Re: [pim] Stephen Farrell's Discuss on draft-ietf-pim-rfc4601bis-05: (with DISCUSS)

William Atwood <william.atwood@concordia.ca> Thu, 28 May 2015 15:54 UTC

Message-ID: <5567396A.7050906@concordia.ca>
Date: Thu, 28 May 2015 11:51:06 -0400
From: William Atwood <william.atwood@concordia.ca>
Organization: Concordia University, Montreal
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <20150526130833.24322.71081.idtracker@ietfa.amsl.com> <5564833F.6060004@innovationslab.net> <55648A58.30002@cs.tcd.ie> <CAKKJt-cBn_MtLag=aDx7bD9G3NhDXYtvF6OG41eaFK3SHCQjvg@mail.gmail.com>
In-Reply-To: <CAKKJt-cBn_MtLag=aDx7bD9G3NhDXYtvF6OG41eaFK3SHCQjvg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pim/ADrUFS-Xb6W1XMHjZI4VbdqtEwE>
Cc: draft-ietf-pim-rfc4601bis@ietf.org, Brian Haberman <brian@innovationslab.net>, pim-chairs@ietf.org, The IESG <iesg@ietf.org>, pim@ietf.org
Subject: Re: [pim] Stephen Farrell's Discuss on draft-ietf-pim-rfc4601bis-05: (with DISCUSS)

Hi, Spencer,

On 28/05/2015 9:21 AM, Spencer Dawkins at IETF wrote:
> Hi, Stephen,
>
> On Tue, May 26, 2015 at 9:59 AM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>> wrote:
>
>
>
>     On 26/05/15 15:29, Brian Haberman wrote:
>     > Hi Stephen,
>     >
>     > On 5/26/15 9:08 AM, Stephen Farrell wrote:
>     >> Stephen Farrell has entered the following ballot position for
>     >> draft-ietf-pim-rfc4601bis-05: Discuss
>     >>
>     >> When responding, please keep the subject line intact and reply
>     >> to all email addresses included in the To and CC lines. (Feel free
>     >> to cut this introductory paragraph, however.)
>     >>
>     >>
>     >> Please refer to
>     >> https://www.ietf.org/iesg/statement/discuss-criteria.html
>     >> for more information about IESG DISCUSS and COMMENT positions.
>     >>
>     >>
>     >> The document, along with other ballot positions, can be found here:
>     >> https://datatracker.ietf.org/doc/draft-ietf-pim-rfc4601bis/
>     >>
>     >>
>     >>
>     >>
>     >> ----------------------------------------------------------------------
>     >> DISCUSS:
>     >> ----------------------------------------------------------------------
>     >>
>     >>
>     >>
>     >> 4601 used IPsec AH for its MTI security. This removes that and
>     >> points at 5796 which defines how to use ESP for link local
>     >> addresses and with manual keying. That raises one technical
>     >> question and two icky process questions. The icky process
>     >> questions are probably best discussed between the IESG at least
>     >> initially in case we don't need to bother the authors/wg with
>     >> 'em.
>     >>
>     >> (1) I'd like to check that 5796 defines a way in which one can
>     >> secure all PIM messages that are defined here in 4601bis (should
>     >> one want to do that). If there are cases where PIM-SM can be
>     >> used and where there is no well defined security then I think
>     >> that would be a problem. And I think maybe there are such cases.
>     >> Am I wrong? If not, then how does one secure those?
>     >
>     > 5796 focuses on the link-local messages (i.e., directly-connected
>     > peers), but does say
>     >
>     >    Securing the unicast messages can be achieved by the use of a normal
>     >    unicast IPsec Security Association (SA) between the two communicants.
>     >
>     > The above refers to the set of PIM messages that are not sent as
>     > link-local.  My opinion is that this is sufficient given the uses of PIM
>     > as defined in 4601.
>
>     Hmm. So you're saying that the way to secure PIM-SM is to have a set
>     of unicast IPsec SAs that cover all of the routers in the MC group?
>     That seems a bit odd doesn't it?
>
No, it's a set of unicast IPsec SAs that cover all of the
_routers_closest_to_senders_ in the MC group.  For the cases where
multicast really makes a difference (i.e., few senders, many receivers)
this is likely to be a much smaller set.

  Bill
>
>
>     >> (2) Is it ok for an IS to depend on a PS for its MTI security
>     >> mechanism? (I think it is, but yeah, someone else might not.)
>     >
>     > I don't see why not.
>
>     I agree I think, but would like to check if that's an IESG opinion
>     or just you and me. (Can be done on the call.)
>
>
> We can talk about it on the call, but I'm agreeing with you and with
> Barry, as is Alvaro.
>
> Spencer
>  
>
>     >
>     >>
>     >> (3) Is it ok for an IS to not conform to BCP107? (I think it
>     >> depends, and I'm not sure in this case.)
>     >
>     > I am not sure how BCP 107 relates since it discusses Guidelines for
>     > Cryptographic Key Management and the crypto stuff is now referred to via
>     > 5796.
>
>     Abstract of 5796 says it only supports manual keying. BCP107 says
>     you have to define automated keying (with some exceptions into which
>     PIM-SM doesn't fit). Those do seem to be in conflict I think.
>
>     S.
>
>
>     >
>     > Regards,
>     > Brian
>     >
>

-- 
Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
Department of Computer Science
   and Software Engineering
Concordia University EV 3.185     email:william.atwood@concordia.ca
1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
Montreal, Quebec Canada H3G 1M8
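The point Bill makes above (unicast IPsec SAs are only needed between the routers closest to senders and the RP, not across the whole router set) can be made concrete with a small model. The following is an added example, not code from the thread or from any PIM implementation: it takes a constructed topology with a single RP, a few sender DRs and the router adjacencies, and counts the link-local SAs that RFC 5796 covers (directly connected neighbours) against the unicast SAs needed for the Register / Register-Stop exchange (one per distinct sender-DR/RP pair) and against a full router mesh. Topology, host placement and the assumption that a DR which is itself the RP needs no network SA are all constructed for the example.

```python
"""
Added example (not from the thread): a toy model of which IPsec SAs a
PIM-SM domain needs.

RFC 5796 covers the link-local PIM messages (Hello, Join/Prune, Assert)
with SAs between directly connected routers.  The messages that are not
link-local are the Register (source's DR -> RP) and Register-Stop
(RP -> DR); those need ordinary unicast SAs, and only between each
sender's DR and the RP, not between every pair of routers in the domain.
Everything below is constructed sample data.
"""
from itertools import combinations

# Constructed topology: router -> set of directly connected routers.
LINKS = {
    "rp": {"r1", "r2"},
    "r1": {"rp", "r3"},
    "r2": {"rp", "r4"},
    "r3": {"r1", "r5"},
    "r4": {"r2", "r6"},
    "r5": {"r3"},
    "r6": {"r4"},
}
RP = "rp"
# Designated router (first-hop router) for each host that sends traffic.
# Receivers hang off r4 and r6; they only send link-local Join/Prune.
SENDER_DR = {"host-a": "r5", "host-b": "r5", "host-c": "r3"}


def link_local_sas(links):
    """Unordered pairs of directly connected routers: the scope of the
    per-link SAs that RFC 5796 describes."""
    pairs = set()
    for a, nbrs in links.items():
        for b in nbrs:
            pairs.add(frozenset((a, b)))
    return pairs


def register_sas(sender_dr, rp):
    """Unicast SAs needed for Register / Register-Stop: one per distinct
    (sender's DR, RP) pair.  Model assumption: a DR that is the RP itself
    needs no SA on the wire."""
    return {frozenset((dr, rp)) for dr in set(sender_dr.values()) if dr != rp}


def full_mesh_sas(links):
    """What an SA between every pair of routers would cost, for comparison."""
    return {frozenset(p) for p in combinations(sorted(links), 2)}


def register_paths_covered(sender_dr, rp, sas):
    """True if every unicast Register path DR -> RP has an SA in `sas`."""
    return all(frozenset((dr, rp)) in sas
               for dr in sender_dr.values() if dr != rp)


if __name__ == "__main__":
    ll = link_local_sas(LINKS)
    reg = register_sas(SENDER_DR, RP)
    mesh = full_mesh_sas(LINKS)
    print(f"link-local SAs (RFC 5796 scope):    {len(ll)}")
    print(f"unicast SAs for Register/Reg-Stop:  {len(reg)} -> "
          f"{sorted(tuple(sorted(p)) for p in reg)}")
    print(f"full router mesh would need:        {len(mesh)}")
    print("link-local SAs alone cover Register paths:",
          register_paths_covered(SENDER_DR, RP, ll))
    print("DR<->RP SAs cover Register paths:",
          register_paths_covered(SENDER_DR, RP, reg))
```

With the sample topology the per-link SAs number six, the unicast SAs needed for Register traffic number two (r3 and r5 each to the RP), and a full mesh of the seven routers would need twenty-one; the last two checks show that the link-local SAs by themselves leave the Register paths uncovered, which is exactly the gap the unicast SAs fill.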