IGMP and PIM protection
Hi, Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering that if they do, then how would snooping switches work? Affably, Kent
Glen Kent wrote:
Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering that if they do, then how would snooping switches work?
Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone? Peter
Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone?
No, I wasn't alluding to encrypting the multicast traffic. I was thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets. Affably, Kent
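An added illustration of the snooping question raised in this thread (example code, not part of the original thread): a minimal IGMPv2 report is built once as a plain IPv4 packet and once inside an ESP-NULL encapsulation per RFC 4303, and a toy IGMP snooping routine, which like real switches keys on IP protocol 2, is run over both. The addresses, SPI and all-zero ICV are constructed placeholders.

```python
import socket
import struct

IPPROTO_IGMP = 2      # IGMP is carried directly in IPv4 as protocol 2
IPPROTO_ESP = 50      # ESP (RFC 4303) is protocol 50
IGMPV2_REPORT = 0x16  # IGMPv2 Membership Report type

def inet_checksum(data):
    """One's-complement checksum shared by IPv4 and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def igmpv2_report(group):
    """IGMPv2 Membership Report: type, max resp time, checksum, group."""
    hdr = struct.pack("!BBH4s", IGMPV2_REPORT, 0, 0, socket.inet_aton(group))
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def esp_null(inner, next_hdr, spi, seq, icv):
    """ESP with NULL encryption: SPI, seq, payload, padding, pad length,
    next header, ICV. Inner bytes stay readable but sit behind protocol 50."""
    pad_len = (-(len(inner) + 2)) % 4          # 4-byte trailer alignment
    padding = bytes(range(1, pad_len + 1))     # default ESP pad pattern
    return (struct.pack("!II", spi, seq) + inner + padding
            + struct.pack("!BB", pad_len, next_hdr) + icv)

def snoop_igmp(packet):
    """What an IGMP snooping switch does: key on protocol 2, read the group."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IGMP:
        return None                            # ESP and the rest are opaque
    igmp = packet[ihl:]
    if igmp[0] == IGMPV2_REPORT and inet_checksum(igmp[:8]) == 0:
        return socket.inet_ntoa(igmp[4:8])
    return None

# Constructed sample: one IGMPv2 report, sent plain and inside ESP-NULL.
REPORT = igmpv2_report("239.1.2.3")
PLAIN = ipv4(IPPROTO_IGMP, "10.0.0.5", "239.1.2.3", REPORT)
ICV = b"\x00" * 12                            # placeholder 96-bit ICV
WRAPPED = ipv4(IPPROTO_ESP, "10.0.0.5", "239.1.2.3",
               esp_null(REPORT, IPPROTO_IGMP, 0x1000, 1, ICV))
```

The report bytes are still present in `WRAPPED`, but a snooping switch that does not hold the SA (and so cannot tell NULL encryption from real encryption or know the ICV length) never learns the group, which is why integrity protection at this layer and IGMP snooping pull in opposite directions.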
So we're looking to complicate things for the sake of complicating them? Using a predictable "security" doesn't exactly make things secure, does it? On the links that you are running PIM or IGMP on, do you not have a predictable set of clients and therefore problems? Or are we trying to protect against something I'm not thinking of? ;) Scott
Glen Kent wrote:
Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone?
No, I wasn't alluding to encrypting the multicast traffic. I was thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets.
Affably, Kent
On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
Any idea if folks use AH or ESP to protect IGMP/PIM packets
What are you trying to 'protect' them against?
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
Any idea if folks use AH or ESP to protect IGMP/PIM packets
What are you trying to 'protect' them against?
Just integrity protection to ensure that my reports, etc. are not mangled when I receive them. OR to make sure that I only receive reports/leaves from the folks who are supposed to send them. Please note that I am NOT interested in encrypting the control traffic. Kent
On Dec 23, 2009, at 9:19 PM, Glen Kent wrote:
Just integrity protection to ensure that my reports, etc. are not mangled when i recv them. OR to make sure that i only receive reports/leaves from the folks who are supposed to send them.
I echo the previous respondent who noted that this is probably best done at the application layer, FWIW.
But IGMP IS the control traffic with users. And PIM IS the control traffic between multicast routers. ? Scott
Glen Kent wrote:
On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
Any idea if folks use AH or ESP to protect IGMP/PIM packets
What are you trying to 'protect' them against?
Just integrity protection to ensure that my reports, etc. are not mangled when I receive them. OR to make sure that I only receive reports/leaves from the folks who are supposed to send them.
Please note that I am NOT interested in encrypting the control traffic.
Kent
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Wednesday, December 23, 2009 9:27 AM
To: Glen Kent
Cc: nanog@nanog.org
Subject: Re: IGMP and PIM protection
But IGMP IS the control traffic with users. And PIM IS the control traffic between multicast routers.
I think OP meant that he only wants an integrity check of the control traffic, not confidentiality, hence the statement that he does not want to encrypt the control traffic.
Stefan Fouant
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
On Wed, Dec 23, 2009 at 10:24 AM, Stefan Fouant <sfouant@shortestpathfirst.net> wrote:
I think OP meant that he only wants an integrity check of the control traffic, not confidentiality, hence the statement that he does not want to encrypt the control traffic.
I read the OP to mean this, too. Musing on the idea for a moment, it would surely be 'nice' to somehow know that PIM v2 joins from some other network were, in fact, 'good' or somehow well-formed, rate-limited, and/or somehow 'safe' to accept & hold state for. However, it seems as if the OP isn't interested in inter-domain "rp protection" -- and probably more interested in authenticating more local igmp v2/3 joins for STB's and the like. Glen, clarify? -Tk
Musing on the idea for a moment, it would surely be 'nice' to somehow know that PIM v2 joins from some other network were, in fact, 'good' or somehow well-formed, rate-limited, and/or somehow 'safe' to accept & hold state for. However, it seems as if the OP isn't interested in inter-domain "rp protection" -- and probably more interested in authenticating more local igmp v2/3 joins for STB's and the like.
Yup, I was currently looking at the IGMP v2/v3 joins only. Kent
Glen, clarify?
-Tk