Re: [MBONED] Benjamin Kaduk's Discuss on draft-ietf-mboned-ieee802-mcast-problems-11: (with DISCUSS and COMMENT)

Alvaro Retana <> Thu, 09 January 2020 13:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A31421200C1; Thu, 9 Jan 2020 05:51:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C5xFoFTzUoMn; Thu, 9 Jan 2020 05:51:16 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 14AF81200EF; Thu, 9 Jan 2020 05:51:16 -0800 (PST)
Received: by with SMTP id bx28so5623567edb.11; Thu, 09 Jan 2020 05:51:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc:content-transfer-encoding; bh=hmmpQkLWZEq7ePfeSAUtmfLd+4LIdKsj4Ky6HV7tJgU=; b=YiBWl4knkW6YMI6deQ5356fqTGRBdlBByFySE8Vdf5UaWce0lABbyZZ+B7LptNK6qj sTamXZuVRCMtw1V8n3ZcAQjrLCRakT71oRf6+00JaCy0Y07HncKCFvLH9wHAs54y69Ej kmQMduxUGJ8lKx+fJ7iEGYhVM4zxOcjF451zdumEruLhrEO4KAy4A5odWayKJoIdk4Pz dzL84PBfsgfHP9tSnOTZpmPeD33ryP4wRLB0XjVsztz4qnez1vZIqniycGjbMzSkRKaz Tydin30gcLfKFs2y6S8zUlfrZbD4tpcErQXZXtXw4jTQJzJedljEMml+kA4bBdcnFj8E SZAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc:content-transfer-encoding; bh=hmmpQkLWZEq7ePfeSAUtmfLd+4LIdKsj4Ky6HV7tJgU=; b=Pya9V5yQ9I3HsLwMuLP1l11Rn8TiXa6hRnXbrIvPrnWBzypg1K902kSFnvUyh42feW DVwQYSRZVXBRh0kJ9CUx7C3mX7lyeQsmfiePl1IJW9IqG64yNjYeauq8ldHcfOUJdP43 h95FgpYNHdcaZDRC0XiEOdVmfJoe9AFK4inpzaYRyLGTkr3ZOvs3Q3lPbeypMvCpb3TX Tu1TmePfuWnG61tXmqrxnic6AS5gl8bYj1vMKOXnP9Borw0Xmr5Z2xTiqdAfAlYsnDLf cLi9M9OoMtsIjws1PawmFYM+SnRPB4/Kax/m+8b3p917kOPImnqPBLJrjAqmDqoC3PG8 8PKg==
X-Gm-Message-State: APjAAAWBPVMbHSOu+LsuuxiFqY3fUTt7yTuD3sfzcPmqL2ayG4GTcRGu B20Mg1OK36dOHAMM9RNfYfApkoCSgORBvBZ+e3Q=
X-Google-Smtp-Source: APXvYqxIfT3abXCHIGYgfY6Lj4WhQaxP3qXvrcdyL/hJJfptC3Yf8PPYwIjLrgOIJtGibHwyASBeyDLepjb4CJwY8SQ=
X-Received: by 2002:a17:906:19c8:: with SMTP id h8mr10665240ejd.250.1578577874606; Thu, 09 Jan 2020 05:51:14 -0800 (PST)
Received: from 1058052472880 named unknown by with HTTPREST; Thu, 9 Jan 2020 05:51:13 -0800
From: Alvaro Retana <>
In-Reply-To: <>
References: <>
MIME-Version: 1.0
Date: Thu, 9 Jan 2020 05:51:13 -0800
Message-ID: <>
To: Benjamin Kaduk <>, The IESG <>, Benjamin Kaduk via Datatracker <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [MBONED] Benjamin Kaduk's Discuss on draft-ietf-mboned-ieee802-mcast-problems-11: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mail List for the Mboned Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 09 Jan 2020 13:51:18 -0000

On January 8, 2020 at 5:20:00 PM, Benjamin Kaduk via Datatracker wrote:


> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Section 9 says that "[RFC4601], for instance, mandates the use of IPsec
> to ensure authentication of the link-local messages in the Protocol
> Independent Multicast - Sparse Mode (PIM-SM) routing protocol" but I
> could not find where such use of IPsec was mandated. (I do recognize
> that a similar statement appears almost verbatim in RFC 5796, but RFC
> 5796 seems focused on extending PIM-SM to support ESP in additon to the
> AH usage that was the main focus of the RFC 4601 descriptions, and does
> not help clarify the RFC 4601 requirements for me.) The closest I found
> was in Section 6.3.1 of RFC 4601: "The network administrator defines an
> SA and SPI that are to be used to authenticate all link-local PIM
> protocol messages (Hello, Join/Prune, and Assert) on each link in a PIM
> domain" but I do not think that applies to all usage of PIM-SM. Am I
> missing something obvious?

It looks like everyone (including me) missed the nit that rfc4601 has
been Obsoleted by rfc7761.  One of the changes between the two is that
rfc7761 removed the requirement for authentication using IPSec "due to
lack of sufficient implementation and deployment experience".

This is what rfc7761 says about authentication:

   6.3.  Authentication

      This document refers to RFC 5796 [8], which specifies mechanisms to
      authenticate PIM-SM link-local messages using the IPsec Encapsulating
      Security Payload (ESP) or (optionally) the Authentication Header
      (AH).  It also points out that non-link-local PIM-SM messages (i.e.,
      Register and Register-Stop messages) can be secured by a normal
      unicast IPsec Security Association (SA) between two communicants.