Re: Comment: PIm Sparse Mode to Proposed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'll add Cc: to PIM wg.

On Thu, 27 Oct 2005, Sam Hartman wrote:
This comment is not a discuss, but I am certainly not thrilled with
the current situation.  This document does not define a mandatory to
implement security mechanism.  It does tell network administrators how
to use IPsec to secure PIM.
...
So I'm not going to block this document.  However we must do better in
the future.  The primary purpose of this comment is to say that I'm
not happy with this direction and that the fact that this document
passes IESG review may not be used as a justification that future work
should be allowed through.

In my opinion, there seem to be two main classes of PIM vulnerabilities:

1) those relating to multicast routing infrastructures (between routers); these have been described in: draft-ietf-mboned-mroutesec-04.txt (in rfc-ed queue, waiting for the pim spec)

2) those relating to the interaction of users/apps and multicast routing infrastructures; these have been described in (expired) draft:
http://netcore.fi/pekkas/ietf/draft-savola-pim-lasthop-threats-01.txt

(this has been presented and discussed in PIM WG, with decision to wait and see until the PIM spec is reviewed/approved by the IESG).

While there is not clear easy-to-use, robust security mechanism for 1), one has been described for 2) in those scenarios where there is only one multicast router on the LAN.

...

I hope this clarifies what I believe is the PIM protocol threat "landscape", while the mitigation mechanisms may not be sufficient in all the cases.

Unfortunately, it seems neither of these drafts is referred in the PIM spec.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]