IGMP and PIM protection

Hi,

Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering,
if they do, how snooping switches would work?

Affably,
Kent

Glen Kent wrote:

Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering,
if they do, how snooping switches would work?

Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone?

Peter

What are you trying to 'protect' them against?

Would encrypting multicast not fundamentally break the concept of multicast
itself, unless you're encrypting multicast traffic over a backbone?

No, I wasn't alluding to encrypting the multicast traffic. I was
thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets.

Affably,
Kent

Any idea if folks use AH or ESP to protect IGMP/PIM packets

What are you trying to 'protect' them against?

Just integrity protection to ensure that my reports, etc. are not
mangled when I receive them, or to make sure that I only receive
reports/leaves from the folks who are supposed to send them.

Please note that I am NOT interested in encrypting the control traffic.

Kent
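To make the two questions in this sub-thread concrete (what ESP-NULL or AH buys the receiving router, and what an IGMP-snooping switch in the middle can still parse), here is an added Python example. It is mine, not code from anyone on the list. It builds an IGMPv2 Membership Report and carries it plain, inside AH and inside ESP-NULL, then parses each packet once as a keyless snooping switch and once as a router that holds the SA key. Assumptions, none of which come from the thread: HMAC-SHA1-96 as the integrity algorithm, a constructed key and SPI, and an AH ICV computed over the AH header plus the IGMP message only (RFC 4302 also covers the immutable IP header fields; that is left out for brevity).

```python
"""Added example: IGMPv2 report carried plain / in AH / in ESP-NULL, parsed by a
keyless snooping switch and by a keyed receiver.  Not code from the thread."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IGMP, IPPROTO_ESP, IPPROTO_AH = 2, 50, 51
KEY = b"constructed-demo-key"      # constructed shared integrity key (assumption)
SPI, SEQ = 0x1234, 1               # constructed SA parameters (assumption)
ICV_LEN = 12                       # HMAC-SHA1-96 truncates the tag to 96 bits


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (IPv4 and IGMP use the same one)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def igmpv2_report(group: str) -> bytes:
    """IGMPv2 Membership Report: type 0x16, max resp time, checksum, group address."""
    body = struct.pack("!BBH4s", 0x16, 0, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(msg: bytes):
    """Return (type, group) when the 8-byte IGMP checksum verifies, else None."""
    if len(msg) < 8 or inet_checksum(msg[:8]) != 0:
        return None
    kind, _, _, grp = struct.unpack("!BBH4s", msg[:8])
    return kind, socket.inet_ntoa(grp)


def icv(data: bytes) -> bytes:
    """HMAC-SHA1-96 integrity check value."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_wrap(next_hdr: int, payload: bytes) -> bytes:
    """AH header: next hdr, payload len (32-bit words minus 2), reserved, SPI, seq, ICV.
    The inner IGMP message follows the header in the clear."""
    head = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, SPI, SEQ)
    return head + icv(head + bytes(ICV_LEN) + payload) + payload   # ICV zeroed while signing


def esp_null_wrap(next_hdr: int, payload: bytes) -> bytes:
    """ESP with NULL encryption: SPI, seq, payload, padding, pad len, next hdr, ICV.
    The next-header byte lives in the trailer, behind the payload."""
    pad_len = (-(len(payload) + 2)) % 4
    body = (struct.pack("!II", SPI, SEQ) + payload
            + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_hdr))
    return body + icv(body)


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 1) in front of `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def snoop(pkt: bytes):
    """What an IGMP-snooping switch with no SA keys can learn: (group, status) or None."""
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == IPPROTO_IGMP:
        r = parse_igmp(body)
        return None if r is None else (r[1], "plain")
    if proto == IPPROTO_AH and body[0] == IPPROTO_IGMP:
        r = parse_igmp(body[(body[1] + 2) * 4:])        # skip AH, read the clear IGMP
        return None if r is None else (r[1], "ah-unverified")   # no key: ICV unchecked
    # ESP, even ESP-NULL: the next-header byte sits behind padding and an ICV whose
    # length is a property of the SA, so without the SA the switch cannot delimit it.
    return None


def receive(pkt: bytes):
    """Router or host that holds KEY: verify the ICV first, then parse the IGMP message."""
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == IPPROTO_AH:
        head, tag, inner = body[:12], body[12:12 + ICV_LEN], body[12 + ICV_LEN:]
        if head[0] != IPPROTO_IGMP or not hmac.compare_digest(tag, icv(head + bytes(ICV_LEN) + inner)):
            return None
        r = parse_igmp(inner)
        return None if r is None else (r[1], "ah-verified")
    if proto == IPPROTO_ESP:
        body, tag = body[:-ICV_LEN], body[-ICV_LEN:]
        if not hmac.compare_digest(tag, icv(body)):
            return None
        pad_len, next_hdr = body[-2], body[-1]
        if next_hdr != IPPROTO_IGMP:
            return None
        r = parse_igmp(body[8:len(body) - 2 - pad_len])
        return None if r is None else (r[1], "esp-verified")
    return None


def tamper_ah(pkt: bytes, new_group: str) -> bytes:
    """On-LAN attacker swaps the group in an AH-protected report, IGMP checksum recomputed."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[:ihl + 12 + ICV_LEN] + igmpv2_report(new_group)
```

Running `snoop` and `receive` over the three packets shows the trade-off behind the question: with AH the IGMP message is still in the clear, so a snooping switch keeps working, but it learns the group from a tampered report just as readily as from a genuine one because only the keyed router can reject the bad ICV; with ESP-NULL the router gets the same integrity check, but a keyless switch has no reliable way to locate the IGMP message at all (RFC 5879 describes heuristics for exactly this, which is a hint at how awkward it is). Neither wrapper says anything about PIM neighbour authentication, which is a separate problem.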

I echo the previous respondent who noted that this is probably best done at the application layer, FWIW.

So we're looking to complicate things for the sake of complicating
them? Using a predictable "security" doesn't exactly make things secure,
does it?

On the links that you are running PIM or IGMP on, do you not have a
predictable set of clients and therefore problems? Or are we trying to
protect against something I'm not thinking of? :wink:

Scott

Glen Kent wrote:

But IGMP IS the control traffic with users. And PIM IS the control
traffic between multicast routers.

?

Scott

Glen Kent wrote:

I think OP meant that he only wants an integrity check of the control
traffic, not confidentiality, hence the statement that he does not want to
encrypt the control traffic.

Stefan Fouant
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

I read the OP to mean this, too.

Musing on the idea for a moment, it would surely be 'nice' to somehow
know that PIM v2 joins from some other network were, in fact, 'good'
or somehow well-formed, rate-limited, and/or somehow 'safe' to accept
& hold state for. However, it seems as if the OP isn't interested in
inter-domain "rp protection" -- and probably more interested in
authenticating more local igmp v2/3 joins for STB's and the like.

Glen, clarify?

-Tk

Musing on the idea for a moment, it would surely be 'nice' to somehow
know that PIM v2 joins from some other network were, in fact, 'good'
or somehow well-formed, rate-limited, and/or somehow 'safe' to accept
& hold state for. However, it seems as if the OP isn't interested in
inter-domain "rp protection" -- and probably more interested in
authenticating more local igmp v2/3 joins for STB's and the like.

Yup, I was currently looking at the IGMP v2/v3 joins only.

Kent

I think OP meant that he only wants an integrity check of the control
traffic, not confidentiality, hence the statement that he does not want to
encrypt the control traffic.

Yes, that's correct.

Kent