Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
> I think OP meant that he only wants an integrity check of the control traffic, not confidentiality, hence the statement that he does not want to encrypt the control traffic.

Yes, that's correct.

Kent

> Stefan Fouant
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D

Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
> Musing on the idea for a moment, it would surely be 'nice' to somehow know that PIM v2 joins from some other network were, in fact, 'good' or somehow well-formed, rate-limited, and/or somehow 'safe' to accept & hold state for. However, it seems as if the OP isn't interested in inter-dom

Re: IGMP and PIM protection

2009-12-23 Thread Anton Kapela
On Wed, Dec 23, 2009 at 10:24 AM, Stefan Fouant wrote:
> I think OP meant that he only wants an integrity check of the control traffic, not confidentiality, hence the statement that he does not want to encrypt the control traffic.

I read the OP to mean this, too.

Musing on the idea for a mom

RE: IGMP and PIM protection

2009-12-23 Thread Stefan Fouant
> -Original Message-
> From: Scott Morris [mailto:s...@emanon.com]
> Sent: Wednesday, December 23, 2009 9:27 AM
> To: Glen Kent
> Cc: nanog@nanog.org
> Subject: Re: IGMP and PIM protection
>
> But IGMP IS the control traffic with users. And PIM IS the control

Re: IGMP and PIM protection

2009-12-23 Thread Scott Morris
But IGMP IS the control traffic with users. And PIM IS the control traffic between multicast routers. ?

Scott

Glen Kent wrote:
> On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland wrote:
>
>> On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
>>
>>> Any idea if folks use AH or ESP to prot

Re: IGMP and PIM protection

2009-12-23 Thread Scott Morris
So we're looking to complicate things for the sake of complicating them? Using a predictable "security" doesn't exactly make things secure does it? On the links that you are running PIM or IGMP on, do you not have a predictable set of clients and therefore problems? Or are we trying to protect

Re: IGMP and PIM protection

2009-12-23 Thread Dobbins, Roland
On Dec 23, 2009, at 9:19 PM, Glen Kent wrote:
> Just integrity protection to ensure that my reports, etc. are not mangled when I recv them. OR to make sure that I only receive reports/leaves from the folks who are supposed to send them.

I echo the previous respondent who noted that this is

Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland wrote:
> On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
>
>> Any idea if folks use AH or ESP to protect IGMP/PIM packets
>
> What are you trying to 'protect' them against?

Just integrity protection to ensure that my reports, etc. are not mangled w

Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
>>
> Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone?

No, I wasn't alluding to encrypting the multicast traffic. I was thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets.

Affably,

Re: IGMP and PIM protection

2009-12-23 Thread Dobbins, Roland
On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
> Any idea if folks use AH or ESP to protect IGMP/PIM packets

What are you trying to 'protect' them against?

---
Roland Dobbins // Injustice is

Re: IGMP and PIM protection

2009-12-23 Thread David Barak
Multicast encryption using GDOI works well, although I haven't seen that implemented on a LAN. If you're trying to provide encryption for LAN listeners (more accurately to exclude some LAN listeners) you'll probably find more bang for the buck in implementing this on a per-application basis. T

Re: IGMP and PIM protection

2009-12-23 Thread Peter Hicks
Glen Kent wrote: Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering that if they do, then how would snooping switches work? Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone? P