Firewall Wizards mailing list archives

Re: Layer 2 (stealth) firewalls - PBR?


From: "Darden, Patrick S." <darden () armc org>
Date: Thu, 10 Apr 2008 08:00:08 -0400


(My answers below start with--.  This will be my last message on this 
thread unless someone adds something new.  Rehashing fundamental layer2 
is not interesting.)


No, just saying that I'm (a) aware of the differences in layers and (b) 
aware of when those differences are not treated as true boundaries.

--I don't think you are.  You do seem to be learning though.  My guess
is you are doing a lot of research in order to answer my "challenges",
although they haven't been personal up till now.  


I will refer you to RFC 4541, Considerations for Internet Group Management 
Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches. 
(May 2006)

Which says in part:

   In recent years, a number of commercial vendors have introduced
   products described as "IGMP snooping switches" to the market.  These
   devices do not adhere to the conceptual model that provides the
   strict separation of functionality between different communications
   layers in the ISO model, and instead utilize information in the upper
   level protocol headers as factors to be considered in processing at
   the lower levels.  This is analogous to the manner in which a router
   can act as a firewall by looking into the transport protocol's header
   before allowing a packet to be forwarded to its destination address.

   In the case of IP multicast traffic, an IGMP snooping switch provides
   the benefit of conserving bandwidth on those segments of the network
   where no node has expressed interest in receiving packets addressed
   to the group address.  This is in contrast to normal switch behavior
   where multicast traffic is typically forwarded on all interfaces.

   Many switch datasheets state support for IGMP snooping, but no
   recommendations for this exist today.  It is the authors' hope that
   the information presented in this document will supply this
   foundation.

...

   The suggestions in this document are based on IGMP, which applies
   only to IPv4.  For IPv6, Multicast Listener Discovery [MLD] must be
   used instead.  Because MLD is based on IGMP, we do not repeat the
   entire description and recommendations for MLD snooping switches.
   Instead, we point out the few cases where there are differences from
   IGMP.


--Paul, this is a layer 3 switch.  No wonder it can handle specialized 
layer 3 protocols.  Most L3 switches can handle certain circumstances
in specific ways to enhance or optimize them.  E.g. route once,
switch many....




but layer 2 devices such as NICs, hubs, bridges, and layer 2 switches do 
not rely on IP or any other layer 3 protocol whatsoever for forwarding.


So, you see switch vendors really are looking into layer 3 information for 
multicast traffic.  Enough so that someone thought "Hey, we should have an 
RFC to cover this!"


--Yes they are.  That's because there is a huge market for L3 switches.
Core switches had better be L3 these days.  


You seem to be conflating layer 3 multicast/broadcast/unicast Packets with 
broadcast/unicast Frames.  To begin with, packets are not frames, and 
layer 2 devices cannot interpret packets.

Perhaps I crossed frame and packet, I tend to do that from time to time, 
doesn't change the fact that the vendors are a' shipping it.

--Meh.



You state "They also have to forward layer 3 broadcasts out all ports in a 
LAN" which is patently false--if a 128 port layer 2 switch has 64 ports on 
10.0.0.0/24 and the other 64 ports on 10.1.0.0/24, then a broadcast sent 
to 10.0.0.0/24 will only hit the correct 64 ports.  The switch decides 

That's two LANs the way I've always counted it in terms of addressing 
unless you're supernetting on some devices and not on others, in which 
case you can count it several ways.  A dumb switch doesn't always know 
your mask either.  I think the algorithm for a dumb switch actually tends 
to be "if I don't know the destination MAC address, send it out all the 
ports," but I'd have to get some playtime to test it effectively.


--No no no.  And no.  Yes for the last sentence--that is the basic fundamental
function of an L2 switch; yes yes yes, you are getting it finally!



I think this is the problem.  You are confusing layer 2 unicast/broadcast 
frames with layer 3 unicast/multicast/broadcast packets.  Certainly layer 
2 devices do unicast and broadcast, but again NOT based on IP or any other 
layer 3 protocol.  Layer 2 Unicast and Broadcast are all in relation to 

No, I'm talking about both types, you're simply missing the case where the 
switch vendors are peeking up the stack.  Your refusal to acknowledge this blinds 
you, and causes you to misinterpret.

--I don't refuse to acknowledge it.  I just know the difference between an
L3 switch and an L2 switch.


IPv6 has nothing to do with layer 2.  I am going to completely ignore this 
statement.

Again, I'll point you to MLD snooping.  Again, I'll admit my term of 
"peeking" isn't the common "snooping" that seems to be vogue, but it's 
still there and it's still a factor in shipping hardware.

--Me chest thump now.  Do a search on ipv6 and my name.  You'll find I am
part of the public policy making body in ARIN for IPV6, and have been for
years.  Active too.  IPV6 is medium independent.  Neutral on layer 2.
As is ipv4: ethernet, token ring, atm (special case here, but mostly true),
etc. etc. etc.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
             http://www.fluiditgroup.com/blog/pdr/
           Art: http://PaulDRobertson.imagekind.com/
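As an added illustration, not part of either poster's message, the toy model below contrasts the two behaviours argued over in this thread: a MAC-only learning switch that floods a broadcast out every port no matter which IP subnet it was addressed to (it never reads the IP header, so it cannot know a mask), and an IGMP-snooping switch that reads the IGMP report and IP destination to prune multicast to interested ports, as the RFC 4541 excerpt describes. All MAC addresses, IP addresses and port numbers are constructed.

```python
# Toy model of the two forwarding behaviours argued over in this thread:
# a MAC-only learning switch and an IGMP-snooping switch. Constructed
# example; frames, MAC/IP addresses and port numbers are made up.
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: str = ""        # layer 3 field; a pure L2 switch never reads it
    igmp_report: str = ""   # group address when this carries an IGMP report

class L2Switch:
    """Learning bridge: forwards on MAC addresses only, no IP awareness."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}  # MAC -> port, learned from source addresses

    def forward(self, frame, in_port):
        self.mac_table[frame.src_mac] = in_port  # learn where src lives
        if frame.dst_mac == BROADCAST_MAC or frame.dst_mac not in self.mac_table:
            return sorted(self.ports - {in_port})  # flood: subnet mask unknown
        return [self.mac_table[frame.dst_mac]]  # known unicast: one port

def is_ipv4_multicast_mac(mac):
    return mac.lower().startswith("01:00:5e:")

class IgmpSnoopingSwitch(L2Switch):
    """Same bridge, but peeks at IGMP/IP to learn which ports want a group."""

    def __init__(self, ports):
        super().__init__(ports)
        self.group_ports = {}  # multicast group IP -> set of member ports

    def forward(self, frame, in_port):
        if frame.igmp_report:  # upper-layer info steering a lower-layer decision
            self.group_ports.setdefault(frame.igmp_report, set()).add(in_port)
            self.mac_table[frame.src_mac] = in_port
            return []  # toy: router ports (where reports are relayed) not modelled
        if is_ipv4_multicast_mac(frame.dst_mac):
            members = self.group_ports.get(frame.dst_ip, set()) - {in_port}
            return sorted(members)  # pruned to interested ports, not flooded
        return super().forward(frame, in_port)
```

Running the same multicast frame through both switches shows the plain bridge flooding it to every other port while the snooping switch delivers it only to the port that sent an IGMP report.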

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards