Re: draft-ietf-v6ops-cpe-simple-security-12.txt feedback

[Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>]

Hi Fred,

On Sat, 7 Aug 2010 06:06:20 +0200
Fred Baker <fred@cisco.com> wrote:

> On Aug 6, 2010, at 10:20 PM, james woodyatt wrote:
> 
> > I'm really not sure why people seem to think that subscribers ought to be lumped into the same organizational zone as their service provider. I must need to be educated about operational considerations again.
> 
> On Aug 7, 2010, at 2:49 AM, Mark Smith wrote:
> 
> > There's quite a lot of IPTV interest in the .au market at the moment,
> > and one of the branded service wholesale IPTV providers to ISPs is
> > using IPv4 multicast to deliver it. The provider is originating the
> > multicast traffic outside the ISP networks, so in an IPv6 context I
> > think the scope for that traffic would need to be global.
> 
> OK, Mark, what are you arguing here?
> 
> I *think* you are arguing that the router SHOULD be configurable by some means (manual? UPnP? what?) to accept a multicast from the ISP and repeat it on the (a?) local LAN, or more generally, that a CPE router SHOULD be configurable to forward an identified class of multicast traffic between subnets to which it is attached. Is that correct? If so, I'll suggest we think about that recommendation for the CPE Router discussion that we just initiated.
> 

Yes. I would assume that the multicast functionality would be achieved
by having the CPE act as an MLD proxy.

> With respect to security, which is the subject of this draft, how would you recommend identifying the class of traffic? Are you suggesting that a simple home firewall should prevent the home from being ddos'd using unicast but should be default be ddos-able using multicast?

No. 

Firstly I think the upstream network's multicast forwarding capability
provides a level of protection. If the upstream ISP network doesn't
support multicast forwarding, then the CPE would only receive multicast
traffic on it's WAN interface from on-link peers. If the CPE is acting
as an MLD proxy, then that multicast traffic would only be forwarded
onto the LAN ports if there were subscriptions for groups towards which
this malicious multicast traffic were being sent to. So current threat
from malicious multicast traffic is quite low level. Even if the
upstream ISPs network is multicast enabled, the Internet isn't, so the
threat isn't a global one.

Secondly, when the ISPs network is configured to multicast route, for
multicast traffic inbound towards the home LAN, it would seem to me
that MLD / MLD proxy would in effect serve as a "multicast firewall
configuration" protocol. Traffic for groups that are subscribed to,
regardless of their scope, could be permitted to be forwarded by the
CPE from the WAN to appropriate LAN interfaces. Any other inbound
multicast traffic not be forwarded.

I can't really think of a use for outbound multicast i.e. the
unique multicast source is attached to the home LAN. However, with IPv6
restoring or attempting to restore the peer-to-peer communications
nature of the Internet, the are probably some use cases. They're
probably worth trying to avoid constraining if doing so doesn't reduce
security unacceptably.

In the context of this draft, I think CPE multicast security is possibly
is not simple enough to just use multicast address scopes as security
discriminators in determining if the traffic should be forwarded or
not. It might be better to say in this draft something like, "all
multicast traffic is not to be forwarded by the CPE, unless appropriate
multicast traffic security mechanisms have been implemented. Such
multicast security mechanisms are out of scope for this memo." (or
addressed in a multicast security RFC that I'm not aware of.)

Regards,
Mark.