Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp

Marshall Eubanks <tme@multicasttech.com> Mon, 15 December 2008 15:03 UTC

Message-Id: <AAE960D7-EEB2-4340-90F6-3D7FCABD18DD@multicasttech.com>
From: Marshall Eubanks <tme@multicasttech.com>
To: "NAPIERALA, MARIA H, ATTLABS" <mnapierala@att.com>
In-Reply-To: <2F1DE4DFCFF32144B771BD2C246E6A200166D77C@misout7msgusr7e.ugd.att.com>
Subject: Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp
Date: Mon, 15 Dec 2008 10:02:58 -0500
References: <F9AA9B4C-3FEA-4723-BBBD-7FF91270E07D@tcb.net> <2F1DE4DFCFF32144B771BD2C246E6A200166D5CF@misout7msgusr7e.ugd.att.com> <EC8F87C1-E3AA-4606-A89A-4D02110355FA@multicasttech.com> <2F1DE4DFCFF32144B771BD2C246E6A200166D77C@misout7msgusr7e.ugd.att.com>
Cc: l3vpn@ietf.org, Danny McPherson <danny@tcb.net>

On Dec 14, 2008, at 8:59 PM, NAPIERALA, MARIA H, ATTLABS wrote:

> Hi Marshall,
>
>> Might there be situations where receivers want to set up a multicast
>> route for a source regardless of whether the source is currently active,
>> to reduce the time for source data to propagate ? So in that case this
>> would be legitimate.
>>
>> Otherwise, joins to sources that are not active will generally stop.
>> Or are you worried about DOS attacks ?
>>
>
> Yes, I think that triggering Source Active A-D routes when receiving
> (S,G) Joins without the knowledge that S is actually "active" creates a
> security issue.  A single end-user PC can generate a lot of spurious
> IGMP (S,G) joins that could trigger lots of BGP updates and potentially
> useless S-PMSIs in the VPN core.
>

This is of course true for normal (non-L3VPN) multicast, and has largely
been dealt with by a combination of filtering and rate limiting - see, e.g.,

http://www.juniper.net/solutions/literature/app_note/350051.pdf

I would think that the VPN situation would be even easier to control (it
should be easier to determine what is and isn't authorized, for example).

Are you saying that you have seen these kinds of DOS attacks in practice,
or are you just worried about the principle ?

Wearing no hats of any kind;
Marshall


> Maria
>
>> -----Original Message-----
>> From: Marshall Eubanks [mailto:tme@multicasttech.com]
>> Sent: Sunday, December 14, 2008 8:33 AM
>> To: NAPIERALA, MARIA H, ATTLABS
>> Cc: Danny McPherson; l3vpn@ietf.org
>> Subject: Re: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp
>>
>> Dear Maria;
>>
>> On Dec 12, 2008, at 4:17 PM, NAPIERALA, MARIA H, ATTLABS wrote:
>>
>>> PIM-SM/RFC 4601 permits, quote, "a receiver to join a group and specify
>>> that it only wants to receive traffic for a group if that traffic comes
>>> from a particular source. If a receiver does this, and no other receiver
>>> on the LAN requires all the traffic for the group, then the DR may omit
>>> performing a (*,G) join to set up the shared tree, and instead issue a
>>> source-specific (S,G) join only."
>>>
>>> Such behavior of end systems in PIM-SM means that a PE can receive Join
>>> (C-S, C-G) even for sources that are not active.
>>>
>>> Section 13.1 of draft-ietf-l3vpn-2547bis-mcast-bgp-05 requires that
>>> "whenever a PE creates an <C-S,C-G> state as a result of receiving a
>>> Source Tree Join C-multicast route for <C-S, C-G> from some other PE,
>>> the PE that creates the state MUST originate a Source Active A-D
>>> route."
>>>
>>> The procedure as described in section 13.1 might lead to useless S-PMSI
>>> creation for C-sources operating in sparse groups which are not active.
>>> This procedure should be enhanced to prevent triggering of S-PMSIs in
>>> such cases.
>>
>> Might there be situations where receivers want to set up a multicast
>> route for a source regardless of whether the source is currently active,
>> to reduce the time for source data to propagate ? So in that case this
>> would be legitimate.
>>
>> Otherwise, joins to sources that are not active will generally stop.
>> Or are you worried about DOS attacks ?
>>
>> Regards
>> Marshall
>>
>>>
>>>
>>> Maria
>>>
>>>> -----Original Message-----
>>>> From: l3vpn-bounces@ietf.org [mailto:l3vpn-bounces@ietf.org] On Behalf
>>>> Of Danny McPherson
>>>> Sent: Friday, November 21, 2008 8:52 AM
>>>> To: l3vpn@ietf.org
>>>> Subject: WG LC: draft-ietf-l3vpn-2547bis-mcast-bgp
>>>>
>>>>
>>>> Please consider today the start of a 2-week last call
>>>> for draft-ietf-l3vpn-2547bis-mcast-bgp, available here:
>>>>
>>>> http://tools.ietf.org/html/draft-ietf-l3vpn-2547bis-mcast-bgp-05
>>>>
>>>> Input on this draft's suitability for publication as an
>>>> Internet Standards Track document is solicited, feedback
>>>> ends December 9, 2008.
>>>>
>>>> Thanks in advance for your feedback!
>>>>
>>>> Danny & Marshall
>
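The mitigation Marshall points to in his reply (filtering plus rate limiting of join-triggered state), as an added illustration that is not part of the thread, the draft, or any vendor's implementation: a simplified PE model that checks each (C-S,C-G) join against an authorized-source list and caps new <C-S,C-G> state creation per second, so a host flooding spurious IGMP (S,G) joins cannot trigger an unbounded number of Source Active A-D routes. The class and function names, the fixed-window limiter and the traffic burst are all hypothetical and constructed here.

```python
"""Added illustration (not the draft's procedure or any vendor's code): filter
(C-S,C-G) joins by authorized source and rate-limit new <C-S,C-G> state creation,
which in turn bounds join-triggered Source Active A-D route origination."""
import ipaddress
from collections import defaultdict


class PE:
    def __init__(self, authorized_sources, max_new_states_per_sec=20):
        self.authorized = [ipaddress.ip_network(p) for p in authorized_sources]
        self.limit = max_new_states_per_sec
        self.window_start, self.window_count = 0.0, 0   # simplified fixed 1 s window
        self.state = set()          # installed <C-S,C-G> states
        self.sa_ad_routes = []      # Source Active A-D routes originated
        self.dropped = defaultdict(int)

    def source_authorized(self, c_s):
        return any(ipaddress.ip_address(c_s) in net for net in self.authorized)

    def receive_join(self, c_s, c_g, now):
        """Process one (C-S,C-G) join; return True if an SA A-D route is originated."""
        if not self.source_authorized(c_s):
            self.dropped["filtered"] += 1
            return False
        if (c_s, c_g) in self.state:       # state already exists: no new route
            return False
        if now - self.window_start >= 1.0:  # start a new one-second window
            self.window_start, self.window_count = now, 0
        if self.window_count >= self.limit:
            self.dropped["rate_limited"] += 1   # join discarded before any state is created
            return False
        self.window_count += 1
        self.state.add((c_s, c_g))
        self.sa_ad_routes.append((c_s, c_g))   # new state -> originate SA A-D route
        return True


def simulate_burst(n_joins=1000, limit=20):
    """Constructed burst: one host sends n distinct (S,G) joins within one second,
    half of them for sources outside the authorized 10.0.0.0/8 range."""
    pe = PE(["10.0.0.0/8"], limit)
    for i in range(n_joins):
        third, fourth = (i // 2) // 256, (i // 2) % 256
        c_s = f"10.1.{third}.{fourth}" if i % 2 == 0 else f"192.168.{third}.{fourth}"
        pe.receive_join(c_s, "232.1.1.1", now=i / n_joins)
    return len(pe.sa_ad_routes), dict(pe.dropped)


if __name__ == "__main__":
    print(simulate_burst())   # (20, {'filtered': 500, 'rate_limited': 480})
```

Without the two checks every one of the 1000 constructed joins would create state and hence a BGP update; with them the burst yields 20 routes, 500 filtered joins and 480 rate-limited ones.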