[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ssm] what to say about scoping for v6 [was ...last call...]
Hugh Holbrook wrote:
>>Date: Wed, 12 Mar 2003 21:41:27 +0200 (EET)
>>From: Pekka Savola <pekkas@netcore.fi>
>>Cc: Brian Haberman <bkhabs@nc.rr.com>, <ssm@ietf.org>
>>
>>On Wed, 12 Mar 2003, Hugh Holbrook wrote:
>>
>>>>One should note that the use of IPv6 scoped addresses either in S or G may
>>>>cause significant complexities, for example regarding mismatching scopes
>>>>between S and G or regarding forwarding decisions for a scoped (S,G).
>>>>The implications of scoped addresses are described in other documents
>>>>[REF:SCOPED-ARCH]
>>>
>>>Isn't the scoping behavior simply that the most restrictive (smallest)
>>>scope applies. A packet is forwarded neither across a source-scope
>>>boundary nor across a destination-scope boundary. Unless I'm missing
>>>something, this actually sounds rather uncomplicated to me. Is there
>>>something that makes this tricky?
>>
>>At the moment, in practise (=implementation), everything related to
>>scoping is *undefined*, it seems to me.
>>
>>How your SSM-enabled router will/would react now, or in 1-2 years is a
>>complete question mark.
>
>
> Perhaps I'm not creative enough, but I can't imagine any
> implementation of scoped addresses that would not apply scope limits
> to both the source and destination.
>
Neither can I. In fact, that is one of the items in the scoped
addressing architecture that everyone agrees on. Both S & G have
to be checked when a scoped boundary is encountered.
>
>>>Is there something about this that makes it a Security Considerations
>>>issue?
>>
>>Yes, but only slightly: if people use e.g. site-local addresses as a
>>security measure, and use SSM with like (<site-local>, global-scope-SSM)
>>-- for whatever reason, e.g. the use of the same application (and
>>subsequent G) both site-locally and globally, the forwarding of such
>>multicasts might *NOT* be limited to your site-local S scope. This is an
>>uncertainty as the implementation is unclear.
>
>
> I don't dispute that implementations are not complete, but I can't see
> how the IETF could endorse a scheme in which a join for a site-local
> address S would allowed to be routed through a scoped boundary for S.
> S refers to two totally diferent hosts on the two sides of the scope
> boundary, so it's like sending the join to the wrong host.
>
I agree that would be dangerous. The situation is a little muddled
though, in that the PIM protocol would have to do checking of S &
G within the PIM Join/Prune messages. Of course, the actual
routing protocols will have to do the same too. So, it seems that
the scenario is already covered and is much larger than SSM.
> In fact, I would be ok with putting in text saying that for SSM joins
> and data, the scope boundaries MUST be applied to the source address
> in addition to the destination address.
>
That is what the scoped addressing architecture already says.
Do we need to repeat it?
>
>>On the hindsight, the text I proposed above seems better fit to some other
>>section, and something different might be more applicable to security
>>considerations, like:
>>
>> Note that when forwarding or processing SSM, the scope of both S and G
>> may have to be considered [SCOPED-ARCH]; in particular, if the unicast
>> scope of S is smaller than respective multicast scope of G, the packets
>> might end up forwarded outside of the scope of S. Therefore, limited
>
>
> I would prefer not to say this because I think it is not likely to
> ever be allowed. I'd be happy saying just that "scopes should not be
> used as a security mechanism..." and leaving it at that. I think
> it's overkill to say that limited scope addresses must be avoided with
> SSM, because I think they work fine as long as boundaries are applied
> to the source as well.
>
I agree with Hugh on this point.
Brian
_______________________________________________
ssm mailing list
ssm@ietf.org
https://www1.ietf.org/mailman/listinfo/ssm