Re: [ssm] Document Action: An Overview of Source-Specific Multicast(SSM) Deployment to Informational
Toerless Eckert <eckert@cisco.com> Tue, 10 June 2003 14:45 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA03604 for <ssm-archive@lists.ietf.org>; Tue, 10 Jun 2003 10:45:28 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5AEifB28473; Tue, 10 Jun 2003 10:44:41 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5AEeXB28269 for <ssm@optimus.ietf.org>; Tue, 10 Jun 2003 10:40:33 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA03493 for <ssm@ietf.org>; Tue, 10 Jun 2003 10:40:27 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19PkGX-0006zz-00 for ssm@ietf.org; Tue, 10 Jun 2003 10:38:25 -0400
Received: from sj-core-2.cisco.com ([171.71.177.254]) by ietf-mx with esmtp (Exim 4.12) id 19PkGW-0006zw-00 for ssm@ietf.org; Tue, 10 Jun 2003 10:38:25 -0400
Received: from cisco.com (cypher.cisco.com [171.69.11.143]) by sj-core-2.cisco.com (8.12.9/8.12.6) with ESMTP id h5AEdtCL028271; Tue, 10 Jun 2003 07:39:55 -0700 (PDT)
Received: (from eckert@localhost) by cisco.com (8.8.8/2.6/Cisco List Logging/8.8.8) id HAA07613; Tue, 10 Jun 2003 07:39:55 -0700 (PDT)
Date: Tue, 10 Jun 2003 07:39:54 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Jon Zeeff <jzeeff@internet2.edu>
Cc: Toerless Eckert <eckert@cisco.com>, Bill Fenner <fenner@research.att.com>, ssm@ietf.org
Subject: Re: [ssm] Document Action: An Overview of Source-Specific Multicast(SSM) Deployment to Informational
Message-ID: <20030610143954.GK23388@cypher.cisco.com>
References: <5.1.0.14.2.20030606144813.01d03370@mail.internet2.edu> <200306040550.h545oaD08547@windsor.research.att.com> <5.1.0.14.2.20030606144813.01d03370@mail.internet2.edu> <5.1.0.14.2.20030610085539.023c1740@mail.internet2.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5.1.0.14.2.20030610085539.023c1740@mail.internet2.edu>
User-Agent: Mutt/1.4i
Sender: ssm-admin@ietf.org
Errors-To: ssm-admin@ietf.org
X-BeenThere: ssm@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ssm>, <mailto:ssm-request@ietf.org?subject=unsubscribe>
List-Id: Source-Specific Multicast <ssm.ietf.org>
List-Post: <mailto:ssm@ietf.org>
List-Help: <mailto:ssm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ssm>, <mailto:ssm-request@ietf.org?subject=subscribe>
On Tue, Jun 10, 2003 at 09:04:52AM -0400, Jon Zeeff wrote: > > > >From my experience, windows XP does send IGMPv2 reports if it sees IGMPv2 > >queries. > >It MUST do this according to the IGMPv3 spec. > > So if I do manage to get my LAN completely IGMPv3 capable and thus allow > the use of SSM, all it takes is one person > plugging in a machine running IGMPv2 and SSM breaks. This probably means > that SSM is unimplementable except > in some special cases (example: one host per vlan). While i completely agree that IGMPv3 sucks if all you want is SSM mainly because it's is some orders of magnitue unnecessarily too complex for that purpose. The actuall attack scenarios can all be solved: The real issue is in the presence of older routers sending IGMPv1 or IGMPv2 queries because they cause a host to (MUST) fall back to IGMPv1/v2 reports, whereas other hosts IGMPv1/v2 reports MAY just cause this (unlikely given that it makes a host implementation much more complex). So, there is definitely a conflict of interest between SSM and backward compatbility in IGMPv3: You do not want to have an older router on a network in which you wan to run SSM. Now, for all i care, everything RFC3376 says only applies to legally present entities in a network, eg: Just because RFC3376 demands properties from implementations does not imply uncontrolled deployment. RFC3376 itself will not ensure complete protection against DoS attacks by unwanted IGMPv1/IGMPv2 group queries, - rather the opposite -, but in most deployments you can quite well ensure such protection. The magic formula is quite simple: Put an intelligent layer2 switch into the network and connect only one host (or one set of hosts in a common trust domain) per switched L2 port and solve access control and DoS protection on the switch. That actually is the most common wired ethernet deployment today and IGMPv2 queries aren't the only DoS reason why such deployments are typically considered necessary to guarantee protection in an even moderately friendly environment. Heck, if you go into potentially hostile deployments, you even see stronger efforts of L2 protection, and those have been put into place for much more fundamental L2 issues than just what we're talking about here (see for example private VLANs on Cisco Catalyst switches - and likely similar technologies in other vendor products). Do all L2 switches provide for good protection against unwanted IGMPv2 queries - heck, no, but most of them could via simple software updates: Unless security is strongly being taken care of by the IETF protocol process, it is left up to vendors and actual customer demand. Talk to your vendor of choice ;-) Sure, it would have been nicer if the whole IGMPv3 spec process would have been revisited much harder in the face of IGMPv3 requirements - we tried, but we clearly reached a wall there given the long time in the process that was spend without thinking about SSM already. > >So, as far as easy gradual migration to SSM with DoS attack prevention is > >concerned, this has almost completely been ignored by the IETF process. > > I see similar lack of concern about real world security in wireless routing > protocols (and DHCP and IPv6 and PIM and ...). Well, it's as simple as this: IGMPv3 was NOT MADE for SSM, so it's a bit hart to shift the blame onto it completely. Once there is sufficient interest in SSM and people come to realize that SSM alone is sufficient in many cases on hosts, one could make much stronger statements about an SSM subset (and extensions) of IGMPv3 implementations in hosts: subset: - Ignore all IGMPv1/v2 queries - Don't implent any exclude mode reports extension: - trigger unsolicited IS_INCLUDE mode reports after 60 seconds without a query. Makes a really simple & safe SSM only implementation, and is completely compatible with IGMPv3 routers. But as long as the host needs to support both ASM _and_ SSM, it is really hard to strip down the complexity: Even that part of "which group is SSM, which is ASM" is contentuous. I for once am a strong proponent of using SSM also within 239/8 because of admin scoping, so how does a host determine wether a group is SSM or not ? MSNIP SSM range ? Well, that's another requirement for a host stack, and if i look at how long it takes for new requirements to be implemented into host stack *oh well*... Cheers Toerless _______________________________________________ ssm mailing list ssm@ietf.org https://www1.ietf.org/mailman/listinfo/ssm
- [ssm] Document Action: An Overview of Source-Spec… Bill Fenner
- Re: [ssm] Document Action: An Overview of Source-… Jon Zeeff
- Re: [ssm] Document Action: An Overview of Source-… Toerless Eckert
- Re: [ssm] Document Action: An Overview of Source-… Jon Zeeff
- Re: [ssm] Document Action: An Overview of Source-… Hitoshi Asaeda
- Re: [ssm] Document Action: An Overview of Source-… Toerless Eckert
- Re: [ssm] Document Action: An Overview of Source-… Toerless Eckert
- Re: [ssm] Document Action: An Overview of Source-… Hitoshi Asaeda
- Re: [ssm] Document Action: An Overview of Source-… Toerless Eckert
- Re: [ssm] Document Action: An Overview of Source-… Hitoshi Asaeda
- Re: Re: [ssm] Document Action: An Overview of Sou… Hugh Holbrook
- Re: [ssm] Document Action: An Overview of Source-… Hitoshi Asaeda
- Re: [ssm] Document Action: An Overview of Source-… Jean-Jacques Pansiot