Re: [pim] pim-sm-v2-new-09 comments
Pekka Savola <pekkas@netcore.fi> Wed, 28 April 2004 12:01 UTC
Received: from optimus.ietf.org (iesg.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA09260 for <pim-archive@lists.ietf.org>; Wed, 28 Apr 2004 08:01:48 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BInN4-0007se-Eb; Wed, 28 Apr 2004 07:36:58 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BIkbc-0007M6-Qk for pim@optimus.ietf.org; Wed, 28 Apr 2004 04:39:48 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA01032 for <pim@ietf.org>; Wed, 28 Apr 2004 04:39:46 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BIkbX-0006VY-L4 for pim@ietf.org; Wed, 28 Apr 2004 04:39:43 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BIkab-0006Fl-00 for pim@ietf.org; Wed, 28 Apr 2004 04:38:47 -0400
Received: from netcore.fi ([193.94.160.1]) by ietf-mx with esmtp (Exim 4.12) id 1BIkZS-0005iQ-00 for pim@ietf.org; Wed, 28 Apr 2004 04:37:34 -0400
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id i3S8awr01608 for <pim@ietf.org>; Wed, 28 Apr 2004 11:36:58 +0300
Date: Wed, 28 Apr 2004 11:36:58 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: pim@ietf.org
Subject: Re: [pim] pim-sm-v2-new-09 comments
In-Reply-To: <Pine.LNX.4.44.0403241806070.32482-100000@netcore.fi>
Message-ID: <Pine.LNX.4.44.0404281136050.1597-100000@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by netcore.fi id i3S8awr01608
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: quoted-printable
Sender: pim-admin@ietf.org
Errors-To: pim-admin@ietf.org
X-BeenThere: pim@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pim>, <mailto:pim-request@ietf.org?subject=unsubscribe>
List-Id: Protocol Independent Multicast <pim.ietf.org>
List-Post: <mailto:pim@ietf.org>
List-Help: <mailto:pim-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pim>, <mailto:pim-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Hi, Another minor (but important) nit that I noticed: the document should say, in abstract/introduction, that is obsoletes RFC2362. On Wed, 24 Mar 2004, Pekka Savola wrote: > I already raised one specific issue, some others below... > > substantial > ----------- > > 1) I've raised this issue in the past, but I think it would be appropriate > to explicitly describe how PIM is run inter-domain at the protocol overview > section -- or just state that it's out of scope for this specification ?? > > 2) statement in 4.1.6, on page 25, says: > > RPF'(*,G) and RPF'(S,G) indicate the neighbor from which data packets > should be coming and to which joins should be sent on the RP tree and > SPT respectively. > > .. but based on on the security analysis draft, and comments made at MBONED > at IETF59, this is not correct. Data packets are checked only to come from > the _interface_ towards the neighbor, right? > > 3) there are slight inaccuracies with TTL/Hop Limit of the register > tunnell, like: > > Just like any forwarded packet, the TTL of the original data packet is > decremented after it is decapsulated from the Register Tunnel. > > ==> TTL is only decremented if the data packet is forwarded out of the box. > I.e., if the data packet was to be terminated at the router, it would not be > decremented. > > ==> the same applies to encapsulation to register tunnel. TTL is only > decremented if it was _forwarded_ to the register tunnel -- but not if it > was *originated* to the register tunnel (e.g., the router itself sending the > packet to a group). {section 4.10.3} > > 4) Is there any fundamental reason (broken implementations?) why you're > explicitly allowing invalid destination IP addresses, rather than the > multicast address, on a link: > > On unnumbered interfaces on point-to-point links, the router's address > should be the same as the source address it chose for the Hello message > it sent over that interface. However on point-to-point links we also > recommend that PIM Join/Prune messages with a destination address of all > zeros are also accepted. > > .. this seems strange to me... (same in other places..) > > 5) Section 4.7 on multicast border router behaviour describes the case > where PIM and non-PIM multicast domains should operate. However, section > 4.8 abuse this section to expand that to describe how the operation between > different PIM domains functions. The latter should be more clearly separate > from interworking with non-PIM protocols. > > 6) The issue raised in a separate mail about wildcard receivers, that is: > > o Another component of the PMBR is a wildcard receiver. In this case > the PIM-SM component of the PMBR must ensure that traffic from all > internal sources reaches the PMBR until it is informed otherwise. > > ... > > In the former case, the PMBR will need to send a Join(*,*,RP) to all the > RPs in the PIM-SM domain. This will cause all traffic in the domain to > reach the PMBR. The PMBR may then act as if it were a DR with directly > connected receivers, and trigger the transition to a shortest path tree > (see Section 4.2.1). > > ==> this presumes that PMBR is aware of all the transmissions in the > world(!!), and fails e.g. with SSM or Embedded-RP. As already mentioned, > this is a very dangerous capability DoS-wise as well. > > 7) Section 4.8 contains a technically unverifiable statement: > > Any RP address configured or learned MUST be a domain-wide reachable > address. > > .. the implementations have no way of ensuring this, so this sounds more > like an operational requirement. Maybe adequate health warnings should be > added, like: > > Note that in general, it is impossible to verify that the RP > address is in fact reachable, making this requirement practically > moot. > > 8) is the implementation of Address List option left to the discretion of > the implementor? I'd say it's a SHOULD at least, if not a MUST: > > Unknown options may be ignored. The "Holdtime" option MUST be > implemented; the "DR Priority" and "Generation ID" options SHOULD > be implemented. > > 9) Is there anything preventing the Prune Pending Timer to be shorter than > Join Pending time? AFAICS, the basics how these are formed are the same. > This would be highly disadvantageous if someone randomized the time for Join > Pending to be e.g. 1.0 seconds and Prune Pending to 0.8 seconds -- and state > would be removed before the Join would be sent? > > 10) Nowhere does it specify the reception rules for the packets sent, just > the rules which must be used for sending the packets. For example, if > someone sent you a PIM packet, over unicast, MUST it be discarded. These > should probably be formally specified. This stems from: > > 11) DoS descriptions in section 6.4 appear to be rather weak at this > point yet. I would refer informationally > to draft-savola-mboned-mroutesec-00.txt (soon > draft-ietf-mboned-mroutesec-00.txt), at least. > > These two attacks should probably be described a bit more. > > Additional one, described at the separate note, is the Multicast Border > attack: if you can associate yourself as a multicast border with a router, > you can make it send all groups in the Internet to you using a (single?) > message with a wildcard join. That must be spelled out unless the wildcard > join is removed from the spec. > > 12) references; > > [9] should probably be Informational; it is not critical in the text, and it > could create a blockage. [7] should probably also be Informational. [1] is > Informational and cannot be referred Normatively by PS; recommend moving to > info references, as it seems appropriate there. > > > 6.1.1. Forged link-local messages > > Join/Prune, Hello, and Assert messages are all sent to the link-local > ALL_PIM_ROUTERS multicast addresses, and thus are not forwarded by a > compliant router. A forged message of this type can only reach a LAN if > it was sent by a local host or if it was allowed onto the LAN by a > compromised or non-compliant router. > > > > semi-editorial > -------------- > PIM-SM routers need to know the address of the RP for each group for > which they have (*,G) state. This address is obtained either through a > bootstrap mechanism or through static configuration. > > ==> replace add "automatically, " before "bootstrap" (embedded-RP case) > > o Last RPF Neighbor towards RP that was used > > ==> this may be more than just an editorial issue, but would this be better > stated: "Last RPF Neighbor that was used towards RP" ? (same in many other > places.) > > void > CheckSwitchToSpt(S,G) { > if ( ( pim_include(*,G) (-) pim_exclude(S,G) > (+) pim_include(S,G) != NULL ) > AND SwitchToSptDesired(S,G) ) { > restart KeepaliveTimer(S,G); > } > } > > ==> you just indicate the desire for switchover, but do not actually > initiate the switchover (here or in the definition of switchover) ? > > neighbor.dr_priority > The DR Priority field of the PIM neighbor if it is present in > the Hello message. > > ==> and otherwise, if it is not present, dr_priority is ....? It must be > initialized to something, I guess.. > > for each neighbor on interface I { > if ( neighbor.lan_delay > delay ) { > delay = neighbor.lan_delay > } > } > > ==> you should probably clarify, (actually earlier but this is an example of > this), that the router must keep its own values on record as well .. > essentially considering it as a neighbor as well on all of its interfaces, > right? > > Within one Address List Hello option, all the addresses MUST be of the > same address family. It is not permitted to mix IPv4 and IPv6 addresses > within the same message. In addition, the address family of the fields > in the message SHOULD be the same as the IP source and destination > addresses of the packet header. > > ==> would it make sense to say how exactly this is to be verified (i.e., > going through encoded-unicast formatting) > > +-----------++----------------------------------------------------------- > | || Event > | ++-----------+------------+------------+------------+-------- > |Prev State ||Register- | Could | Could | Register- | RP chan > | ||Stop Timer | Register | Register | Stop | > | ||expires | ->True | ->False | received | > +-----------++-----------+------------+------------+------------+-------- > > ==> many tables go beyond the RFC-editor limit 72 lines. This is one of the > more important ID-nits, esp. for tables as they could be difficult to > compress. Could this be fixed easily? > > Subtracting off Register_Probe_Time is a bit unnecessary because it > is really small compared to Register_Suppression_Time, but was in > > ==> that could end up as negative as well if you right the timers -- what > would you do then? :) > > TU. The encapsulating DR may perform Path-MTU Discovery to the > RP to determine the effective MTU of the tunnel. This smaller MTU takes > both the outer IP header and the PIM register header overhead into > account. > > ==> s/Path-MTU/Path MTU/ for consistency? > ==> s/This smaller MTU takes/The assigned smaller MTU should take/ > (that is, just doing PMTUD does not give you the smaller MTU -- you have to > subtract the header lengths from that as well...) > > In IPv6, the DR MUST perform Path-MTU discovery, and an ICMP > Fragmentation Required message MUST be sent by the encapsulating DR if > > ==> s/Fragmentation Required/Packet Too Big/ > ==> you could maybe add informative refs to PMTUD spec here as well -- the > same would apply to the bit about copying ECN w/ tunnels. > > (sect 4.5.7, sending S,G J/P) > Finally, > if it sees the Generation ID of its upstream neighbor change, it knows > that the upstream neighbor has lost state, and it should refresh the > state by scheduling a Join(S,G) to be sent almost immediately. > > ==> why is this only discussed here -- this appears to be a more generic > even, which should triggger sending Joins for *all* groups or S,G pairs > immediately? > > MRIB.pref(X) and MRIB.metric(X) are the routing preference and routing > metrics associated with the route to a particular (unicast) destination > X > > ==> is it clear enough which specific preferences and metrics you're talking > about .. now that many implementations provide so many of them? > > This specification does not mandate the use of a single mechanism to > provide routers with the information to perform the group-to-RP mapping. > Currently three mechanisms are possible, and all three have associated > problems: > > Static Configuration > [...] > > ==> make that "at least three mechanisms", or just include Embedded-RP here, > with an informational reference. > > 4.9. Source-Specific Multicast > > The Source-Specific Multicast (SSM) service model [6] can be implemented > with a strict subset of the PIM-SM protocol mechanisms. Both regular IP > Multicast and SSM semantics can coexist on a single router and both can > be implemented using the PIM-SM protocol. A range of multicast > addresses, currently 232.0.0.0/8 in IPv4, is reserved for SSM > > ==> worth spelling out the equivalent in IPv6 as well? > > If the packet's length is > not an integral number of 16-bit words, the packet is padded with a > trailing byte of zero before performing the checksum. > > ==> this was under the IPv6 checksum part. If this isn't IPv6 specific, > separate as a paragraph of it's own. > > 11. Index > > ==> add the IPR and copyright sections. > > > > > > > > > > > > > editorial > --------- > > This document is a product of the IETF PIM WG. Comments should be > addressed to the authors, or the WG's mailing list at > pim@catarina.usc.edu. > > ==> the m-l is now pim@ietf.org > > Designated Router (DR): > A shared-media LAN like Ethernet may have multiple PIM-SM routers > connected to it. If the LAN has directly connected hosts, then a > single one of these routers, the DR, will act on behalf of those > hosts with respect to the PIM-SM protocol. > > ==> "If the LAN.." is not accurate, because this happens irrespective of > whether there are hosts on the LAN or not. Maybe like: > > "A single one of these routers, the DR, will act on behalf of directly > connected hosts with respect to the PIM-SM protocol." > > (the same in section 4.3) > > ..... > > MRIB Multicast Routing Information Base. This is the multicast > topology table, which is typically derived from the unicast > routing table, or routing protocols such as MBGP that carry > multicast-specific topology information. In PIM-SM, the MRIB is > used to decide where to send Join/Prune messages. > > ==> MRIB is used for other purposes as well, mainly, where to expect to > receive such messages, right? > > In phase one, a multicast receiver expresses its interest in receiving > traffic destined for a multicast group. Typically it does this using > IGMP [5] or MLD [3], but other mechanisms might also serve this purpose. > One of the receiver's local routers is elected as the Designated Router > (DR) for that subnet. > > ==> s/is elected/has been elected/ (this happens before anyone expressing > interest) > > The (*,G) Join travels > hop-by-hop towards the RP for the group, and in each router it passes > through, multicast tree state for group G is instantiated. > > ==> wouldn't "initialized" be better than "instantiated". Anyway.. works > for me (this happens a lot elsewhere as well..) > > o Traveling all the way to the RP, and then back down the shared tree > may entail the packets traveling a relatively long distance to reach > receivers that are close to the sender. For some applications, this > increased latency is undesirable. > > ==> s/latency/latency or bandwidth consumption/ ? > > While the RP is in the process of joining the source-specific tree for > S, the data packets will continue being encapsulated to the RP. > > ==> s/being/to be/ > > To obtain lower latencies, a router on the receiver's LAN, typically the > DR, may optionally initiate a transfer from the shared tree to a source- > specific shortest-path tree (SPT). > > ==> s/latencies/latencies or more efficient bandwidth consumption/ > > At this point the receiver (or a router upstream of the receiver) will > be receiving two copies of the data > > ==> s/receiver/receiver's DR/ ? (and/or remove the thing in ()'s) > > Multi-access Transit LANs > > The overview so far has concerned itself with point-to-point links. > > ==> s/links/transit links/ > > o Neighbor's Gen ID. > > ==> consistency: some places say "GenID", some others "Gen ID" or > "Generation ID". > > The SPTbit is used to indicate whether forwarding is taking place on the > > ==> consistency: some places say "SPTbit", others "SPT bit". make it > uniform. > > The primary IP address of a neighbor is the link-local > address that it uses as the source of its PIM Hello messages. > > ==> as these statements are generic, maybe do a lot of > s/link-local/(link-local)/ so it applies better to both v4 and v6. > > pim_include(*,G) = > { all interfaces I such that: > ( ( I_am_DR( I ) AND lost_assert(*,G,I) == FALSE ) > OR AssertWinner(*,G,I) == me ) > AND local_receiver_include(*,G,I) } > > ==> note that nowhere you seem to be defining "AssertWinner(x,x,x)" even > though that's rather straightforward. > > 4.2.1. Last-hop switchover to the SPT > > ==> s/switchover/Switchover/ (similar elsewhere as applicable) > > PIM-Hello messages are sent periodically on each PIM-enabled interface. > > ==> in some places it's "PIM-Hello", in others "PIM Hello". Make it > consistent. > > 4.3.4. Maintaining Secondary Address Lists > > Communication of a routers interface secondary addresses to its PIM > neighbors is necessary to provide the neighbors with a mechanism for > > ==> s/routers/router's/ > > if( I_am_RP(G) AND outer.dst == RP(G) ) { > bool sentRegisterStop = FALSE; > > ==> remove "bool" -- typically the variables don't have the type in the > pseudocode in this spec (same applies elsewhere as well) > > message SHOULD be discarded without further processing. In addition, if > the Hello message from a neighbor was authenticated using IPsec AH (see > Section 6.3) then all Join/Prune messages from that neighbor MUST also > > ==> s/AH/Authentication Header (AH)/ > > Join (J) > The interface has (*,*,RP) Join state which will cause us to > forward packets destined for any group handled by RP from this > interface except if there is also (S,G,rpt) prune information > (see Section 4.5.4) or the router lost an assert on this > interface. > > ==> cause "us" -- what's us? reword..? > > 4.7. PIM Multicast Border Router Behavior > > In some cases PIM-SM domains will interconnect with non-PIM domains. > > ==> s/non-PIM/non-PIM multicast/ > > 3ffe:b00:c18:1::10 would be computed as 0x3ffe0b00 ^ 0x0c180001 ^ > 0x00000000 ^ 0x00000010, where ^ represents the exclusive-or > operation. > > ==> use 2001:db8::/32 in the examples, please. > > The following rules override the normal PIM-SM behavior for a multicast > address G in the SSM reserved range: > > ==> remove "reserved" > > PIM messages are either unicast (e.g. Registers and Register-Stop), or > multicast with TTL 1 to the LL-PIM-ROUTERS' group (e.g. Join/Prune, > Asserts, etc.). The source address used for unicast messages is a > domain-wide reachable address; the source address used for multicast > messages is the link-local address of the interface on which the message > is being sent. > > ==> s/link-local/(link-local) primary/ ? > > The IPv4 LL-PIM-ROUTERS' group is à.0.0.13'. The IPv6 LL-PIM- > ROUTERS' group is f02::d'. > > 0 1 2 3 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > |PIM Ver| Type | Reserved | Checksum | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > ==> add a prelude before the bit diagram, like "PIM header common to all > messages is:" > > 0 1 2 3 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | Type = 1 | Length = 2 | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | Holdtime | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > ==> s/Holdtime/Holdtime / > > OptionTypes 17 thru 65000 are assigned by the IANA. OptionTypes > 65001 through 65535 are reserved for Private Use, as defined in > [10]. > Unknown options may be ignored. The "Holdtime" option MUST be > implemented; the "DR Priority" and "Generation ID" options SHOULD > > ==> add a return after "[10]." > > 4.10.5. Join/Prune Message Format > > ==> please cut down the format by a few lines; it gets cut into two pages by > one line already, and it would be very nice if it fit in the same page > with the preamble of 4.10.5. > > Values 128 through 250 are designated to be assigned by the IANA > based upon IESG Approval, as defined in [10]. > > ==> s/assigned/assigned for PIM/ ? (at least so I think it said earlier in > the spec..) > > Similarly, a Designated > Router SHOULD NOT accept a Register-Stop packet whose IP source address > is not a valid RP address for the local domain. > > ==> s/for the local domain/as given by the group-to-RP mapping/ > > multicast messages is addressed (one such proposal is [9] ), the anti- > > ==> s/] /]/ > > > > -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings _______________________________________________ pim mailing list pim@ietf.org https://www1.ietf.org/mailman/listinfo/pim
- [pim] pim-sm-v2-new-09 comments Pekka Savola
- Re: [pim] pim-sm-v2-new-09 comments Pekka Savola