holbrook@cisco.com wrote:
> Hi, Pekka. My replies, re the ssm-arch draft:
>
>
>>ssm-arch-01:
>>
>>==> In many places, there is a reference to "IPv6 SSM address range
>>FF2x::". According to e.g. RFC3306, this perhaps should be FF3x:: -- or a
>>lot of clarification is required!
>
>
> You're right. As I said in a recent reply to the list these should
> all be FF3x: and will be in the next revision.
>
>
>>No globally agreed-upon administratively-scoped address range [ADMIN-
>>SCOPE] is currently defined for source-specific multicast. Note that
>>there is no possibility of address conflict between hosts in different
>>administrative domains (or between two hosts of any kind).
>>Administrative scoping of SSM addresses can be implemented within an
>>administrative domain by filtering at domain boundary routers.
>>
>>==> this seems to be an obvious oversight.
>>Administrative scoping for SSM is very much existent for IPv6.
>
>
> It's there in v6 because it just falls out of the IPv6 addressing
> architecture. I'm not personally convinced that there is a need for
> an administratively scoped SSM address range. I'd like to hear
> arguments, though.
>
> If the working group comes to an agreement that we should provide
> admin scoping for SSM in IPv4, I'd like to defer the details to a
> separate draft and not hold this one up. I think it will be fairly
> contentious trying to nail down the specific admin-scoped SSM address
> ranges.
>
> Assuming that we defer admin-scoping to a separate draft, is there any
> text change you'd like to see in *this* draft?
>
I don't see a need for additional text in this document.
>
>>Source Routing [RFC791] (both Loose and Strict) in combination with
>>source address spoofing may be used to allow an impostor of the true
>>channel source to inject packets onto an SSM channel. An SSM router
>>MUST have a configuration option to disable source routing to an SSM
>>destination addresses, and the default value SHOULD be to disable Source
>>Routing to an SSM destination address. Anti-source spoofing mechanisms
>>like source address filtering at the edges of the network are also
>>strongly encouraged.
>>
>>==> this seems overly specificative to me. IMO, if the default is to
>>disable source routing to multicast addresses, I believe there is no need
>>for a knob. In any case, this is a bit like an implementation
>>issue.
>
>
> I think I agree with you, that mandating a configuration option is not
> really the right way to say this. Trying to translate your comments
> into text:
>
> Source Routing [RFC791] (both Loose and Strict) in combination with
> source address spoofing may be used to allow an impostor of the true
> channel source to inject packets onto an SSM channel. An SSM router
> SHOULD by default disallow source routing to an SSM destination
> addresses. A router MAY have a configuration option to allow source
> routing. Anti-source spoofing mechanisms such as source address
> filtering at the edges of the network are also strongly encouraged.
>
> Comments?
The IPv6 spec (RFC 2460) specifically forbids the use of multicast
addresses in the routing header. But, I don't see a comparable
restriction for v4.
And I would assume that the above text would go in the Security
Considerations section.
Brian