Re: Layer 2 (stealth) firewalls - PBR?

["Darden, Patrick S." <darden () armc org>]

Layer 2, unlike IP, is on a flat fabric.  There are no routers, no routing protocols, it is bridged.  Every point on 
the fabric knows every other point on the fabric.  It is analogous to (in IP) having all your nodes on the same network 
(e.g. 128.5.5.0/24).  Basically, all they do is ARP/RARP.

Layer 2 PBR would, of necessity, have to change next hop address (which is destination address) and the next hop would 
have to change it back to the original.  And addresses in layer 2 are MACs (for ethernet that is).

There are certain kinda exceptions--proxy ARP/RARP is kinda routing if you extend the meaning of routing, and then you 
have STP for layer 2 failover, and/or bandwidth, and/or least cost routing of layer 2 frames--but again, this is only 
if you extend the meaning of routing....

I am treading on unfamiliar ground here, so I will readily admit it if I am wrong.  So far, none of us is familiar with 
layer 2 pbr so we are all using analogies with IP.  If anyone has hands-on, now would be a good time to pipe up and 
tell us how it is, instead of how we think it should be!

--Patrick Darden



-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
Darren Reed
Sent: Wednesday, April 02, 2008 5:20 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?


Not necessarily.
Layer 3 PBR doesn't change layer 3 addressing, so why would
layer 2 PBR change layer 2 addresses?

Granted it is hard to conceive of why people would do such a
thing, but people tend to want to do crazy things (like connect
to the Internet), so I thought I would ask if there were any
known, solid, use cases.

Darren

Darden, Patrick S. wrote:

> This would not be Layer 2 PBR.  This would be Layer 2 NAT of MACs.
> E.g. a frame hits the MAC-NAT with a destination MAC of 
> X, and your rule says if X is dest then rewrite the frame
> so it has dest MAC of Y instead.
>
> --p
>
> -----Original Message-----
> From: firewall-wizards-bounces () listserv icsalabs com
> [mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Sami
> Ghourabi
> Sent: Tuesday, April 01, 2008 11:28 AM
> To: 'Firewall Wizards Security Mailing List'; 'Firewall Wizards Security
> Mailing List'
> Subject: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
>
>
> Hi Darren,
>
> I had the same question a while ago during a firewall (Juniper Networks one)
> deployment for a customer. He had a proxy-cache and wanted to make it
> transparent to its user. I thought to use PBR to redirect internet traffic
> to the caching box, but it was impossible as the firewall was set as a
> bridge, the only solution I found was to put the proxy-cache inline.
>
> I think it would be useful to have some PBR at layer 2 (or PB Forwarding)
> for situations like this, where you have to redirect content to caching or
> inspection engine, perhaps some constructors have already implemented same
> mechanisms in their firewalls ?
>
> Regards,
>
> Sami.
>
> -----Message d'origine-----
> De : firewall-wizards-bounces () listserv icsalabs com
> [mailto:firewall-wizards-bounces () listserv icsalabs com] De la part de Darren
> Reed
> Envoyé : mardi 1 avril 2008 05:49
> À : Firewall Wizards Security Mailing List
> Objet : [fw-wiz] Layer 2 (stealth) firewalls - PBR?
>
> If I can interrupt the usual questions for some product requirements
> discovery....
>
> Over in the networking community on OpenSolaris.org, a couple of
> us are pondering the question of what it means to do policy based
> routing (PBR) at the ethernet (MAC) layer.
>
> For IP, the use case is well understood and people everywhere do
> it with firewall software, if only to make up for the inadequacies of
> their routing tables however when it comes to ethernet, we're kind
> of scratching our heads....so, some questions....
>
> Does running a stealth (bridging) firewall remove the need for PBR?
>
> Do people still do strange, quirky, things to packets even when they
> don't want them to go through IP?
>
> If you're using bridging to support your firewall (that still filters
> packets using IP header information), can you shed some light on
> why/when you want to send packets out a specific NIC regardless
> of what the forwarding table for the bridge says?
>
> Thanks,
> Darren
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards