Re: Re: Re: [ssm] what to say about scoping for v6 [was ...last call...]

[Hugh Holbrook <holbrook@cisco.com>]

> Date: Wed, 12 Mar 2003 21:41:27 +0200 (EET)
> From: Pekka Savola <pekkas@netcore.fi>
> Cc: Brian Haberman <bkhabs@nc.rr.com>, <ssm@ietf.org>
> 
> On Wed, 12 Mar 2003, Hugh Holbrook wrote:
> > > One should note that the use of IPv6 scoped addresses either in S or G may
> > > cause significant complexities, for example regarding mismatching scopes
> > > between S and G or regarding forwarding decisions for a scoped (S,G).  
> > > The implications of scoped addresses are described in other documents
> > > [REF:SCOPED-ARCH]
> > 
> > Isn't the scoping behavior simply that the most restrictive (smallest)
> > scope applies.  A packet is forwarded neither across a source-scope
> > boundary nor across a destination-scope boundary.  Unless I'm missing
> > something, this actually sounds rather uncomplicated to me.  Is there
> > something that makes this tricky?
> 
> At the moment, in practise (=implementation), everything related to
> scoping is *undefined*, it seems to me.
> 
> How your SSM-enabled router will/would react now, or in 1-2 years is a 
> complete question mark.

Perhaps I'm not creative enough, but I can't imagine any
implementation of scoped addresses that would not apply scope limits
to both the source and destination.

> > Is there something about this that makes it a Security Considerations
> > issue?
> 
> Yes, but only slightly: if people use e.g. site-local addresses as a
> security measure, and use SSM with like (<site-local>, global-scope-SSM)  
> -- for whatever reason, e.g. the use of the same application (and
> subsequent G) both site-locally and globally, the forwarding of such
> multicasts might *NOT* be limited to your site-local S scope.  This is an
> uncertainty as the implementation is unclear.

I don't dispute that implementations are not complete, but I can't see
how the IETF could endorse a scheme in which a join for a site-local
address S would allowed to be routed through a scoped boundary for S.
S refers to two totally diferent hosts on the two sides of the scope
boundary, so it's like sending the join to the wrong host.

In fact, I would be ok with putting in text saying that for SSM joins
and data, the scope boundaries MUST be applied to the source address
in addition to the destination address.

> On the hindsight, the text I proposed above seems better fit to some other 
> section, and something different might be more applicable to security 
> considerations, like:
> 
>   Note that when forwarding or processing SSM, the scope of both S and G 
>   may have to be considered [SCOPED-ARCH]; in particular, if the unicast 
>   scope of S is smaller than respective multicast scope of G, the packets 
>   might end up forwarded outside of the scope of S.  Therefore, limited 

I would prefer not to say this because I think it is not likely to
ever be allowed.  I'd be happy saying just that "scopes should not be
used as a security mechanism..."  and leaving it at that.  I think
it's overkill to say that limited scope addresses must be avoided with
SSM, because I think they work fine as long as boundaries are applied
to the source as well.

-Hugh

>   scopes should be avoided and must not be used as a security mechanism.
>
> .. I wonder if that's any better ..
> 
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
> 
> 
> 
_______________________________________________
ssm mailing list
ssm@ietf.org
https://www1.ietf.org/mailman/listinfo/ssm