[pim] Re: Comment: PIm Sparse Mode to Proposed
Pekka Savola <pekkas@netcore.fi> Thu, 27 October 2005 19:57 UTC
Date: Thu, 27 Oct 2005 22:57:20 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: Sam Hartman <hartmans-ietf@mit.edu>
In-Reply-To: <20051027151919.1FBE9E0038@carter-zimmerman.mit.edu>
Message-ID: <Pine.LNX.4.64.0510272246050.28356@netcore.fi>
References: <20051027151919.1FBE9E0038@carter-zimmerman.mit.edu>
Cc: iesg@ietf.org, pim@ietf.org, ietf@ietf.org
Subject: [pim] Re: Comment: PIm Sparse Mode to Proposed
I'll add Cc: to PIM wg.

On Thu, 27 Oct 2005, Sam Hartman wrote:
> This comment is not a discuss, but I am certainly not thrilled with
> the current situation. This document does not define a mandatory to
> implement security mechanism. It does tell network administrators how
> to use IPsec to secure PIM.
...
> So I'm not going to block this document. However we must do better in
> the future. The primary purpose of this comment is to say that I'm
> not happy with this direction and that the fact that this document
> passes IESG review may not be used as a justification that future work
> should be allowed through.

In my opinion, there seem to be two main classes of PIM vulnerabilities:

1) those relating to multicast routing infrastructures (between routers); these have been described in:

   draft-ietf-mboned-mroutesec-04.txt (in rfc-ed queue, waiting for the pim spec)

2) those relating to the interaction of users/apps and multicast routing infrastructures; these have been described in an (expired) draft:

   http://netcore.fi/pekkas/ietf/draft-savola-pim-lasthop-threats-01.txt

   (this has been presented and discussed in PIM WG, with the decision to wait and see until the PIM spec is reviewed/approved by the IESG).

While there is no clear, easy-to-use, robust security mechanism for 1), one has been described for 2) in those scenarios where there is only one multicast router on the LAN.

...

I hope this clarifies what I believe is the PIM protocol threat "landscape", while the mitigation mechanisms may not be sufficient in all the cases.

Unfortunately, it seems neither of these drafts is referred to in the PIM spec.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings