Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
>
> I think OP meant that he only wants an integrity check of the control
> traffic, not confidentiality, hence the statement that he does not want to
> encrypt the control traffic.

Yes, that's correct.

Kent




Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
>
> Musing on the idea for a moment, it would surely be 'nice' to somehow
> know that PIM v2 joins from some other network were, in fact, 'good'
> or somehow well-formed, rate-limited, and/or somehow 'safe' to accept
> & hold state for. However, it seems as if the OP isn't interested in
> inter-domain "rp protection" -- and probably more interested in
> authenticating more local igmp v2/3 joins for STB's and the like.

Yup, I was currently looking at the IGMP v2/v3 joins only.

Kent

>
> Glen, clarify?
>
> -Tk
>



Re: IGMP and PIM protection

2009-12-23 Thread Anton Kapela
On Wed, Dec 23, 2009 at 10:24 AM, Stefan Fouant wrote:
> I think OP meant that he only wants an integrity check of the control
> traffic, not confidentiality, hence the statement that he does not want to
> encrypt the control traffic.

I read the OP to mean this, too.

Musing on the idea for a moment, it would surely be 'nice' to somehow
know that PIM v2 joins from some other network were, in fact, 'good'
or somehow well-formed, rate-limited, and/or somehow 'safe' to accept
& hold state for. However, it seems as if the OP isn't interested in
inter-domain "rp protection" -- and probably more interested in
authenticating more local igmp v2/3 joins for STB's and the like.

Glen, clarify?

-Tk



RE: IGMP and PIM protection

2009-12-23 Thread Stefan Fouant
> -Original Message-
> From: Scott Morris [mailto:s...@emanon.com]
> Sent: Wednesday, December 23, 2009 9:27 AM
> To: Glen Kent
> Cc: nanog@nanog.org
> Subject: Re: IGMP and PIM protection
> 
> But IGMP IS the control traffic with users.  And PIM IS the control
> traffic between multicast routers.

I think OP meant that he only wants an integrity check of the control
traffic, not confidentiality, hence the statement that he does not want to
encrypt the control traffic.

Stefan Fouant
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




Re: IGMP and PIM protection

2009-12-23 Thread Scott Morris
But IGMP IS the control traffic with users.  And PIM IS the control
traffic between multicast routers.

?


Scott

Glen Kent wrote:
> On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland  wrote:
>> On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
>>
>>> Any idea if folks use AH or ESP to protect IGMP/PIM packets
>>
>> What are you trying to 'protect' them against?
>
> Just integrity protection to ensure that my reports, etc. are not
> mangled when I recv them. OR to make sure that I only receive
> reports/leaves from the folks who are supposed to send them.
>
> Please note that I am NOT interested in encrypting the control traffic.
>
> Kent



Re: IGMP and PIM protection

2009-12-23 Thread Scott Morris
So we're looking to complicate things for the sake of complicating
them?  Using a predictable "security" doesn't exactly make things secure,
does it?

On the links that you are running PIM or IGMP on, do you not have a
predictable set of clients and therefore problems?  Or are we trying to
protect against something I'm not thinking of?  ;)

Scott


Glen Kent wrote:
>> Would encrypting multicast not fundamentally break the concept of multicast
>> itself, unless you're encrypting multicast traffic over a backbone?
>
> No, I wasn't alluding to encrypting the multicast traffic. I was
> thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets.
>
> Affably,
> Kent



Re: IGMP and PIM protection

2009-12-23 Thread Dobbins, Roland

On Dec 23, 2009, at 9:19 PM, Glen Kent wrote:

> Just integrity protection to ensure that my reports, etc. are not mangled 
> when i recv them. OR to make sure that i only receive reports/leaves from the 
> folks who are supposed to send them.

I echo the previous respondent who noted that this is probably best done at the 
application layer, FWIW.

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken






Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland  wrote:
>
> On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
>
>> Any idea if folks use AH or ESP to protect IGMP/PIM packets
>
> What are you trying to 'protect' them against?

Just integrity protection to ensure that my reports, etc. are not
mangled when I recv them. OR to make sure that I only receive
reports/leaves from the folks who are supposed to send them.

Please note that I am NOT interested in encrypting the control traffic.

Kent




Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
> Would encrypting multicast not fundamentally break the concept of multicast
> itself, unless you're encrypting multicast traffic over a backbone?

No, I wasn't alluding to encrypting the multicast traffic. I was
thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets.

Affably,
Kent



Re: IGMP and PIM protection

2009-12-23 Thread Dobbins, Roland

On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:

> Any idea if folks use AH or ESP to protect IGMP/PIM packets

What are you trying to 'protect' them against?

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken






Re: IGMP and PIM protection

2009-12-23 Thread David Barak
Multicast encryption using GDOI works well, although I haven't seen that 
implemented on a LAN.  If you're trying to provide encryption for LAN listeners 
(more accurately to exclude some LAN listeners) you'll probably find more bang 
for the buck in implementing this on a per-application basis.  That leaves the 
IGMP request subject to eavesdropping, but the data itself flows over a secure 
channel.  If instead you want the IGMP itself to be encrypted, then you'll need 
all of the switches to participate in the security protocol, and I would 
imagine that there are far easier ways to provide secure connections.  I 
believe GDOI is esp-only.

Cisco's term for GDOI is GETVPN.

-David Barak

On Wed Dec 23rd, 2009 7:26 AM EST Peter Hicks wrote:

> Glen Kent wrote:
>> Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering
>> that if they do, then how would snooping switches work?
>
> Would encrypting multicast not fundamentally break the concept of multicast
> itself, unless you're encrypting multicast traffic over a backbone?
>
> Peter
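Glen's question about how snooping switches would cope, and David's point that the switches would have to participate in the security protocol, can be shown with a small simulation. This is an added example, not code from anyone in the thread: it builds constructed IGMPv2 membership reports, one bare and one wrapped in ESP-NULL with an assumed SPI of 0x1234 and a placeholder 12-byte ICV, and runs them through a toy snooping parser that only learns the group when it has been told that the SPI belongs to an ESP-NULL SA.

```python
import socket
import struct

# Constructed sample values (not from the thread): a host reporting one group.
HOST = "10.0.0.5"
GROUP = "239.1.1.1"
IGMPV2_REPORT = 0x16          # IGMPv2 Membership Report type
PROTO_IGMP, PROTO_ESP = 2, 50

def checksum(data):
    """RFC 1071 one's-complement checksum as used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def igmpv2_report(group):
    hdr = struct.pack("!BBH4s", IGMPV2_REPORT, 0, 0, socket.inet_aton(group))
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]

def ipv4(proto, payload, src=HOST, dst=GROUP):
    # Minimal 20-byte IPv4 header; header checksum left zero for brevity.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def esp_null(spi, seq, inner, next_hdr, icv_len=12):
    """ESP-NULL: SPI + seq, plaintext payload, pad/pad-len/next-header, ICV.
    The ICV is a placeholder (assumed value); a real SA would carry an HMAC."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    return struct.pack("!II", spi, seq) + inner + trailer + b"\xAA" * icv_len

def snoop(packet, esp_null_spis=None):
    """Simulated IGMP-snooping switch: returns (host, group) if it can see a
    membership report, else None. esp_null_spis maps SPI -> ICV length for
    SAs the switch has been told are ESP-NULL (i.e. it 'participates')."""
    ihl = (packet[0] & 0x0F) * 4
    proto, src, body = packet[9], socket.inet_ntoa(packet[12:16]), packet[ihl:]
    if proto == PROTO_ESP:
        spi = struct.unpack("!I", body[:4])[0]
        if not esp_null_spis or spi not in esp_null_spis:
            return None       # ESP is opaque to the switch: no group learned
        icv_len = esp_null_spis[spi]
        pad_len, proto = body[-icv_len - 2], body[-icv_len - 1]
        body = body[8:-icv_len - 2 - pad_len]
    if proto == PROTO_IGMP and body[0] == IGMPV2_REPORT and checksum(body[:8]) == 0:
        return src, socket.inet_ntoa(body[4:8])
    return None
```

A switch that does not know the SA returns None for the wrapped report, so it would never build forwarding state for the group; the same packet parses once the SPI and ICV length are known.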






Re: IGMP and PIM protection

2009-12-23 Thread Peter Hicks

Glen Kent wrote:

> Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering
> that if they do, then how would snooping switches work?

Would encrypting multicast not fundamentally break the concept of
multicast itself, unless you're encrypting multicast traffic over a
backbone?


Peter