
Re: Comment: draft-ietf-isis-igp-p2p-over-lan-03

Russ,

  I agree the sentence doesn't make much sense as written.  It is
talking about the issue that's described a little better in this
paragraph from RFC 1027:

    If the IP networks of the source and target hosts of an ARP request
    are different, an ARP subnet gateway implementation should not
    reply.  This is to prevent the ARP subnet gateway from being used to
    reach foreign IP networks and thus possibly bypass security checks
    provided by IP gateways.

i.e. the "normal check" that he's talking about is "is this ARP for an
IP address that's on the subnet to which this interface is attached",
so that you don't cache an ARP entry for an arbitrary address that's
not normally on this subnet, with a MAC address pointing to an attacker.
You have to relax this check in the "unnumbered" case, since there is
no subnet (second paragraph of section 4.3).

  How about this for a revised final sentence?
"This is due to the fact that the normal ARP sanity check that the
address is on the same subnet as the interface on which it was received
cannot be applied in this case."

Thanks,
  Bill
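As an added illustration, not part of this message or of the draft, the "normal check" described above and its relaxation for unnumbered interfaces can be written as a small ARP validator in Python; the function names and the sample (RFC 5737 documentation) addresses are constructed for the example.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample frame body: an ARP reply (opcode 2) for Ethernet/IPv4."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                       mac(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    """Decode the 28-byte ARP body; reject anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper,
            "sha": sha.hex(":"), "spa": ipaddress.IPv4Address(spa),
            "tha": tha.hex(":"), "tpa": ipaddress.IPv4Address(tpa)}


def accept_arp_binding(interface_prefix, arp):
    """The sanity check from the message: only cache a sender IP -> MAC binding if the
    sender IP lies on the subnet configured on the receiving interface.

    interface_prefix is an IPv4Network for a numbered interface, or None for an
    unnumbered one. With no subnet configured there is nothing to compare against,
    so the check cannot be applied and the binding is accepted (the relaxation the
    draft needs for the unnumbered case)."""
    if interface_prefix is None:
        return True
    return arp["spa"] in interface_prefix


def check_frame(interface_prefix, payload):
    """Convenience wrapper: parse, then decide whether the binding may be cached."""
    return accept_arp_binding(interface_prefix, parse_arp(payload))
```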