[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re

To: ssm-interest@cisco.com
Subject: Re
From: holbrook@cisco.com
Date: Tue, 17 Dec 2002 14:18:10 -0500 (EST)
Hi, Pekka.  My replies, re the ssm-arch draft:

> ssm-arch-01:
> 
> ==> In many places, there if a referrence to "IPv6 SSM address range
> FF2x::".  According to e.g. RFC3306, this perhaps should be FF3x:: -- or a 
> lot of clarification is required!

You're right.  As I said in a recent reply to the list these should
all be FF3x: and will be in the next revision.

> No globally agreed-upon administratively-scoped address range [ADMIN-
> SCOPE] is currently defined for source-specific multicast.  Note that 
> there is no possibility of address conflict between hosts in different  
> administrative domains (or between two hosts of any kind).
> Administrative scoping of SSM addresses can be implemented within an
> administrative domain by filtering at domain boundary routers.
> 
> ==> this seems to be an obvious oversight.
> Administrative scoping for SSM is very much existant for IPv6.

It's there in v6 because it just falls out of the IPv6 addressing
architecture.  I'm not personally convinced that there is a need for
an administratively scoped SSM address range.  I'd like to hear
arguments, though.

If the working group comes to an agreement that we should provide
admin scoping for SSM in IPv4, I'd like to defer the details to a
separate draft and not hold this one up.  I think it will be fairly
contentious trying to nail down the specific admin-scoped SSM address
ranges.

Assuming that we defer admin-scoping to a separate draft, is there any
text change you'd like to see in *this* draft?

> Source Routing [RFC791] (both Loose and Strict) in combination with
> source address spoofing may be used to allow an impostor of the true
> channel source to inject packets onto an SSM channel.  An SSM router
> MUST have a configuration option to disable source routing to an SSM    
> destination addresses, and the default value SHOULD be to disable Source
> Routing to an SSM destination address.  Anti-source spoofing mechanisms
> like source address filtering at the edges of the network are also
> strongly encouraged.
> 
> ==> this seems overly specificative to me.  IMO, if the default is to 
> disable source routing to multicast addresses, I believe there is no need 
> for a knob.  In any case, this is a bit like an implementation
> issue.

I think I agree with you, that mandating a configuration option is not
really the right way to say this.  Trying to translate your comments
into text:

  Source Routing [RFC791] (both Loose and Strict) in combination with
  source address spoofing may be used to allow an impostor of the true
  channel source to inject packets onto an SSM channel.  An SSM router
  SHOULD by default disallow source routing to an SSM destination
  addresses.  A router MAY have a configuration option to allow source
  routing.  Anti-source spoofing mechanisms such as source address
  filtering at the edges of the network are also strongly encouraged.

Comments?

Hugh


> -- 
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                   not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
> 
>
Prev by Date: NOTE
Next by Date: ReMIME-Version: 1.0
Prev by thread: Re
Next by thread: Re
Index(es):
- Date
- Thread