RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp
Thomas Morin <thomas.morin@orange-ftgroup.com> Mon, 15 December 2008 10:51 UTC
Return-Path: <l3vpn-bounces@ietf.org>
X-Original-To: l3vpn-archive@megatron.ietf.org
Delivered-To: ietfarch-l3vpn-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C0C5E3A67F0; Mon, 15 Dec 2008 02:51:24 -0800 (PST)
X-Original-To: l3vpn@core3.amsl.com
Delivered-To: l3vpn@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 608FD3A67F0 for <l3vpn@core3.amsl.com>; Mon, 15 Dec 2008 02:51:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.157
X-Spam-Level:
X-Spam-Status: No, score=-3.157 tagged_above=-999 required=5 tests=[AWL=0.092, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cJgu0GjuSlHl for <l3vpn@core3.amsl.com>; Mon, 15 Dec 2008 02:51:22 -0800 (PST)
Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com [195.101.245.15]) by core3.amsl.com (Postfix) with ESMTP id D7F693A67B6 for <l3vpn@ietf.org>; Mon, 15 Dec 2008 02:51:21 -0800 (PST)
Received: from ftrdmel10.rd.francetelecom.fr ([10.193.117.156]) by ftrdsmtp2.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.1830); Mon, 15 Dec 2008 11:51:09 +0100
Received: from [10.193.15.34] ([10.193.15.34]) by ftrdmel10.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.1830); Mon, 15 Dec 2008 11:51:08 +0100
Subject: RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp
From: Thomas Morin <thomas.morin@orange-ftgroup.com>
To: "NAPIERALA, MARIA H, ATTLABS" <mnapierala@att.com>
In-Reply-To: <2F1DE4DFCFF32144B771BD2C246E6A200166D77C@misout7msgusr7e.ugd.att.com>
References: <F9AA9B4C-3FEA-4723-BBBD-7FF91270E07D@tcb.net> <2F1DE4DFCFF32144B 771BD2C246E6A200166D5CF@misout7msgusr7e.ugd.att.com> <EC8F87C1-E3AA-4606-A89A-4D02110355FA@multicasttech.com> <2F1DE4DFCFF32144B771BD2C246E6A200166D77C@misout7msgusr7e.ugd.att.com>
Content-Type: text/plain
Organization: France Telecom R&D - Orange Labs
Date: Mon, 15 Dec 2008 11:51:24 +0100
Message-Id: <1229338284.5286.23.camel@l-at11168.FTRD>
Mime-Version: 1.0
X-Mailer: Evolution 2.22.3.1
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 15 Dec 2008 10:51:08.0331 (UTC) FILETIME=[092BB7B0:01C95EA3]
Cc: l3vpn@ietf.org, Danny McPherson <danny@tcb.net>
X-BeenThere: l3vpn@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <l3vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/l3vpn>
List-Post: <mailto:l3vpn@ietf.org>
List-Help: <mailto:l3vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=subscribe>
Sender: l3vpn-bounces@ietf.org
Errors-To: l3vpn-bounces@ietf.org
Hi Maria, NAPIERALA, MARIA H, ATTLABS : > > > > Might there be situations where receivers want to set up a multicast > > route for > > source regardless of whether the source is currently active, to reduce > > the time for source data to propagate ? So in that case this would be > > legitimate. > > > > Otherwise, joins to sources that are not active will generally stop. > > Or are you worried about > > DOS attacks ? > > Yes, I think that triggering Source Active A-D routes when receiving > (S,G) Joins without the knowledge that S is actually "active" creates a > security issue. I don't agree with your formulation. Let's suppose that there is a security issue due to spurious state being created because of an inactive source "mistaken" as active. Let's suppose we try to solve the issue by avoiding inactive sources to create these states. The "attacker" on the customer side can still create the same states by making the right number of source active. > A single end-user PC can generate a lot of spurious > IGMP (S,G) joins that could trigger lots of BGP updates and potentially > useless S-PMSIs in VPN core. Well, I'm lost here : since when do IGMP S,G joins create S-PMSI routes ? It is true that IGMP activity (and PIM) on the customer side will create state on the PEs, and that this has to be controlled in some kind of way, but this is not specific to BGP, nor related to S-A A-D routes or S-PMSI routes... Now, if we take a broader perspective, I agree that we must ensure that there are safeguards to avoid that customers could creates an unbounded amount of states in the PEs (and RRs) : - it applies to state in the PEs that is created directly based on state on the PE-CE interfaces : (S,G) and (*,G) joins * we need safeguards to avoid too much states created on PEs based on customer PIM activity * it implies having the operator configure upper bounds on the amount of multicast states in the VRFs * this is true independently of the protocol used for C-multicast routing - it also applies to states created "indirecly" based on customer activit: Source-Active and S-PMSI A-D routes * we need safeguards to cover these * S-PMSI routes are created based on (a) customer activity and (b) PE policy defined by the operator --> there is a need to bound the amount, and frequency of changes, of S-PMSI state (this critical to protect P routers, and is true independently of the protocol used to signal S-PMSIs) * S-A A-D routes are also created based on customer activity: -> in the context of section 13, they are only created based on Source Tree Join routes, so if these are properly bounded, it should be fine -> in the context of section 14, they are created based on RP activity, or PIM registers, or MSDP : bounds would typically also setup here -> if we want more solive boundaries, it seems to me that it makes sense to suggest that implementation should provide a way to set an upper bound to the number of S-A A-D routes that can be advertised from a VRF Cheers, -Thomas > > -----Original Message----- > > From: Marshall Eubanks [mailto:tme@multicasttech.com] > > Sent: Sunday, December 14, 2008 8:33 AM > > To: NAPIERALA, MARIA H, ATTLABS > > Cc: Danny McPherson; l3vpn@ietf.org > > Subject: Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp > > > > Dear Maria; > > > > On Dec 12, 2008, at 4:17 PM, NAPIERALA, MARIA H, ATTLABS wrote: > > > > > PIM-SM/RFC 4601 permits, quote, "a receiver to join a group and > > > specify > > > that it only wants to receive traffic for a group if that traffic > > > comes > > > from a particular source. If a receiver does this, and no other > > > receiver > > > on the LAN requires all the traffic for the group, then the DR may > > > omit > > > performing a (*,G) join to set up the shared tree, and instead issue > > a > > > source-specific (S,G) join only." > > > > > > Such behavior of end systems in PIM-SM means that a PE can receive > > > Join > > > (C-S, C-G) even for sources that are not active. > > > > > > Section 13.1 of draft-ietf-l3vpn-2547bis-mcast-bgp-05 requires that > > > "whenever a PE creates an <C-S,C-G> state as a result of receiving a > > > Source Tree Join C-multicast route for <C-S, C-G> from some other > PE, > > > the PE that creates the state MUST originate a Source Active A-D > > > route." > > > > > > The procedure as described in section 13.1 might lead to useless S- > > > PMSI > > > creation for C-sources operating in sparse groups which are not > > > active. > > > This procedure should be enhanced to prevent triggering of S-PMSIs > in > > > such cases. > > > > Might there be situations where receivers want to set up a multicast > > route for > > source regardless of whether the source is currently active, to reduce > > the time for source data to propagate ? So in that case this would be > > legitimate. > > > > Otherwise, joins to sources that are not active will generally stop. > > Or are you worried about > > DOS attacks ? > > > > Regards > > Marshall > > > > > > > > > > > Maria > > > > > >> -----Original Message----- > > >> From: l3vpn-bounces@ietf.org [mailto:l3vpn-bounces@ietf.org] On > > >> Behalf > > >> Of Danny McPherson > > >> Sent: Friday, November 21, 2008 8:52 AM > > >> To: l3vpn@ietf.org > > >> Subject: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp > > >> > > >> > > >> Please consider today the start of a 2-week last call > > >> for draft-ietf-l3vpn-2547bis-mcast-bgp, available here: > > >> > > >> http://tools.ietf.org/html/draft-ietf-l3vpn-2547bis-mcast-bgp-05 > > >> > > >> Input on this draft's suitability for publication as an > > >> Internet Standards Track document is solicited, feedback > > >> ends December 9, 2008. > > >> > > >> Thanks in advance for your feedback! > > >> > > >> Danny & Marshall >
- WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Danny McPherson
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Thomas Morin
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Yakov Rekhter
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Marshall Eubanks
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Yakov Rekhter
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Yakov Rekhter
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Thomas Morin
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Marshall Eubanks
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Yakov Rekhter
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Yakov Rekhter
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Yakov Rekhter
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- RE: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp NAPIERALA, MARIA H, ATTLABS
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Yakov Rekhter
- Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp Yakov Rekhter