analysis > per 3552. > > > > Question 4: Can you provide someone from the SEC-DIR to provide a review > for a threat analysis per RFC3552. > > It's probably easier if I review it. If you're looking for a collaborator, > let me know and I'll see who I can round up. > > > > -Ekr > > > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > S 2. > > > > plane on the edge RBridges, it should be possible to completely > > suppress flooding of ARP/ND messages in a TRILL Campus, When all end- > > station MAC addresses are similarly known, it should be possible to > > suppress unknown unicast flooding by dropping any unknown unicast > > received at an edge RBridge. > > > > Are these "should be possibles" normative? Descriptive? > > > > S 4. > > This is a sequence of steps, so it would be nice to preface them with a > list of the steps. It's also odd to have SEND considerations right in the > middle here. > > > > > > 4.3 Get Sender's IP/MAC Mapping Information for Non-zero IP Please explain > what a non-zero IP is and why it's relevant. > > This graf also needs an introductory sentence or something before the > bullets. > > > > > > S 4.4. > > It is not essential that all RBridges use the same strategy for which > > option to select for a particular ARP/ND query. It is up to the > > implementation. > > > > This seems inconsistent with the MUST in arm (b) below, because I can just > take some other arm. It's also kind of surprising to be this > non-prescriptive. > > > > > > S 8. > > some other location (MAC/VM Mobility) and gets connected to egde- > > > > Nit: edge is mispelled. > > > > > > >
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- [trill] Eric Rescorla's Discuss on draft-ietf-tri… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Susan Hares
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Susan Hares
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla