Multicast encryption using GDOI works well, although I haven't seen that 
implemented on a LAN.  If you're trying to provide encryption for LAN listeners 
(more accurately to exclude some LAN listeners) you'll probably find more bang 
for the buck in implementing this on a per-application basis.  That leaves the 
IGMP request subject to eavesdropping, but the data itself flows over a secure 
channel.  If instead you want the IGMP itself to be encrypted, then you'll need 
all of the switches to participate in the security protocol, and I would 
imagine that there are far easier ways to provide secure connections.  I 
believe GDOI is ESP-only.

Cisco's term for GDOI is GETVPN.

-David Barak

On Wed Dec 23rd, 2009 7:26 AM EST Peter Hicks wrote:

>Glen Kent wrote:
>> Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering
>> that if they do, then how would snooping switches work?
>>
>Would encrypting multicast not fundamentally break the concept of multicast 
>itself, unless you're encrypting multicast traffic over a backbone?
>
>
>Peter
>
>
>
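The tradeoff discussed in this thread (Glen's question of how snooping switches could work if IGMP were protected with ESP, and David's suggestion to encrypt per application and leave IGMP in the clear) can be shown with a small model. The Python script below is an added example, not code from anyone on this thread and not from any GDOI/GETVPN implementation. A toy snooping switch learns listener ports from a plain IGMPv2 Membership Report, but learns nothing from the same report carried inside ESP and has to flood the group. The ESP framing is simplified (SPI, sequence number, encrypted payload, no padding or ICV), the keystream is a SHA-256 stand-in for a real IPsec cipher so the script needs only the standard library, and the group address, port names and key are constructed values.

```python
import hashlib
import struct

IGMP_PROTO = 2          # IP protocol number for IGMP
ESP_PROTO = 50          # IP protocol number for ESP (RFC 4303)
IGMP_V2_REPORT = 0x16   # IGMPv2 Membership Report
IGMP_V2_LEAVE = 0x17    # IGMPv2 Leave Group


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement checksum used by IGMP; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str) -> bytes:
    """8-byte IGMPv2 message: type, max response time, checksum, group address."""
    group_bytes = bytes(int(octet) for octet in group.split("."))
    body = struct.pack("!BBH", msg_type, 0, 0) + group_bytes
    return struct.pack("!BBH", msg_type, 0, rfc1071_checksum(body)) + group_bytes


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode). NOT a real IPsec cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:length]


def esp_wrap(inner: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """Simplified ESP: SPI | seq | encrypt(inner || next_header); no padding or ICV."""
    plaintext = inner + bytes([next_header])
    ks = _keystream(key, spi, seq, len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(p ^ k for p, k in zip(plaintext, ks))


def esp_unwrap(packet: bytes, key: bytes):
    """A receiver holding the group key recovers (inner, next_header)."""
    spi, seq = struct.unpack("!II", packet[:8])
    body = packet[8:]
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(key, spi, seq, len(body))))
    return plaintext[:-1], plaintext[-1]


class SnoopingSwitch:
    """Toy IGMP snooping: learns group -> listener ports from IGMP it can parse."""

    def __init__(self):
        self.groups = {}

    def observe(self, port: str, ip_proto: int, payload: bytes) -> str:
        """Inspect one frame's IP payload and report what the switch concluded."""
        if ip_proto == ESP_PROTO:
            return "opaque"            # only SPI and sequence visible; IGMP or data, unknown
        if ip_proto != IGMP_PROTO:
            return "data"
        if len(payload) < 8 or rfc1071_checksum(payload) != 0:
            return "bad-igmp"
        group = ".".join(str(b) for b in payload[4:8])
        if payload[0] == IGMP_V2_REPORT:
            self.groups.setdefault(group, set()).add(port)
            return "join " + group
        if payload[0] == IGMP_V2_LEAVE:
            self.groups.get(group, set()).discard(port)
            return "leave " + group
        return "igmp-other"

    def forward(self, dst_group: str, all_ports) -> set:
        """Deliver to learned listeners; with nothing learned, flood every port."""
        learned = self.groups.get(dst_group)
        return set(learned) if learned else set(all_ports)


def demo() -> dict:
    """Compare the two designs from the thread on a constructed three-port LAN."""
    ports = {"gi0/1", "gi0/2", "gi0/3"}             # constructed port names
    group = "239.1.2.3"                             # constructed group address
    key = b"constructed-group-key"                  # stands in for a GDOI-distributed key
    report = build_igmpv2(IGMP_V2_REPORT, group)
    results = {}
    # Per-application encryption: IGMP in the clear, switch learns gi0/2 and forwards only there.
    clear_sw = SnoopingSwitch()
    results["clear_igmp"] = clear_sw.observe("gi0/2", IGMP_PROTO, report)
    results["clear_forward"] = clear_sw.forward(group, ports)
    # IGMP inside ESP: switch sees protocol 50 and an opaque blob, learns nothing, floods.
    esp_sw = SnoopingSwitch()
    wrapped = esp_wrap(report, IGMP_PROTO, spi=0x1000, seq=1, key=key)
    results["esp_igmp"] = esp_sw.observe("gi0/2", ESP_PROTO, wrapped)
    results["esp_forward"] = esp_sw.forward(group, ports)
    results["receiver_recovers"] = esp_unwrap(wrapped, key) == (report, IGMP_PROTO)
    return results
```

Running demo() shows the two outcomes side by side: with IGMP in the clear the switch forwards 239.1.2.3 only to gi0/2, while with IGMP inside ESP the only thing any hop without the group key can see is the SPI and sequence number, so the switch floods all three ports even though a keyed receiver recovers the report intact. That is the point behind David's remark that encrypting IGMP itself would require every switch to participate in the security protocol.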