Re: [DNA] Re: RS/RA Exchange
Hi Hesham,
Soliman Hesham wrote:
> > > > Personally, I think that the lack of security in VRRP is the
> > > > killer for using this technology in DNA. It may be trivial
> > > > on a wireless link to become the [fastest responder,
> > VRRP master].
> > >
> > > => But the routers don't have to talk VRRP over the wireless
> > > link. Surely they can do that on the wired side.
> >
> > On WLAN with switched ethernet, broadcasts go over the wireless link.
>
> => Doesn't that depend on which link is shared between
> the two routers? For instance, the link shared between
> the two routers can be physically separate from the
> bridged link connected to the wireless interface.
You're right.
The link can be physically distinct, or logically
distinct.
I think it would assume a preconfigured interface arrangement
between the access network's routers.
It's interesting, but not universally applicable to
access network scenarios.
Please correct me if you have a different idea.
> >
> > Most switches today treat multicast as broadcast.
> >
> > So multicast all-routers RA/VRRP goes over the wireless link.
> >
> > A device which can transmit onto the wireless link will have its
> > vrrp or all-routers messages bridged onto the wired link, and will
> > also be able to snoop the status of the conversation from the wired
> > side.
>
> => Ok, but even if that can happen, what harm is there
> in snooping? As long as the device cannot impersonate
> the router I don't see any harm in that.
I don't mind this, in the case that there's not too
much traffic on the wireless link.
Alternatively, multicast snooping can be used to
help prevent the traffic going onto a wireless segment.
I'm not sure this is 'kosher' though.
Greg
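The concern raised in this exchange is that a host on the wireless side can have its VRRP advertisements bridged onto the routers' segment and contend for master. The following is an added example, not code from the thread or from any VRRP implementation: it parses VRRPv3 advertisements (RFC 5798 header layout: version/type, VRID, priority, address count, max advertisement interval, checksum, address list) and, given a configured set of legitimate router addresses, flags advertisements from any other sender that would win the election against the current master (higher priority, or equal priority from a higher IP address) or force a failover (priority 0). The VRID, router addresses and the observed packets are constructed for the example; the checksum, which covers an IP pseudo-header, is not computed or verified here. It handles both IPv6 and IPv4 address lists, although the sample is IPv6.

```python
"""VRRPv3 (RFC 5798) advertisement audit for a segment where hosts can inject traffic.

Constructed example: parses advertisements as they would be seen on the wire
(IP source plus VRRP payload) and flags those from senders outside the
configured router set that would win or force a master election.
"""
import ipaddress
import struct

VRRP_VERSION = 3
VRRP_ADVERTISEMENT = 1


def build_vrrpv3(vrid, priority, addresses, adver_int_cs=100):
    """Build a VRRPv3 advertisement payload (RFC 5798 section 5.2 layout).
    The checksum is left as zero: the real one covers an IP pseudo-header,
    which is outside the scope of this example."""
    packed = b"".join(ipaddress.ip_address(a).packed for a in addresses)
    header = struct.pack("!BBBBHH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(addresses), adver_int_cs & 0x0FFF, 0)
    return header + packed


def parse_vrrpv3(payload):
    """Parse the 8-byte fixed header and the trailing IPvX address list.
    The header carries no address family; it is inferred from the length
    of the trailing bytes against the advertised address count."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the VRRP fixed header")
    vt, vrid, prio, count, adver, csum = struct.unpack("!BBBBHH", payload[:8])
    version, vtype = vt >> 4, vt & 0x0F
    if version != VRRP_VERSION or vtype != VRRP_ADVERTISEMENT:
        raise ValueError(f"not a VRRPv3 advertisement (version={version}, type={vtype})")
    rest = payload[8:]
    if count * 16 == len(rest):
        alen = 16
    elif count * 4 == len(rest):
        alen = 4
    else:
        raise ValueError("address count does not match payload length")
    addrs = [ipaddress.ip_address(rest[i * alen:(i + 1) * alen]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "max_adver_int_cs": adver & 0x0FFF,
            "checksum": csum, "addresses": addrs}


def would_preempt(adv, sender, master_priority, master_ip):
    """RFC 5798 master behaviour: the master yields to an advertisement with a
    higher priority, or an equal priority from a sender with a higher IP."""
    s, m = ipaddress.ip_address(sender), ipaddress.ip_address(master_ip)
    if adv["priority"] > master_priority:
        return True
    return adv["priority"] == master_priority and s > m


def audit_advertisements(observed, vrid, master_priority, master_ip, trusted_senders):
    """Return (sender, verdict, detail) for each advertisement for `vrid` that
    did not come from one of the configured routers. Verdicts:
    master-takeover, forced-failover, untrusted-sender, malformed."""
    trusted = {ipaddress.ip_address(t) for t in trusted_senders}
    findings = []
    for sender, payload in observed:
        try:
            adv = parse_vrrpv3(payload)
        except ValueError as exc:
            findings.append((sender, "malformed", str(exc)))
            continue
        if adv["vrid"] != vrid or ipaddress.ip_address(sender) in trusted:
            continue
        detail = f"priority={adv['priority']} addrs={[str(a) for a in adv['addresses']]}"
        if adv["priority"] == 0:
            # Priority 0 tells backups the master is resigning; forged, it
            # triggers an election the rogue sender can then contest.
            findings.append((sender, "forced-failover", detail))
        elif would_preempt(adv, sender, master_priority, master_ip):
            findings.append((sender, "master-takeover", detail))
        else:
            findings.append((sender, "untrusted-sender", detail))
    return findings


# Constructed sample: VRID 1 on an IPv6 link. fe80::1 is the master (priority 100)
# and fe80::2 the backup; every other source is a host on the wireless side.
TRUSTED = {"fe80::1", "fe80::2"}
SAMPLE = [
    ("fe80::1", build_vrrpv3(1, 100, ["fe80::1"])),   # legitimate master
    ("fe80::3", build_vrrpv3(1, 200, ["fe80::1"])),   # higher priority from a host
    ("fe80::3", build_vrrpv3(1, 0, ["fe80::1"])),     # forged "master resigning"
    ("fe80::9", build_vrrpv3(1, 100, ["fe80::1"])),   # equal priority, higher IP wins
    ("fe80::4", build_vrrpv3(1, 50, ["fe80::1"])),    # loses the election, still rogue
    ("fe80::4", b"\x31\x01"),                         # truncated payload
]

if __name__ == "__main__":
    for finding in audit_advertisements(SAMPLE, 1, 100, "fe80::1", TRUSTED):
        print(finding)
```

On a bridged WLAN the capture point matters: tapping the routers' wired segment shows what actually reaches them, while a capture on the wireless side shows what hosts are sending before multicast snooping or a filter drops it. The same audit can be run on an IPv4 deployment by feeding it 4-byte addresses; the parser infers the family from the payload length.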