[rbridge] ARP proxying
Gray, Eric
Eric.Gray at marconi.com
Tue Dec 20 13:29:11 PST 2005
Joe,
Thanks for the explanation.
I will leave this to be argued by those who are strong proponents
of ARP/ND Optimization. I think the idea has value, but it is not my
battle.
However, in general, the trust model implicit in a bridged network
(and further implied by the zero-configuration objective) is one in which
it is likely that security mechanisms such as these are not used. Most
likely, ARP/ND Optimization can be turned on and off in those RBridges
that implement it.
In addition, since the RBridge enjoys a man-in-the-middle position,
it is likely that implementers may well implement some hack or another
to get around this.
--
Eric
--> -----Original Message-----
--> From: rbridge-bounces at postel.org
--> [mailto:rbridge-bounces at postel.org] On Behalf Of Joe Touch
--> Sent: Tuesday, December 20, 2005 3:58 PM
--> To: Developing a hybrid router/bridge.
--> Subject: Re: [rbridge] ARP proxying
-->
--> Gray, Eric wrote:
--> > Joe,
--> >
--> > Your references to RFC 3756 and RFC 3971 are just a bit opaque.
--> > Would you care to expand on what the relationship might be between what
--> > we're talking about and IPv6 neighbor discovery security issues?
-->
--> Sorry - of course.
-->
--> IPv6 ND has a variant which is intended to address security issues.
-->
--> RFC3756 describes the threat models, including replay issues.
-->
--> RFC3971 describes a Standards-Track protocol called SEND - secure ND,
--> one feature of which is to defeat replay attacks.
-->
--> The proposed behavior of DR rbridges in "ND optimization" would be
--> defeated by SEND, *unless* the DR had a copy of the keys used to
--> authenticate sources. A simple replay would be defeated.
-->
--> Joe