Re: [secdir] secdir review of draft-ietf-6man-multicast-scopes-05
Brian Haberman <brian@innovationslab.net> Tue, 10 June 2014 12:20 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B04891A007F; Tue, 10 Jun 2014 05:20:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aFzVmjJ28Z1m; Tue, 10 Jun 2014 05:20:27 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE7851A009C; Tue, 10 Jun 2014 05:20:13 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 96B37880E2; Tue, 10 Jun 2014 05:20:13 -0700 (PDT)
Received: from clemson.local (nat-gwifi.jhuapl.edu [128.244.87.132]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 1B3C113680F2; Tue, 10 Jun 2014 05:20:13 -0700 (PDT)
Message-ID: <5396F7F4.8030507@innovationslab.net>
Date: Tue, 10 Jun 2014 08:20:04 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Tom Yu <tlyu@MIT.EDU>
References: <ldvlht7weh2.fsf@sarnath.mit.edu> <5395A8D9.2070006@innovationslab.net> <ldvwqcpv1cd.fsf@sarnath.mit.edu>
In-Reply-To: <ldvwqcpv1cd.fsf@sarnath.mit.edu>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="7Tw40QAwjFRh8e9vGB5126agqtiW048gL"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/eDbQCgsK6SrZChHk648fFsnaDCI
Cc: iesg@ietf.org, draft-ietf-6man-multicast-scopes.all@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-6man-multicast-scopes-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2014 12:20:31 -0000
Hi Tom, On 6/10/14 12:24 AM, Tom Yu wrote: > Brian Haberman <brian@innovationslab.net> writes: > >> I do think that the rules in RFC 4007 adequately cover the boundary >> handling for realm-scoped multicast addresses. The general rule defined >> in 4007 is that a multicast packet is forwarded if there is forwarding >> state and a scope boundary is configured on the router that is equal to >> or greater than the scope contained in the multicast packet. > > I'm not sure I see where that behavior is defined in RFC 4007, but > perhaps I lack context or am misreading something. What happens when a > router receives a packet destined for an address having scope=3, but the > router doesn't have an explicitly-configured zone boundary for that > scope and also doesn't understand realm-local scope? Would it drop the > packet (no routing information for the unconfigured zone of scope=3) or > restrict it to the largest zone of lower scope (protect inter-zone > integrity)? I think the context needed is in the second list in section 5 of 4007. If a router does not have a boundary instantiated for scope=3 *or larger*, the packet would be forwarded if forwarding state exists for the multicast address. If no forwarding state exists for that address or a boundary exists for scope>=3, the packet is dropped. > > Wouldn't forwarding that packet within a larger zone and scope cause the > packet to possibly leave its intended zone, where its destination > address might have a meaning unintended by the sender? > There are two rules in 4007 that cover this... o Zones of the same scope cannot overlap; i.e., they can have no links or interfaces in common. o A zone of a given scope (less than global) falls completely within zones of larger scope. That is, a smaller scope zone cannot include more topology than would any larger scope zone with which it shares any links or interfaces. Regards, Brian