[rbridge] VLAN hopping: firewall on a stick

Donald Eastlake d3e3e3 at gmail.com
Sat Mar 14 11:10:20 PDT 2009


Hi,

On Fri, Mar 13, 2009 at 7:38 PM, Kris Price <trill at punk.co.nz> wrote:
> Hi,
>
> I asked about this last year, but at the time I was more interested in
> the use of MPLS. I'm hoping I am just misunderstanding something here,
> but my reading of TRILL is that it bypasses the configured policy, and
> enables a kind of VLAN hopping.
>
> Is it possible to send a frame with an inner VLAN tag across a link that
> does not ordinarily permit that VLAN tag?

Yes. It's a feature mentioned in a few places in the protocol draft.

The TRILL view, as stated in the draft, is that a VLAN represents a
layer 2 community and that all end stations in that VLAN within a
campus should be able to get to each other. Many people believe that
is the spirit of 802.1Q and is why, in 802.1Q, dynamic VLAN
registration is mandatory to implement and is the default for almost
all VLANs on almost all ports, so that all end stations in a VLAN are
connected. Anyway, if there are two or more islands of a particular
VLAN in a bridged network, replacing enough of the bridges with
RBridges will heal the partitioning of that VLAN.

> I'll try to explain with an overly-simplistic case.
>
> *Diagram*
>
>     Office floor : Server room
>     ------------ : -----------
>                  :
>   +---Sw1---+         +---Sw2---+
>   | [Vlan1]-|--Vlan1--|-[Vlan1] |
>   +---------+         | [Vlan2] |--dot1Q--[Firewall]
>                  :    +---------+
>                  :        |
>                  :      dot1Q
>                  :        |
>                  :    +---Sw3---+
>                  :    | [Vlan1] |
>                  :    | [Vlan2] |
>                  :    +---------+
>
> Traffic between VLAN 1 and VLAN 2 must go via the firewall.

I find your diagram very confusing. Does "dot1Q" in the middle of a
link mean that frames on that link are VLAN tagged? Does a list of
VLANs inside a box mean that the ports of that box which are shown
are configured to enable output of frames in that VLAN (except perhaps
for the horizontal link between Sw1 and Sw2, which has "Vlan 1" in the
middle of it, presumably meaning that the ports at both ends are
configured for VLAN 1 only)?

Is this Firewall an end station? Why do frames go to the firewall? Are
they addressed to it? Couldn't any end station connected to Sw2 or Sw3
do VLAN mapping on frames it receives?

> Sw3 is reaching EOL so a smart thinking engineer decides to replace with
> an RBridge. At first there is no problem because the engineer configures
> the RBridge to only allow the correct VLANs on the access ports. Traffic
> between VLAN 1 and VLAN 2 must still go via the firewall.

If you are replacing a bridge with an RBridge, of course you have to
do the same VLAN configuration on its ports as the bridge ports had.
And, unless you are using the optional RBridge VLAN mapping feature
(see draft-ietf-trill-rbridge-vlan-mapping-00.txt), you can only map
frames from one VLAN to another via an end station or by using port
configurations so a VLAN tag gets stripped on transmission and a
different tag added on receipt.

> An unscrupulous individual comes on the scene and connects an RBridge to
> Sw1 which is accessible, or simply emulates an RBridge on her PC, either
> way there are now two RBridges seeking each other out across VLAN 1. She
> can bypass the firewall to reach VLAN 2, sending packets via the RBridge
> that replaced Sw3.

I don't really understand what you mean by "reach VLAN 2". First of
all, if someone "unscrupulous" attaches a hardware or software RBridge
and you have no TRILL IS-IS security, you're pretty well screwed
anyway. See the Security Considerations section of the protocol
draft. Second, if you mean they can send a VLAN 1 frame that would be
delivered to a VLAN 2 end station which is attached to an RBridge port
where only VLAN 2 is enabled, I don't see why you think that. There
seems to be vast amounts of detail you are assuming and not
describing.

> Do I understand right?

Probably, although I'm not sure. Try looking at Sections 2.3, 4.1.2,
and 6.1 of draft-ietf-trill-rbridge-protocol-12.txt.

> Regards
> Kris

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-634-2066 (home)
 155 Beaver Street
 Milford, MA 01757 USA
 d3e3e3 at gmail.com
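The point Donald confirms at the top of the thread (an inner VLAN tag can cross a link that only carries a different VLAN) follows directly from how TRILL encapsulates frames. The following is an added example written for this archive page, not code from the thread, the rbridge working group, or any RBridge implementation. It builds a TRILL-encapsulated frame whose outer 802.1Q tag is VLAN 1 and whose inner (native) frame is tagged VLAN 2, runs it through a classic bridge-port filter that inspects only the outer tag, and then decapsulates it the way an egress RBridge would. Assumptions: the TRILL header layout is taken from RFC 6325 (the published form of the draft discussed here); the Ethertype 0x22F3, the nicknames 0x0003/0x0007, the MAC addresses in the 00:00:5E:00:53:xx documentation range, and the payload are all constructed for illustration.

```python
import struct

# Ethertypes. 0x22F3 is the TRILL Ethertype (RFC 6325); 0x8100 is 802.1Q.
ETH_P_8021Q = 0x8100
ETH_P_TRILL = 0x22F3
ETH_P_IPV4 = 0x0800


def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def vlan_tag(vid, pcp=0):
    """802.1Q tag: TPID 0x8100 followed by TCI (PCP:3, DEI:1, VID:12)."""
    return struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))


def ethernet_frame(dst, src, vid, ethertype, payload):
    """Ethernet frame with an optional 802.1Q tag (vid=None means untagged)."""
    header = mac(dst) + mac(src)
    if vid is not None:
        header += vlan_tag(vid)
    return header + struct.pack("!H", ethertype) + payload


def trill_header(egress_nick, ingress_nick, hop_count=0x3F, multi_dest=False):
    """RFC 6325 TRILL header, 6 bytes:
    V(2) R(2) M(1) Op-Length(5) Hop Count(6) | egress nickname | ingress nickname."""
    first = (int(multi_dest) << 11) | (0 << 6) | (hop_count & 0x3F)
    return struct.pack("!HHH", first, egress_nick, ingress_nick)


def trill_encapsulate(outer_dst, outer_src, outer_vid, egress_nick, ingress_nick, inner):
    """Outer Ethernet header + outer 802.1Q tag + 0x22F3 + TRILL header + inner frame.
    Transit bridges see only the outer tag; the inner tag is payload to them."""
    payload = trill_header(egress_nick, ingress_nick) + inner
    return ethernet_frame(outer_dst, outer_src, outer_vid, ETH_P_TRILL, payload)


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload offset) for one Ethernet frame."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, tci & 0x0FFF, ethertype, 18
    return dst, src, None, ethertype, 14


def bridge_port_permits(frame, allowed_vids):
    """Classic 802.1Q bridge-port egress filter: decides on the outer tag only."""
    _, _, vid, _, _ = parse_frame(frame)
    return vid in allowed_vids


def rbridge_decapsulate(frame):
    """Egress RBridge: strip outer Ethernet + TRILL header, return (inner frame, inner VID).
    Returns None if the frame is not TRILL-encapsulated."""
    _, _, _outer_vid, ethertype, offset = parse_frame(frame)
    if ethertype != ETH_P_TRILL:
        return None
    first = struct.unpack("!H", frame[offset:offset + 2])[0]
    op_length = (first >> 6) & 0x1F          # options are Op-Length * 4 bytes
    inner = frame[offset + 6 + 4 * op_length:]
    _, _, inner_vid, _, _ = parse_frame(inner)
    return inner, inner_vid


def demo():
    """Inner VLAN 2 frame carried across a link that permits only VLAN 1.
    Returns (transit bridge permits it, VID seen after decapsulation, inner intact)."""
    # Constructed native frame: VLAN 2, documentation MAC addresses, dummy payload.
    inner = ethernet_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", 2,
                           ETH_P_IPV4, b"constructed payload")
    # Constructed outer encapsulation: VLAN 1 on the wire, nicknames 3 (egress) and 7 (ingress).
    encap = trill_encapsulate("00:00:5e:00:53:11", "00:00:5e:00:53:10", 1, 0x0003, 0x0007, inner)
    permitted = bridge_port_permits(encap, {1})   # outer tag is VLAN 1, so the port passes it
    inner_out, inner_vid = rbridge_decapsulate(encap)
    return permitted, inner_vid, inner_out == inner


if __name__ == "__main__":
    print(demo())
```

The same VLAN 2 frame sent natively would be dropped by that VLAN-1-only port (`bridge_port_permits(inner, {1})` is False), which is exactly why the thread's concern reduces to who is allowed to be an RBridge on the campus: the outer tag is all a transit bridge checks, and the inner tag is honoured only at the egress RBridge, so IS-IS adjacency authentication (the Security Considerations section Donald points to) is the control that decides whether a rogue encapsulator is accepted at all.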
