Re: Re: [ssm] SSM with IPSec
Hugh Holbrook <holbrook@cisco.com> Wed, 15 January 2003 16:58 UTC
From: Hugh Holbrook <holbrook@cisco.com>
To: Brad Huntting <huntting@glarp.com>
Cc: holbrook@cisco.com, ssm@ietf.org, mbaugher@cisco.com, bew@cisco.com
In-reply-to: <200301151557.h0FFv5Lq041831@hunkular.glarp.com>
Subject: Re: Re: [ssm] SSM with IPSec
Reply-To: holbrook@cisco.com
Message-Id: <20030115164822.6B2EF10B7A7@holbrook-laptop.cisco.com>
Date: Wed, 15 Jan 2003 11:48:22 -0500

I agree with you, and I didn't mean to imply that this was an SSM-only problem. NTP is a good example of an ASM app that has the same problem.

The fact that this problem occurs with ASM is a complicating factor in determining the right solution (which is a major reason that I don't want to tackle it in SSM). I think it would be relatively easy to specify IPSec modifications to fix the SSM problem. But to solve the ASM problem you have to do source-based SAD lookups in some cases for ASM addresses. There are some design choices to consider in how to specify the SAD lookups and some backwards compatibility issues that need to be worked out to solve the ASM problem, or so I am told.

Given that the tricky issues arise mostly from ASM and that msec has the ipsec expertise and the charter, I think it makes sense to solve this in msec rather than in ssm. Sounds like you agree with that anyway.

I'll find out where msec is at in terms of solving this problem and report back.

-Hugh

> Cc: ssm@ietf.org, mbaugher@cisco.com, bew@cisco.com
> Date: Wed, 15 Jan 2003 08:57:05 -0700
> From: Brad Huntting <huntting@glarp.com>
>
>
> > The solution that I most like is fairly easy to state: require the
> > source address to be part of the SA lookup when the destination
> > address is an SSM address. Mark and Brian inform me that the msec
> > working group is looking at solving the problem this way.
>
> What if the destination address is not in the SSM range? For
> example: A host wishes to receive NTP (network time protocol)
> multicast traffic (destination address 224.0.1.1) from three specific
> hosts that it trusts (whether PIM-SSM can honor this request
> efficiently is, I think, a separate issue). I assume there is no
> global group `owner' for this well known address 224.0.1.1, so the
> SA for this traffic would, I suspect, need to be indexed by source
> and destination just like SSM.
>
> One could easily imagine similar situations for other group addresses.
> However, as you pointed out, it's probably not necessary that the
> SSM group solve this problem; at least not right away.
>
>
> brad
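
The lookup rules discussed in this message, as an added example that is not part of the original thread or of any IPsec implementation. It assumes an RFC 2401-style SAD keyed on (destination, SPI, protocol), the IPv4 SSM block 232.0.0.0/8, senders that pick SPIs independently, and a hypothetical per-group list for ASM addresses such as 224.0.1.1; all addresses and SPIs are constructed.

```python
import ipaddress

ESP = 50
SSM_V4 = ipaddress.ip_network("232.0.0.0/8")  # IPv4 SSM block (assumption, not stated in the thread)

class SAD:
    """Toy security association database; keyed_by_source(dst) selects the lookup rule."""

    def __init__(self, keyed_by_source):
        self.keyed_by_source = keyed_by_source
        self.entries = {}

    def _key(self, src, dst, spi, proto):
        if self.keyed_by_source(ipaddress.ip_address(dst)):
            return (src, dst, spi, proto)      # source-based lookup
        return (dst, spi, proto)               # destination-only lookup

    def install(self, src, dst, spi, name, proto=ESP):
        """Return True if installed, False if the key is already taken by another SA."""
        key = self._key(src, dst, spi, proto)
        if key in self.entries:
            return False
        self.entries[key] = name
        return True

    def lookup(self, src, dst, spi, proto=ESP):
        return self.entries.get(self._key(src, dst, spi, proto))

# Three lookup rules: destination only, source added for SSM destinations,
# and source added for SSM plus locally listed ASM groups (hypothetical knob).
def dest_only(dst): return False
def ssm_only(dst): return dst in SSM_V4
def ssm_plus_listed(dst): return dst in SSM_V4 or str(dst) in {"224.0.1.1"}

# Constructed SAs: independent senders that happened to pick the same SPI.
SAS = [
    ("192.0.2.1", "232.1.1.1", 0x1000, "ssm-A"),
    ("192.0.2.2", "232.1.1.1", 0x1000, "ssm-B"),
    ("198.51.100.1", "224.0.1.1", 0x2000, "ntp-1"),
    ("198.51.100.2", "224.0.1.1", 0x2000, "ntp-2"),
]

def rejected(rule):
    """Names of SAs that cannot be installed under the given lookup rule."""
    sad = SAD(rule)
    return [name for src, dst, spi, name in SAS if not sad.install(src, dst, spi, name)]

if __name__ == "__main__":
    for rule in (dest_only, ssm_only, ssm_plus_listed):
        print(rule.__name__, "rejects", rejected(rule))
```

The SSM-only rule resolves the collision on 232.1.1.1 but leaves the 224.0.1.1 case from the quoted message colliding, which is why the ASM case needs source-based lookups for some non-SSM destinations.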