Re: [ssm] what to say about scoping for v6 [was ...last call...]

Hugh Holbrook wrote:
>>Date: Wed, 12 Mar 2003 21:41:27 +0200 (EET)
>>From: Pekka Savola <pekkas@netcore.fi>
>>Cc: Brian Haberman <bkhabs@nc.rr.com>, <ssm@ietf.org>
>>
>>On Wed, 12 Mar 2003, Hugh Holbrook wrote:
>>
>>>>One should note that the use of IPv6 scoped addresses either in S or G may
>>>>cause significant complexities, for example regarding mismatching scopes
>>>>between S and G or regarding forwarding decisions for a scoped (S,G).  
>>>>The implications of scoped addresses are described in other documents
>>>>[REF:SCOPED-ARCH]
>>>
>>>Isn't the scoping behavior simply that the most restrictive (smallest)
>>>scope applies.  A packet is forwarded neither across a source-scope
>>>boundary nor across a destination-scope boundary.  Unless I'm missing
>>>something, this actually sounds rather uncomplicated to me.  Is there
>>>something that makes this tricky?
>>
>>At the moment, in practise (=implementation), everything related to
>>scoping is *undefined*, it seems to me.
>>
>>How your SSM-enabled router will/would react now, or in 1-2 years is a 
>>complete question mark.
> 
> 
> Perhaps I'm not creative enough, but I can't imagine any
> implementation of scoped addresses that would not apply scope limits
> to both the source and destination.
> 

Neither can I.  In fact, that is one of the items in the scoped
addressing architecture that everyone agrees on.  Both S & G have
to be checked when a scoped boundary is encountered.

> 
>>>Is there something about this that makes it a Security Considerations
>>>issue?
>>
>>Yes, but only slightly: if people use e.g. site-local addresses as a
>>security measure, and use SSM with like (<site-local>, global-scope-SSM)  
>>-- for whatever reason, e.g. the use of the same application (and
>>subsequent G) both site-locally and globally, the forwarding of such
>>multicasts might *NOT* be limited to your site-local S scope.  This is an
>>uncertainty as the implementation is unclear.
> 
> 
> I don't dispute that implementations are not complete, but I can't see
> how the IETF could endorse a scheme in which a join for a site-local
> address S would allowed to be routed through a scoped boundary for S.
> S refers to two totally diferent hosts on the two sides of the scope
> boundary, so it's like sending the join to the wrong host.
> 

I agree that would be dangerous.  The situation is a little muddled
though, in that the PIM protocol would have to do checking of S &
G within the PIM Join/Prune messages.  Of course, the actual
routing protocols will have to do the same too.  So, it seems that
the scenario is already covered and is much larger than SSM.

> In fact, I would be ok with putting in text saying that for SSM joins
> and data, the scope boundaries MUST be applied to the source address
> in addition to the destination address.
> 

That is what the scoped addressing architecture already says.
Do we need to repeat it?

> 
>>On the hindsight, the text I proposed above seems better fit to some other 
>>section, and something different might be more applicable to security 
>>considerations, like:
>>
>>  Note that when forwarding or processing SSM, the scope of both S and G 
>>  may have to be considered [SCOPED-ARCH]; in particular, if the unicast 
>>  scope of S is smaller than respective multicast scope of G, the packets 
>>  might end up forwarded outside of the scope of S.  Therefore, limited 
> 
> 
> I would prefer not to say this because I think it is not likely to
> ever be allowed.  I'd be happy saying just that "scopes should not be
> used as a security mechanism..."  and leaving it at that.  I think
> it's overkill to say that limited scope addresses must be avoided with
> SSM, because I think they work fine as long as boundaries are applied
> to the source as well.
> 

I agree with Hugh on this point.

Brian

_______________________________________________
ssm mailing list
ssm@ietf.org
https://www1.ietf.org/mailman/listinfo/ssm