IETF Logo Mail Archive

Re: [pim] Stephen Farrell's Discuss on draft-ietf-pim-rfc4601bis-05: (with DISCUSS)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 26 May 2015 14:59 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: pim@ietfa.amsl.com
Delivered-To: pim@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E81E21A0171; Tue, 26 May 2015 07:59:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DCvtGYiPvgxo; Tue, 26 May 2015 07:59:44 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84C031A00DB; Tue, 26 May 2015 07:59:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0E7B2BED6; Tue, 26 May 2015 15:59:42 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0zvuVphjY3qw; Tue, 26 May 2015 15:59:40 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.42.20.233]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 5451CBED7; Tue, 26 May 2015 15:59:38 +0100 (IST)
Message-ID: <55648A58.30002@cs.tcd.ie>
Date: Tue, 26 May 2015 15:59:36 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Brian Haberman <brian@innovationslab.net>, The IESG <iesg@ietf.org>
References: <20150526130833.24322.71081.idtracker@ietfa.amsl.com> <5564833F.6060004@innovationslab.net>
In-Reply-To: <5564833F.6060004@innovationslab.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="T2CdKerNRV3Svm7hmkCf1FjfUON5xF3iV"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pim/mR-podWsaXMHstFoWgi18QHWcMA>
Cc: draft-ietf-pim-rfc4601bis@ietf.org, pim-chairs@ietf.org, pim@ietf.org
Subject: Re: [pim] Stephen Farrell's Discuss on draft-ietf-pim-rfc4601bis-05: (with DISCUSS)
X-BeenThere: pim@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Protocol Independent Multicast <pim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pim>, <mailto:pim-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pim/>
List-Post: <mailto:pim@ietf.org>
List-Help: <mailto:pim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pim>, <mailto:pim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 14:59:47 -0000


On 26/05/15 15:29, Brian Haberman wrote:
> Hi Stephen,
> 
> On 5/26/15 9:08 AM, Stephen Farrell wrote:
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-pim-rfc4601bis-05: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-pim-rfc4601bis/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>>
>>
>> 4601 used IPsec AH for it's MTI security. This removes that and
>> points at 5796 which defines how to use ESP for link local
>> addresses and with manual keying. That raises one technical
>> question and two ickky process questions. The ickky process
>> questions are probably best discussed between the IESG at least
>> initially in case we don't need to bother the authors/wg with
>> 'em.
>>
>> (1) I'd like to check that 5796 defines a way in which one can
>> secure all PIM messages that are defined here in 4601bis (should
>> one want to do that). If there are cases where PIM-SM can be
>> used and where there is no well defined security then I think
>> that would be a problem. And I think maybe there are such cases.
>> Am I wrong? If not, then how does one secure those?
> 
> 5796 focuses on the link-local messages (i.e., directly-connected
> peers), but does say
> 
>    Securing the unicast messages can be achieved by the use of a normal
>    unicast IPsec Security Association (SA) between the two communicants.
> 
> The above refers to the set of PIM messages that are not sent as
> link-local.  My opinion is that this is sufficient given the uses of PIM
> as defined in 4601.

Hmm. So you're saying that the way to secure PIM-SM is to have a set
of unicast IPsec SAs that cover all of the routers in the MC group?
That seems a bit odd doesn't it?

>> (2) Is it ok for an IS to depend on a PS for it's MTI security
>> mechanism? (I think it is, but yeah, someone else might not.) 
> 
> I don't see why not.

I agree I think, but would like to check if that's an IESG opinion
or just you and me. (Can be done on the call.)

> 
>>
>> (3) Is it ok for an IS to not conform to BCP107? (I think it
>> depends, and I'm not sure in this case.)
> 
> I am not sure how BCP 107 relates since it discusses Guidelines for
> Cryptographic Key Management and the crypto stuff is now referred to via
> 5796.

Abstract of 5796 says it only supports manual keying. BCP107 says
you have to define automated keying (with some exceptions into which
PIM-SM doesn't fit). Those do seem to be in conflict I think.

S.


> 
> Regards,
> Brian
>

v2.23.0 | Report a Bug | By Email