Re: [pim] Questions about draft-ietf-pim-sm-linklocal
Pekka Savola <pekkas@netcore.fi> Tue, 17 October 2006 06:38 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GZiaU-0004cS-Oi; Tue, 17 Oct 2006 02:38:06 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GZiaT-0004a8-VK for pim@ietf.org; Tue, 17 Oct 2006 02:38:05 -0400
Received: from eunet-gw.ipv6.netcore.fi ([2001:670:86:3001::1] helo=netcore.fi) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GZiaT-0005fb-BV for pim@ietf.org; Tue, 17 Oct 2006 02:38:05 -0400
Received: from localhost (pekkas@localhost) by netcore.fi (8.12.11.20060614/8.12.11) with ESMTP id k9H6bQjc025345; Tue, 17 Oct 2006 09:37:27 +0300
Date: Tue, 17 Oct 2006 09:37:26 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: JW Atwood <bill@cse.concordia.ca>
Subject: Re: [pim] Questions about draft-ietf-pim-sm-linklocal
In-Reply-To: <4533FEF9.6060601@cse.concordia.ca>
Message-ID: <Pine.LNX.4.64.0610170927170.22793@netcore.fi>
References: <4533FEF9.6060601@cse.concordia.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Virus-Scanned: ClamAV 0.88.4/2038/Tue Oct 17 01:48:19 2006 on otso.netcore.fi
X-Virus-Status: Clean
X-Spam-Status: No, score=-1.3 required=5.0 tests=AWL, BAYES_20, NO_RELAYS autolearn=ham version=3.1.4
X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on otso.netcore.fi
X-Spam-Score: -2.8 (--)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Cc: pim@ietf.org
X-BeenThere: pim@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Protocol Independent Multicast <pim.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pim>, <mailto:pim-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:pim@ietf.org>
List-Help: <mailto:pim-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pim>, <mailto:pim-request@ietf.org?subject=subscribe>
Errors-To: pim-bounces@ietf.org
Hi, BTW, the draft doesn't yet describe what the SPDs would look like in practice. You will also need to describe what PAD entries (assuming automated key management) will look like. draft-ietf-v6ops-ipsec-tunnels-03.txt might give some ideas. Inline, On Mon, 16 Oct 2006, JW Atwood wrote: > 1) Is there an operational need for confidentiality as well as > authentication? If so, we will adopt appropriate text from RFC 4552 and > recommend the use of ESP in addition to AH. I doubt so, and if so, maybe it would be better to use only ESP (because that can provide payload integrity as well), as the benefit of ESP+AH might not be worth it. > 2) One reply to the posting of draft-atwood-pim-sm-linklocal strongly > suggested the use of automated group key management for a community of PIM-SM > routers. The arguments were convincing to us. Does anyone have any > observations on the utility of this? Should it be mandatory (MUST), or > recommended (SHOULD), or optional (MAY)? If this document aims to be on standards track, this is probably needed, see Security ADs review of PIM-SM spec: https://datatracker.ietf.org/public/pidtracker.cgi?command=view_comment&id=41358 I'd say that a automatic key management mechanism should be a MUST if this approach is adopted. The number of PIM routers is high enough that no one will want to set up SAs manually. > 3) RFC 4601 states: > "IPsec [8] allows (but does not require) there to be different Security > Policy Databases (SPD) for each router interface. If available, it may be > desirable to configure the Security Policy Database at a PIM router such that > all incoming and outgoing Join/Prune, Assert, and Hello packets use a > different SA for each incoming and outgoing interface." > The solution that we propose uses the source address as a selector, and thus > avoids the necessity of multiple SPDs. For this reason, we did _not_ adopt > the text from RFC 4552 that requires the ability to choose a specific SPD > based on the interface. Does anyone see any disadvantages to this decision? > (NOTE: OSFPv3 speakers (RFC 4552) cannot rely on the limited number (and > distance) of peers that we will have with PIM-SM link-local messages.) I suspect you will require interface-specific SPDs. This is because with both v4 (unnumbered interface = packet sent with 0.0.0.0 source address AFAIR) and v6 (link-local address) multiple interfaces could use the same address. Using the address is sufficient for cases where you'll need to use domain-wide reachable addresses (e.g., for Register/Register-Stop). > 4) Is it preferable to continue to use ALL_PIM_ROUTERS (with the proposed new > semantics for secured messages), or to define a new SSM address to be used > for exchanging the secured messages? I haven't thought this much, but given that non-IPsec traffic is protocol 103 and IPsec is either protocol 50 or 51, it isn't possible to confuse the two kinds of packets even if they'd use the same address. Hence using the same address might be preferable. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings _______________________________________________ pim mailing list pim@ietf.org https://www1.ietf.org/mailman/listinfo/pim