Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 06 July 2017 13:07 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A653713163C for <trill@ietfa.amsl.com>; Thu, 6 Jul 2017 06:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvLZzbbrQxqN for <trill@ietfa.amsl.com>; Thu, 6 Jul 2017 06:07:08 -0700 (PDT)
Received: from mail-yb0-x235.google.com (mail-yb0-x235.google.com [IPv6:2607:f8b0:4002:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43ACF131739 for <trill@ietf.org>; Thu, 6 Jul 2017 06:07:05 -0700 (PDT)
Received: by mail-yb0-x235.google.com with SMTP id 84so542624ybe.0 for <trill@ietf.org>; Thu, 06 Jul 2017 06:07:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kS5znJkh3QngGP/93vA4FDyvZzkuEcZfficIkSFSOMY=; b=XPvDJVc4IfFdV3oD5D3eh3pOs5z87HlrecRyJGt35XLceC0qjg3QNSjVTgaJOh/nRi qvmokhEOc0qn3iFBMfMRIPMdLkc4TiztXoFFSQpoKZnUH+mHuUdUkpjJGYJ5UuLicIjh 2rc1RSln78jx++smcJUy57liB8o+zcv0PN4L3SyunylBpj3mV8pzqLtoknfUBAtZjYEu rpOY+q4jt34rFwiJLKPXXzOC29Kcy9ZsIjbEyRYlyhQRXVGcbair0t9VZUKzLcKRg04e Rj6zGEA5aRiXOM5BROcFJwBNSxuiKhvCtd6ipmMXMJ4Y9NjAruJSuprGgaKtLOdOSGsY Z2lQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kS5znJkh3QngGP/93vA4FDyvZzkuEcZfficIkSFSOMY=; b=c7PbksKUC76Q6O3p+gOTcsWHCEs4wffDyVF2N1QiAaGzOxc+G8e398xe9TEgkSSZMd F3YOnkHc2ycLGd/Gs03EU67gigo2kmw3N2Lx7iGDFfeqU1fwLfkBqXCykRRWXbLBAvkT 4pWyRqnhqJoHmcXoBZ2eTHesTU6/OsExK2TMj7I4XYMVqkzbq0duahpZmypCnxz20K2F RG9GKK8L6ADCwjx3y9euxlB0qPLonQiKj5Ni8WIR1dZ7fMowy9qN0y3bIzza0E350Yuo y3MZZj4rsohrWvbiNxFl+NRsxyRmncEs/t3ZLWpjRxmOFWgZ2CydEO+s+R7XUs4HTRjX Vffg==
X-Gm-Message-State: AIVw111Bt09URnhEqfeb9M/HI4FW4JQFhG7RCfZdY+I0Bq0p8iCSAPS+ jDImAmse43tbi0+mQFvtnrXJZvlLR5el
X-Received: by 10.37.48.67 with SMTP id w64mr96825ybw.89.1499346424217; Thu, 06 Jul 2017 06:07:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.9 with HTTP; Thu, 6 Jul 2017 06:06:23 -0700 (PDT)
In-Reply-To: <004201d2f63f$9ad86090$d08921b0$@ndzh.com>
References: <149925473455.19397.5891341140635090367.idtracker@ietfa.amsl.com> <004201d2f63f$9ad86090$d08921b0$@ndzh.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 06 Jul 2017 06:06:23 -0700
Message-ID: <CABcZeBN-kTD5mDv+nGp_iLrv7G1L=37ty8QvZ19OuyfyUoC6FQ@mail.gmail.com>
To: Susan Hares <shares@ndzh.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-trill-arp-optimization@ietf.org, trill-chairs@ietf.org, skh@ndzh.com, trill@ietf.org
Content-Type: multipart/alternative; boundary="001a114899c4030d5b0553a5cb0f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trill/y1kbBzcPzFDlE1tD6X0Y6yeVuhs>
Subject: Re: [trill] Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: (with DISCUSS and COMMENT)
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jul 2017 13:07:10 -0000
On Thu, Jul 6, 2017 at 3:06 AM, Susan Hares <shares@ndzh.com> wrote: > Eric: > > > > Thank you for your comments and questions. The text of this email > requests clarification on your discuss so that I may aid the authors in > adjusting the draft. I have included my question inline below. > > > > Sue Hares > > > > -----Original Message----- > > From: Eric Rescorla [mailto:ekr@rtfm.com <ekr@rtfm.com>] > > Sent: Wednesday, July 5, 2017 7:39 AM > > To: The IESG > > Cc: draft-ietf-trill-arp-optimization@ietf.org; trill-chairs@ietf.org; > skh@ndzh.com; trill@ietf.org > > Subject: Eric Rescorla's Discuss on draft-ietf-trill-arp-optimization-08: > (with DISCUSS and COMMENT) > > > > Eric Rescorla has entered the following ballot position for > > draft-ietf-trill-arp-optimization-08: Discuss > > > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-trill-arp-optimization/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > > It's not clear to me how the security properties of this mechanism > compare to existing TRILL. The text says: > > > > > > Unless Secure ND (SEND [RFC3971]) is used, ARP and ND messages can be > > > easily forged. Therefore the learning of MAC/IP addresses by RBridges > > > from ARP/ND should not be considered as reliable. See Section 4.1 for > > > SEND Considerations. > > > > > "not considered as reliable" seems suboptimal. You need to cover how > this mechanism compares to the non-use of this mechanism. > > > > Question 1: Are you asking how the "ARP/ND" is unreliable? Is this not > documented adequately in the SEND documentation? > > Are you asking why the learning of MAC/IP addresses by the RBRIDGE using > ARP/ND is not reliable in addition to the issues raised by the SEND > document? > Sorry, no. I'm saying that "not be considered reliable" is not operationalizable by the implementor. What are they supposed to do with information which is not reliable? More specifically, what is their security posture if they use the mechanism documented in this document versus if they do not? > > How does logging solve the problem? > > Question 2: Logging allows the network management systems to detect the > problem, and determine if SEND should be used or if other security measures > should be taken. Are you looking for other mechanisms outside of SEND? > This seems like it's of limited use if this actually is an attack. My experience with logging systems is that people don't check their logs very often unless they see a lot of errors. I've certainly seen duplicate IPs in small networks plenty of times, and I just ignore them. I assume others do as well. > > What do you reply to ARPs with and/or propagate to other nodes? > > > Do you tell the originator of the advertisement you have a duplicate? > > > > Question 3: Are you specifically asking about the reply to duplicate > address detection ARPs in the first question? Are you looking for a > specific answer to second part of this question. In my understanding of > security (which is limited compared to yours), I would not recommend > responding to the originator of the advertisement that there is a duplicate > since this might aid attacks on the valid originator. > > Can you provide additional input on what you'd like to see here? > I think the spec should take a position on how the implementation should behave when it encounters this situation. My general concern here is that you have a mechanism which has a known security vulnerability but the spec is pretty silent on how you should handle it when you have signs that it is being exploited. > > > > > > When a newly connected end-station exchanges messages with a DHCP > > > [RFC2131] server an edge RBridge should snoop them (mainly the > > > DHCPAck message) and store IP/MAC mapping information in its ARP/ND > > > cache and should also send the information out through the TRILL > > > control plane using ESADI. > > > > What happens if the attacker sets up a fake DHCP server and pretends to > assign addresses to himself? It seems like maybe that's the same as fake > ARPs but maybe not. > > > > In general, the security considerations need a complete threat analysis > per 3552. > > > > Question 4: Can you provide someone from the SEC-DIR to provide a review > for a threat analysis per RFC3552. > It's probably easier if I review it. If you're looking for a collaborator, let me know and I'll see who I can round up. -Ekr > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > S 2. > > > > plane on the edge RBridges, it should be possible to completely > > suppress flooding of ARP/ND messages in a TRILL Campus, When all end- > > station MAC addresses are similarly known, it should be possible to > > suppress unknown unicast flooding by dropping any unknown unicast > > received at an edge RBridge. > > > > Are these "should be possibles" normative? Descriptive? > > > > S 4. > > This is a sequence of steps, so it would be nice to preface them with a > list of the steps. It's also odd to have SEND considerations right in the > middle here. > > > > > > 4.3 Get Sender's IP/MAC Mapping Information for Non-zero IP Please explain > what a non-zero IP is and why it's relevant. > > This graf also needs an introductory sentence or something before the > bullets. > > > > > > S 4.4. > > It is not essential that all RBridges use the same strategy for which > > option to select for a particular ARP/ND query. It is up to the > > implementation. > > > > This seems inconsistent with the MUST in arm (b) below, because I can just > take some other arm. It's also kind of surprising to be this > non-prescriptive. > > > > > > S 8. > > some other location (MAC/VM Mobility) and gets connected to egde- > > > > Nit: edge is mispelled. > > > > >
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- [trill] Eric Rescorla's Discuss on draft-ietf-tri… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Susan Hares
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Susan Hares
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Donald Eastlake
- Re: [trill] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla