Firewall Wizards mailing list archives
Re: Layer 2 (stealth) firewalls - PBR?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 8 Apr 2008 19:12:12 -0400 (EDT)
On Tue, 8 Apr 2008, Patrick Darden wrote:
> > I've been doing networking since the broadband/baseband LAN thing a long time ago, and I'm pretty cognizant of how it all works...
>
> Chest thumping. Gotchya.
No, just saying that I'm (a) aware of the differences in layers and (b) aware of when those differences are not treated as true boundaries.
> > Layer 2 devices like switches have to forward layer 3 multicast packets out ports for the multicast group, so they in essence have to peek up a layer even though they're not "routers, firewalls, etc." They also have to forward layer 3 broadcasts out all ports in a LAN or VLAN, once again without being "routers, firewalls, etc."
>
> Layer 2 devices forward based on MAC addresses. End of story. They do NOT peek up the stack. ARP/RARP bridges the gap between layer 2 and 3,
I will refer you to RFC 4541, Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches (May 2006), which says in part:

   In recent years, a number of commercial vendors have introduced products described as "IGMP snooping switches" to the market. These devices do not adhere to the conceptual model that provides the strict separation of functionality between different communications layers in the ISO model, and instead utilize information in the upper level protocol headers as factors to be considered in processing at the lower levels. This is analogous to the manner in which a router can act as a firewall by looking into the transport protocol's header before allowing a packet to be forwarded to its destination address.

   In the case of IP multicast traffic, an IGMP snooping switch provides the benefit of conserving bandwidth on those segments of the network where no node has expressed interest in receiving packets addressed to the group address. This is in contrast to normal switch behavior where multicast traffic is typically forwarded on all interfaces.

   Many switch datasheets state support for IGMP snooping, but no recommendations for this exist today. It is the authors' hope that the information presented in this document will supply this foundation.

   ...

   The suggestions in this document are based on IGMP, which applies only to IPv4. For IPv6, Multicast Listener Discovery [MLD] must be used instead. Because MLD is based on IGMP, we do not repeat the entire description and recommendations for MLD snooping switches. Instead, we point out the few cases where there are differences from IGMP.
> but layer 2 devices such as NICs, hubs, bridges, and layer 2 switches do not rely on IP or any other layer 3 protocol whatsoever for forwarding.
So, you see switch vendors really are looking into layer 3 information for multicast traffic. Enough so that someone thought "Hey, we should have an RFC to cover this!"
> You seem to be conflating layer 3 multicast/broadcast/unicast Packets with broadcast/unicast Frames. To begin with, packets are not frames, and layer 2 devices cannot interpret packets.
Perhaps I crossed frame and packet, I tend to do that from time to time, doesn't change the fact that the vendors are a' shipping it.
> You state "They also have to forward layer 3 broadcasts out all ports in a LAN" which is patently false--if a 128 port layer 2 switch has 64 ports on 10.0.0.0/24 and the other 64 ports on 10.1.0.0/24, then a broadcast sent to 10.0.0.0/24 will only hit the correct 64 ports. The switch decides
That's two LANs the way I've always counted it in terms of addressing unless you're supernetting on some devices and not on others, in which case you can count it several ways. A dumb switch doesn't always know your mask either. I think the algorithm for a dumb switch actually tends to be "if I don't know the destination MAC address, send it out all the ports," but I'd have to get some playtime to test it effectively.
> I think this is the problem. You are confusing layer 2 unicast/broadcast frames with layer 3 unicast/multicast/broadcast packets. Certainly layer 2 devices do unicast and broadcast, but again NOT based on IP or any other layer 3 protocol. Layer 2 Unicast and Broadcast are all in relation to
No, I'm talking about both types, you're simply missing the case where the switch vendors are peeking up the stack. Your refusal to acknowledge this blinds you, and causes you to misinterpret.
> IPv6 has nothing to do with layer 2. I am going to completely ignore this statement.
Again, I'll point you to MLD snooping. Again, I'll admit my term of "peeking" isn't the common "snooping" that seems to be vogue, but it's still there and it's still a factor in shipping hardware.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
http://www.fluiditgroup.com/blog/pdr/
Art: http://PaulDRobertson.imagekind.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
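As an added example (not from the original message, and not code from RFC 4541's authors or any switch vendor), here is a small Python model of the two behaviours argued about above: a plain learning switch that forwards on MAC addresses only and floods broadcast, multicast and unknown-unicast frames out every port of the VLAN regardless of IP subnet, and the same switch with IGMP snooping turned on, which reads the IPv4 and IGMP headers of the frames it bridges to build a group-to-port table as RFC 4541 describes. The hosts, MAC and IP addresses, port numbers and frames are constructed for the demonstration; the IPv4 checksum is left at zero because a bridge never validates it, and leave processing is simplified to an immediate "fast leave" rather than the group-specific query RFC 4541 recommends.

```python
import ipaddress
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
IPPROTO_IGMP = 2
IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
BROADCAST_MAC = b"\xff" * 6
LINK_LOCAL = ipaddress.IPv4Network("224.0.0.0/24")   # never pruned by snooping


def ip_mcast_mac(group: str) -> bytes:
    """RFC 1112 mapping: low 23 bits of the group address under 01:00:5e."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return b"\x01\x00\x5e" + low23.to_bytes(3, "big")


def eth_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero (a bridge never checks it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def igmp_frame(src_mac: bytes, src_ip: str, igmp_type: int, group: str) -> bytes:
    """IGMPv2 message (type, max-resp, checksum, group) inside IPv4 inside Ethernet."""
    igmp = struct.pack("!BBH4s", igmp_type, 0, 0, ipaddress.IPv4Address(group).packed)
    dst_ip = {IGMP_QUERY: "224.0.0.1", IGMP_LEAVE: "224.0.0.2"}.get(igmp_type, group)
    return eth_frame(ip_mcast_mac(dst_ip), src_mac, ETH_IPV4,
                     ipv4_packet(src_ip, dst_ip, IPPROTO_IGMP, igmp))


class Switch:
    def __init__(self, ports, snooping=False, router_ports=()):
        self.ports = set(ports)
        self.snooping = snooping
        self.router_ports = set(router_ports)   # ports where an IGMP querier lives
        self.mac_table = {}                     # source MAC -> port, learned per frame
        self.groups = {}                        # group IP -> member ports (snooping only)

    def forward(self, in_port: int, frame: bytes) -> set:
        """Return the egress ports for `frame` arriving on `in_port`."""
        dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
        self.mac_table[src] = in_port            # pure layer-2 learning
        flood = self.ports - {in_port}
        if dst == BROADCAST_MAC:
            return flood                         # every port in the VLAN, whatever the IP subnet
        if dst[0] & 1:                           # group bit set: multicast frame
            if self.snooping and ethertype == ETH_IPV4:
                return self._snoop(in_port, frame[14:], flood)
            return flood                         # a plain switch floods multicast
        port = self.mac_table.get(dst)
        if port is None:
            return flood                         # unknown unicast: flood
        return set() if port == in_port else {port}

    def _snoop(self, in_port: int, pkt: bytes, flood: set) -> set:
        """Peek into the IPv4/IGMP headers (the RFC 4541 behaviour) to constrain multicast."""
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        dst_ip = ipaddress.IPv4Address(pkt[16:20])
        if proto == IPPROTO_IGMP:
            igmp_type = pkt[ihl]
            group = str(ipaddress.IPv4Address(pkt[ihl + 4:ihl + 8]))
            if igmp_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
                self.groups.setdefault(group, set()).add(in_port)
                return self.router_ports - {in_port}        # reports go to router ports only
            if igmp_type == IGMP_LEAVE:
                self.groups.get(group, set()).discard(in_port)  # simplified "fast leave"
                return self.router_ports - {in_port}
            return flood                                      # queries must reach every port
        if dst_ip in LINK_LOCAL:
            return flood                                      # 224.0.0.x is always flooded
        members = self.groups.get(str(dst_ip))
        if not members:
            return flood                                      # unregistered group: flood by default
        return (members | self.router_ports) - {in_port}


def demo() -> dict:
    """Constructed hosts A-D on ports 1-4; A, B in 10.0.0.0/24 and C, D in 10.1.0.0/24."""
    A, B, C, D = (bytes([0x02, 0, 0, 0, 0, i]) for i in range(1, 5))
    data = eth_frame(ip_mcast_mac("239.1.1.1"), A, ETH_IPV4,
                     ipv4_packet("10.0.0.1", "239.1.1.1", 17, b"video"))
    r = {}
    plain = Switch(ports=[1, 2, 3, 4])
    r["plain_broadcast"] = plain.forward(1, eth_frame(BROADCAST_MAC, A, ETH_ARP, b"\x00" * 28))
    r["plain_multicast"] = plain.forward(1, data)
    r["unknown_unicast"] = plain.forward(2, eth_frame(C, B, ETH_IPV4, b""))
    r["known_unicast"] = plain.forward(2, eth_frame(A, B, ETH_IPV4, b""))   # A learned on port 1
    snoop = Switch(ports=[1, 2, 3, 4], snooping=True)
    snoop.forward(3, igmp_frame(C, "10.1.0.3", IGMP_V2_REPORT, "239.1.1.1"))
    snoop.forward(4, igmp_frame(D, "10.1.0.4", IGMP_V2_REPORT, "239.1.1.1"))
    r["snoop_multicast"] = snoop.forward(1, data)
    snoop.forward(4, igmp_frame(D, "10.1.0.4", IGMP_LEAVE, "239.1.1.1"))
    r["snoop_after_leave"] = snoop.forward(1, data)
    r["snoop_unregistered"] = snoop.forward(1, eth_frame(ip_mcast_mac("239.9.9.9"), A, ETH_IPV4,
                                                         ipv4_packet("10.0.0.1", "239.9.9.9", 17, b"x")))
    return r
```

demo() returns the egress-port set for each case: the plain switch sends A's broadcast and multicast to ports 2, 3 and 4 even though ports 3 and 4 sit in a different IP subnet, while the snooping switch delivers the 239.1.1.1 stream only to the ports that sent reports and shrinks that set when D leaves. The point for a stealth firewall is the same as for the snooping switch: a transparent bridge that filters on IP headers is exactly a layer 2 device making layer 3 decisions. The caveat is also the same: the group table is built from unauthenticated IGMP reports, so any host on the VLAN can join any group and receive its traffic; snooping limits flooding, it does not provide access control.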
Current thread:
- Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 01)
- Re: Layer 2 (stealth) firewalls - PBR? Sami Ghourabi (Apr 01)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 03)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 03)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Patrick Darden (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 10)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Sami Ghourabi (Apr 01)
- Layer 2 (stealth) firewalls - PBR? iarenaza (Apr 09)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 10)
- Re: Layer 2 (stealth) firewalls - PBR? lordchariot (Apr 10)
- Re: Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 10)
