Re: WG LC: draft-ietf-l3vpn-2547bis-mcast
Thomas Morin <thomas.morin@orange-ftgroup.com> Thu, 11 December 2008 10:03 UTC
Subject: Re: WG LC: draft-ietf-l3vpn-2547bis-mcast
From: Thomas Morin <thomas.morin@orange-ftgroup.com>
To: erosen@cisco.com
In-Reply-To: <11375.1228930191@erosen-linux>
References: <11375.1228930191@erosen-linux>
Organization: France Telecom R&D - Orange Labs
Date: Thu, 11 Dec 2008 11:03:36 +0100
Message-Id: <1228989816.5312.65.camel@l-at11168.FTRD>
Cc: L3VPN <l3vpn@ietf.org>, Rahul Aggarwal <rahul@juniper.net>
Hi Eric,
Eric Rosen :
> > Indeed there is no valid semantic for S-PMSI Join packets received from
> > a CE. But a wrong semantic can very easily be given to such packets by
> > an implementation not having been carefully written in this respect,
>
> Implementation errors which cause packets to be processed with incorrect
> semantics can cause a variety of problems. However, we cannot expect the
> security considerations section to list all the things that an
> implementation could possibly get wrong.
Of course. But among all the things that an implementation can get
wrong, not all of them are likely, not all are security issues, and few
of them are both. So, if there happens to be one thing that is easy to
get wrong (and that actually happened in the past) and has a significant
impact on security, it seems wise to raise a warning.
> However, if it makes you happy, I suppose we could replace:
>
> If one uses the UDP-based protocol for switching to S-PMSI (as
> specified in Section 7.2.1), then by default each PE router MUST
> install packet filters that would result in discarding all UDP
> packets with the destination port 3232 that the PE router receives
> from the CE routers connected to the PE router.
>
> with
>
> The S-PMSI Join messages defined in section 7.4.2 are valid only when
> received over a PMSI, and MUST NOT be processed in other contexts.
This is "less wrong" than previous wording, but I think that it does not
yet restrict things enough in the light of past issues.
I would propose:
The S-PMSI Join messages defined in section 7.4.2 are valid
only when received over an MI-PMSI, and with a destination address
of ALL-PIM-ROUTERS, and MUST NOT be processed in other contexts.
Ideally, I think it would be good to add some text to explain (a) why
this is a MUST NOT and (b) why this is expected to prevent illegitimate
S-PMSI Join packets sent by a CE from being processed by a PE (*because*
messages sent to the ALL-PIM-ROUTERS address are link-local and *not*
forwarded). Tell me if you want text for this.
Thanks,
-Thomas
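The receive-path rule discussed in this message, as an added example that is not code from the draft or from either correspondent. It contrasts the behaviour the thread warns about (treating any UDP datagram to port 3232 as an S-PMSI Join, whatever interface it arrived on) with the proposed rule (process only when received over an MI-PMSI and addressed to ALL-PIM-ROUTERS, 224.0.0.13), and also shows the draft's earlier wording as a plain CE-ingress filter. The Packet record, the interface names, the sample packets and the 16-byte Type/Length/Reserved/C-source/C-group/P-group layout used to build them are assumptions made for the example; check the layout against section 7.4.2 of the draft before relying on it.

```python
"""PE receive-path handling of S-PMSI Join messages (added example).

Not code from draft-ietf-l3vpn-2547bis-mcast or from the thread's
participants. Packet, ingress kinds, sample packets and the message
layout below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress
import struct

ALL_PIM_ROUTERS = ipaddress.IPv4Address("224.0.0.13")  # link-local, never forwarded
S_PMSI_JOIN_PORT = 3232

# Assumed layout: Type(1) Length(2) Reserved(1) C-source(4) C-group(4) P-group(4)
_SPMSI_JOIN_FMT = "!BHB4s4s4s"
_SPMSI_JOIN_TYPE = 1
_SPMSI_JOIN_LEN = struct.calcsize(_SPMSI_JOIN_FMT)  # 16


@dataclass(frozen=True)
class Packet:
    ingress: str           # interface name (constructed)
    ingress_kind: str      # "mi-pmsi" (provider tunnel) or "ce" (attachment circuit)
    dst: ipaddress.IPv4Address
    udp_dport: int
    payload: bytes


def build_spmsi_join(c_source, c_group, p_group):
    """Encode an S-PMSI Join with the assumed layout (for sample packets)."""
    return struct.pack(_SPMSI_JOIN_FMT, _SPMSI_JOIN_TYPE, _SPMSI_JOIN_LEN, 0,
                       ipaddress.IPv4Address(c_source).packed,
                       ipaddress.IPv4Address(c_group).packed,
                       ipaddress.IPv4Address(p_group).packed)


def parse_spmsi_join(payload):
    """Decode (C-source, C-group, P-group); raise on a malformed message."""
    if len(payload) != _SPMSI_JOIN_LEN:
        raise ValueError("bad S-PMSI Join length %d" % len(payload))
    typ, length, _reserved, csrc, cgrp, pgrp = struct.unpack(_SPMSI_JOIN_FMT, payload)
    if typ != _SPMSI_JOIN_TYPE or length != _SPMSI_JOIN_LEN:
        raise ValueError("bad S-PMSI Join header type=%d len=%d" % (typ, length))
    return (ipaddress.IPv4Address(csrc), ipaddress.IPv4Address(cgrp),
            ipaddress.IPv4Address(pgrp))


def naive_is_spmsi_join(pkt):
    """The mistake the thread warns about: key only on the UDP port."""
    return pkt.udp_dport == S_PMSI_JOIN_PORT


def spmsi_join_context_ok(pkt):
    """Proposed rule: valid only over an MI-PMSI and only to ALL-PIM-ROUTERS."""
    return (pkt.udp_dport == S_PMSI_JOIN_PORT
            and pkt.ingress_kind == "mi-pmsi"
            and pkt.dst == ALL_PIM_ROUTERS)


def ce_ingress_filter_drops(pkt):
    """The draft's earlier wording: discard UDP/3232 received from CE routers."""
    return pkt.ingress_kind == "ce" and pkt.udp_dport == S_PMSI_JOIN_PORT


def handle(pkt):
    """Return ("processed", (c_source, c_group, p_group)) or ("dropped", reason)."""
    if not spmsi_join_context_ok(pkt):
        return ("dropped", "S-PMSI Join outside MI-PMSI/ALL-PIM-ROUTERS context")
    try:
        return ("processed", parse_spmsi_join(pkt.payload))
    except ValueError as exc:
        return ("dropped", str(exc))


_JOIN = build_spmsi_join("10.1.1.1", "232.1.1.1", "239.192.0.7")

# Constructed sample packets.
SAMPLES = {
    # Legitimate: arrived over the MI-PMSI, addressed to ALL-PIM-ROUTERS.
    "legit": Packet("mdt0", "mi-pmsi", ALL_PIM_ROUTERS, S_PMSI_JOIN_PORT, _JOIN),
    # A CE sends the same datagram to ALL-PIM-ROUTERS on its attachment circuit.
    "from_ce_to_all_pim": Packet("ge-0/0/1.100", "ce", ALL_PIM_ROUTERS,
                                 S_PMSI_JOIN_PORT, _JOIN),
    # A CE unicasts the datagram to the PE's own address.
    "from_ce_unicast": Packet("ge-0/0/1.100", "ce",
                              ipaddress.IPv4Address("192.0.2.1"),
                              S_PMSI_JOIN_PORT, _JOIN),
    # Right tunnel, wrong destination address.
    "pmsi_unicast": Packet("mdt0", "mi-pmsi", ipaddress.IPv4Address("192.0.2.1"),
                           S_PMSI_JOIN_PORT, _JOIN),
}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-20s naive=%-5s rule=%-5s -> %s" % (
            name, naive_is_spmsi_join(pkt), spmsi_join_context_ok(pkt), handle(pkt)))
```

The naive check accepts all four sample packets; the proposed rule accepts only the first. Note that the ingress check is what actually protects the PE: a CE can put 224.0.0.13 in the destination field of a packet it sends on its own attachment circuit, so the destination-address test alone is not sufficient, while the MI-PMSI test alone would still admit a message addressed elsewhere.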