Source-Specific Multicast for IP
draft-ietf-ssm-arch-07
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
07 | (System) | post-migration administrative database adjustment to the No Objection position for Margaret Wasserman |
2012-08-22
|
07 | (System) | post-migration administrative database adjustment to the Yes position for Bill Fenner |
2012-08-22
|
07 | (System) | post-migration administrative database adjustment to the No Objection position for Brian Carpenter |
2012-08-22
|
07 | (System) | post-migration administrative database adjustment to the No Objection position for Steven Bellovin |
2012-08-22
|
07 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2006-07-24
|
07 | Bill Fenner | State Change Notice email list have been change to ssm-chairs@tools.ietf.org from holbrook@cisco.com, supratik@sprintlabs.com |
2005-10-24
|
07 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2005-10-18
|
07 | Amy Vezza | IESG state changed to Approved-announcement sent |
2005-10-18
|
07 | Amy Vezza | IESG has approved the document |
2005-10-18
|
07 | Amy Vezza | Closed "Approve" ballot |
2005-10-18
|
07 | Amy Vezza | [Ballot Position Update] Position for Bill Fenner has been changed to Yes from Discuss by Amy Vezza |
2005-10-17
|
07 | Amy Vezza | State Changes to Approved-announcement to be sent from IESG Evaluation by Amy Vezza |
2005-10-14
|
07 | (System) | Removed from agenda for telechat - 2005-10-13 |
2005-10-13
|
07 | Mark Townsley | [Ballot Position Update] New position, No Objection, has been recorded for Mark Townsley by Mark Townsley |
2005-10-13
|
07 | Michelle Cotton | IANA follow-up comments: Upon approval, we understand this document to update the references for SSM block at the following: http://www.iana.org/assignments/multicast-addresses IANA will also add an … IANA follow-up comments: Upon approval, we understand this document to update the references for SSM block at the following: http://www.iana.org/assignments/multicast-addresses IANA will also add an entry in the following registry to document the IPv6 SSM range: http://www.iana.org/assignments/ipv6-multicast-addresses |
2005-10-10
|
07 | Russ Housley | [Ballot comment] Overall, I am happy with the update. There is a cut-and-paste problem at the end of the first paragraph in section 7.2. The … [Ballot comment] Overall, I am happy with the update. There is a cut-and-paste problem at the end of the first paragraph in section 7.2. The meaning is unclear. |
2005-10-10
|
07 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2005-10-06
|
07 | Brian Carpenter | [Ballot Position Update] Position for Brian Carpenter has been changed to No Objection from Discuss by Brian Carpenter |
2005-10-05
|
07 | Bill Fenner | Placed on agenda for telechat - 2005-10-13 by Bill Fenner |
2005-10-05
|
07 | Bill Fenner | State Changes to IESG Evaluation from IESG Evaluation::AD Followup by Bill Fenner |
2005-10-05
|
07 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2005-10-05
|
07 | (System) | New version available: draft-ietf-ssm-arch-07.txt |
2005-06-03
|
07 | Brian Carpenter | [Ballot discuss] Picking up Harald's DISCUSS asking for an important clarification: 4.1, top of page 7 - This section makes me think ASM listeners won't … [Ballot discuss] Picking up Harald's DISCUSS asking for an important clarification: 4.1, top of page 7 - This section makes me think ASM listeners won't be able to listen to SSM traffic, but the document doesn't explicitly say so, one way or the other. It's a little less vague on SSM listeners and ASM traffic, but could be clearer here, too. |
2005-06-03
|
07 | Brian Carpenter | [Ballot Position Update] New position, Discuss, has been recorded for Brian Carpenter by Brian Carpenter |
2004-10-28
|
07 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2004-10-28
|
07 | Michelle Cotton | IANA Comments: IANA would like to clarify -exactly- what we need to do and to what registries. We will consult with ADs to be sure. |
2004-10-28
|
07 | Bill Fenner | [Ballot discuss] Placeholder for IANA to make sure they know what to do with the addresses. |
2004-10-28
|
07 | Bill Fenner | [Ballot Position Update] Position for Bill Fenner has been changed to Discuss from Yes by Bill Fenner |
2004-10-28
|
07 | Bert Wijnen | [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen |
2004-10-27
|
07 | Margaret Cullen | [Ballot Position Update] Position for Margaret Wasserman has been changed to No Objection from Discuss by Margaret Wasserman |
2004-10-27
|
07 | David Kessens | [Ballot comment] From Pekka Savola, OPS directorate: From 'high view', I think this is OK. The comments in the tracker need to be taken into … [Ballot comment] From Pekka Savola, OPS directorate: From 'high view', I think this is OK. The comments in the tracker need to be taken into account. SSM is already out there, and many other related specs already specify a lot of the same things that this spec does, but from a different perspective. As a bigger comment: As a matter of fact, IMHO a lot clarity problems that seem to have come up from those who first read the spec stem from the fact that the specification has been distributed in a large number of documents, and there is substantial overlap. At least these deal with SSM: - 'ssm overview', RFC 3569 - 'ssm architecture', this document - draft-ietf-mboned-ssm232-08.txt [rfc ed queue] - draft-holbrook-idmr-igmpv3-ssm-08.txt [rfc ed queue] - [ draft-ietf-pim-sm-v2-new ] For example, draft-ietf-mboned-ssm232-08.txt specifies much better how the hosts and routers should treat with ASM inside the SSM prefix. I think the reasoning has been that the architecture describes the generic architecture, and protocols or address ranges are described in other documents as they might change a bit more, but I don't think this has entirely successful, because the architecture has ended up also discussing the protocols and numbers a lot, which was not the original intent AFAICS. I'm not sure how to fix this properly, and whether it's even worth fixing up properly, but one option (if it's deemed useful, personally this might be beyond the point of diminishing returns already) might be using more normative references to the abovementioned specs, and making this spec as barebones as reasonable. ... It has been at least a year since I last looked at this, and only skimming now, two comments: 4.3. Allocation of Source-Specific Multicast Addresses The SSM destination address 232.0.0.0 is reserved, and a system MUST NOT send a datagram with a destination address of 232.0.0.0. ==> this seems bogus and should probably be removed. We don't restrict hosts from sending packets to address 0.0.0.0, 224.0.0.0 or a number of other clearly invalid addresses either, but this seems to be wrong place to specify that such transmissions must be prevented. And how would that even be implemented -- should the hosts be able to send packets to 232.0.0.0 using raw sockets? As a suggestion, just say: The SSM destination address 232.0.0.0 is reserved, and it must not be used as a destination address. ... A host operating system SHOULD provide an interface to allow an application to request a unique allocation of a channel destination address in advance of a session's commencement, and this allocation database SHOULD persist across host reboots. ==> a worthy goal, but I don't know any implementation which is providing such an interface.. well, this stuff can probably be removed if this spec is ever pushed forward to draft standard.. nits: - there are a large number of improperly used uppercase keywords - s/RFC2373/RFC3513/ - s/FF3x:3FFF:FFFF/FF3x::3FFF:FFFF/ |
2004-10-27
|
07 | (System) | State Changes to IESG Evaluation from IESG Evaluation - Defer by system |
2004-10-19
|
07 | Russ Housley | [Ballot comment] Thoughout the document: s/IPSec/IPsec/ In the Abstract and in the Introduction: s/IP addresses in the 232/IP version 4 (IPv4) addresses … [Ballot comment] Thoughout the document: s/IPSec/IPsec/ In the Abstract and in the Introduction: s/IP addresses in the 232/IP version 4 (IPv4) addresses in the 232/ |
2004-10-19
|
07 | Russ Housley | [Ballot discuss] Section 7.1 does not reflect the compromise worked out between the MSEC WG and the IPsec WG. Please review draft-ietf-ipsec-rfc2401bis-03, … [Ballot discuss] Section 7.1 does not reflect the compromise worked out between the MSEC WG and the IPsec WG. Please review draft-ietf-ipsec-rfc2401bis-03, especially sections 4.1, 4.4.1.1, 4.4.2, and 4.6. Explicit provisions for multicast SA lookup added a long time ago (at least a year ago). Steve Kent has provided this extract from the most recent versions of AHbis, ESPbis, and 21401bis, with protocol-specific references removed: In many secure multicast architectures, e.g., [RFC3740], a central Group Controller/Key Server unilaterally assigns the group security association's SPI. This SPI assignment is not negotiated or coordinated with the key management (e.g., IKE) subsystems that reside in the individual end systems that comprise the group. Consequently, it is possible that a group security association and a unicast security association can simultaneously use the same SPI. A multicast-capable IPsec implementation MUST correctly de-multiplex inbound traffic even in the context of SPI collisions. Each entry in the Security Association Database (SAD) [Ken-Arch] must indicate whether the SA lookup makes use of the destination, or destination and source, IP addresses, in addition to the SPI. For multicast SAs, the protocol field is not employed for SA lookups. For each inbound, IPsec-protected packet, an implementation must conduct its search of the SAD such that it finds the entry that matches the "longest" SA identifier. In this context, if two or more SAD entries match based on the SPI value, then the entry that also matches based on destination, or destination and source, address comparison(as indicated in the SAD entry) is the "longest" match. This implies a logical ordering of the SAD search as follows: 1. Search the SAD for a match on {SPI, destination address, source address}. If a SAD entry matches then process the inbound packet with that matching SAD entry. Otherwise, proceed to step 2. 2. Search the SAD for a match on {SPI, destination address}. If the SAD entry matches then process the inbound packet with that matching SAD entry. Otherwise, proceed to step 3. 3. Search the SAD for a match on only {SPI} if the receiver has chosen to maintain a single SPI space for AH and ESP, or on {SPI, protocol} otherwise. If an SAD entry matches then process the inbound packet with that matching SAD entry. Otherwise, discard the packet and log an auditable event. The indication of whether source and destination address matching is required to map inbound IPsec traffic to SAs MUST be set either as a side effect of manual SA configuration or via negotiation using an SA management protocol, e.g., IKE or GDOI [RFC3547]. Typically, Source- Specific Multicast (SSM) [HC03] groups use a 3-tuple SA identifier composed of an SPI, a destination multicast address, and source address. An Any-Source Multicast group SA requires only an SPI and a destination multicast address as an identifier. |
2004-10-19
|
07 | Russ Housley | [Ballot discuss] Section 7.1 does not reflect the compromise worked out between the MSEC WG and the IPsec WG. Please review draft-ietf-ipsec-rfc2401bis-03, … [Ballot discuss] Section 7.1 does not reflect the compromise worked out between the MSEC WG and the IPsec WG. Please review draft-ietf-ipsec-rfc2401bis-03, especially sections 4.1, 4.4.1.1, 4.4.2, and 4.6. Explicit provisions for multicast SA lookup added a long time ago (at least a year ago). Steve Kent has provided this extract from the most recent versions of AHbis, ESPbis, and 21401bis, with protocol-specific references removed: In many secure multicast architectures, e.g., [RFC3740], a central Group Controller/Key Server unilaterally assigns the group security association's SPI. This SPI assignment is not negotiated or coordinated with the key management (e.g., IKE) subsystems that reside in the individual end systems that comprise the group. Consequently, it is possible that a group security association and a unicast security association can simultaneously use the same SPI. A multicast-capable IPsec implementation MUST correctly de-multiplex inbound traffic even in the context of SPI collisions. Each entry in the Security Association Database (SAD) [Ken-Arch] must indicate whether the SA lookup makes use of the destination, or destination and source, IP addresses, in addition to the SPI. For multicast SAs, the protocol field is not employed for SA lookups. For each inbound, IPsec-protected packet, an implementation must conduct its search of the SAD such that it finds the entry that matches the "longest" SA identifier. In this context, if two or more SAD entries match based on the SPI value, then the entry that also matches based on destination, or destination and source, address comparison(as indicated in the SAD entry) is the "longest" match. This implies a logical ordering of the SAD search as follows: 1. Search the SAD for a match on {SPI, destination address, source address}. If a SAD entry matches then process the inbound packet with that matching SAD entry. Otherwise, proceed to step 2. 2. Search the SAD for a match on {SPI, destination address}. If the SAD entry matches then process the inbound packet with that matching SAD entry. Otherwise, proceed to step 3. 3. Search the SAD for a match on only {SPI} if the receiver has chosen to maintain a single SPI space for AH and ESP, or on {SPI, protocol} otherwise. If an SAD entry matches then process the inbound packet with that matching SAD entry. Otherwise, discard the packet and log an auditable event. The indication of whether source and destination address matching is required to map inbound IPsec traffic to SAs MUST be set either as a side effect of manual SA configuration or via negotiation using an SA management protocol, e.g., IKE or GDOI [RFC3547]. Typically, Source- Specific Multicast (SSM) [HC03] groups use a 3-tuple SA identifier composed of an SPI, a destination multicast address, and source address. An Any-Source Multicast group SA requires only an SPI and a destination multicast address as an identifier. |
2004-10-14
|
07 | Steven Bellovin | [Ballot Position Update] Position for Steve Bellovin has been changed to No Objection from Discuss by Steve Bellovin |
2004-10-14
|
07 | Margaret Cullen | State Changes to IESG Evaluation - Defer from IESG Evaluation by Margaret Wasserman |
2004-10-14
|
07 | Margaret Cullen | [Ballot discuss] I need to defer this document, but I don't now how to do it... |
2004-10-14
|
07 | Margaret Cullen | [Ballot Position Update] Position for Margaret Wasserman has been changed to Discuss from No Objection by Margaret Wasserman |
2004-10-14
|
07 | Russ Housley | [Ballot discuss] Section 7.1 does not reflect the compromise worked out between the MSEC WG and the IPsec WG. Please review draft-ietf-ipsec-rfc2401bis-03, … [Ballot discuss] Section 7.1 does not reflect the compromise worked out between the MSEC WG and the IPsec WG. Please review draft-ietf-ipsec-rfc2401bis-03, especially sections 4.1, 4.4.1.1, 4.4.2, and 4.6. |
2004-10-14
|
07 | Allison Mankin | [Ballot comment] Some other groups (RMT is one) have been eagerly awaiting this. It's clear and well-written. I hope that the IESG discussion will resolve … [Ballot comment] Some other groups (RMT is one) have been eagerly awaiting this. It's clear and well-written. I hope that the IESG discussion will resolve with clarity. If it would be helpful to have some RMT developers who depend on this technology, and intend to use it security features, participate in any discussions, let me know. |
2004-10-14
|
07 | Allison Mankin | [Ballot Position Update] New position, Yes, has been recorded for Allison Mankin by Allison Mankin |
2004-10-14
|
07 | Bill Fenner | [Ballot Position Update] New position, Yes, has been recorded for Bill Fenner by Bill Fenner |
2004-10-14
|
07 | Jon Peterson | [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson |
2004-10-13
|
07 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2004-10-13
|
07 | Harald Alvestrand | [Ballot comment] Reviewed by Spencer Dawkins, Gen-ART His review: This document is on the right track, but is still a couple of stops from the … [Ballot comment] Reviewed by Spencer Dawkins, Gen-ART His review: This document is on the right track, but is still a couple of stops from the end of the line :-) Introduction - The first four paragraphs aren't appropriate for an Introduction - they are fine, but they should be in a following section, by themselves. The fifth paragraph begins a high-level description and justification of SSM - THAT'S what an Introduction should look like. 4.1, top of page 7 - This section makes me think ASM listeners won't be able to listen to SSM traffic, but the document doesn't explicitly say so, one way or the other. It's a little less vague on SSM listeners and ASM traffic, but could be clearer here, too. 4.3 - No justification of the MUST NOT for 232.0.0.0. In general, the justifications in this section are weak, missing, or separated from specific requirements. I'm sure the authors understand all this stuff; the goal is that people who DIDN'T write the document will know how to extend it in the future. 7.1 - points out that SSM can break in the presence of SPI collisions by two senders, but doesn't say whether either senders or receivers can detect this condition automatically - they promise a solution, but don't describe the ability of participants to identify the problem in the meanwhile. 7.1 and 7.3 call out AH - my impression is that the use of AH in standards-track protocols is almost non-existent, and Steve Bellovin keeps telling me that there's no reason for AH. Probably good if these sections aren't too dependent on AH. 7.2 Not sure where "A router MAY have a configuration option to allow source routing" came from - I think this is actually an unintentional use of capitals; surely router requirements for source routing support aren't being specified in the security considerations section of SSM :-) 8 is called "Transition Considerations". What's the vision here - coexistence or transition from ASM to SSM? Is it the same vision in IPv4 and IPv6? |
2004-10-13
|
07 | Harald Alvestrand | [Ballot discuss] I believe the lack of clarity Spencer noted about ASM/SSM deserves to be addressed. Either it should be known to work or it … [Ballot discuss] I believe the lack of clarity Spencer noted about ASM/SSM deserves to be addressed. Either it should be known to work or it should be known to not work. Spencer said: 4.1, top of page 7 - This section makes me think ASM listeners won't be able to listen to SSM traffic, but the document doesn't explicitly say so, one way or the other. It's a little less vague on SSM listeners and ASM traffic, but could be clearer here, too. His other comments are worth thinking about, but I don't think they should be blocking. |
2004-10-13
|
07 | Harald Alvestrand | [Ballot Position Update] Position for Harald Alvestrand has been changed to Discuss from Undefined by Harald Alvestrand |
2004-10-13
|
07 | Harald Alvestrand | [Ballot Position Update] New position, Undefined, has been recorded for Harald Alvestrand by Harald Alvestrand |
2004-10-12
|
07 | Russ Housley | [Ballot comment] In the Abstract and in the Introduction: s/IP addresses in the 232/IP version 4 (IPv4) addresses in the 232/ |
2004-10-12
|
07 | Russ Housley | [Ballot discuss] Section 7.1 does not reflect the compromise worked out between the MSEC WG and the IPsec WG. |
2004-10-12
|
07 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley |
2004-10-12
|
07 | Ted Hardie | [Ballot Position Update] New position, No Objection, has been recorded for Ted Hardie by Ted Hardie |
2004-10-11
|
07 | Steven Bellovin | [Ballot discuss] The discussion of IPsec in Section 7.1 appears to be incorrect. Senders do not chose or allocate SPIs; rather, SPIs are chosen by … [Ballot discuss] The discussion of IPsec in Section 7.1 appears to be incorrect. Senders do not chose or allocate SPIs; rather, SPIs are chosen by the "owner" of the destination address; the owner then informs the sender. In the unicast world, that's easy; In the multicast world, the owner would be whoever allocated the multicast group address. The real question here is how the multicast SA is set up. |
2004-10-11
|
07 | Steven Bellovin | [Ballot Position Update] New position, Discuss, has been recorded for Steve Bellovin by Steve Bellovin |
2004-10-11
|
07 | Scott Hollenbeck | [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2004-10-10
|
07 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2004-10-08
|
07 | Alex Zinin | [Ballot Position Update] New position, Yes, has been recorded for Alex Zinin |
2004-10-08
|
07 | Alex Zinin | Ballot has been issued by Alex Zinin |
2004-10-08
|
07 | Alex Zinin | Created "Approve" ballot |
2004-10-04
|
07 | Alex Zinin | Placed on agenda for telechat - 2004-10-14 by Alex Zinin |
2004-10-04
|
07 | Alex Zinin | State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Alex Zinin |
2004-09-29
|
07 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2004-09-15
|
07 | Amy Vezza | Last call sent |
2004-09-15
|
07 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2004-09-15
|
07 | Alex Zinin | State Changes to Last Call Requested from AD Evaluation::External Party by Alex Zinin |
2004-09-15
|
07 | Alex Zinin | Last Call was requested by Alex Zinin |
2004-09-15
|
07 | (System) | Ballot writeup text was added |
2004-09-15
|
07 | (System) | Last call text was added |
2004-09-15
|
07 | (System) | Ballot approval text was added |
2004-09-08
|
06 | (System) | New version available: draft-ietf-ssm-arch-06.txt |
2004-08-27
|
07 | Alex Zinin | State Changes to AD Evaluation::External Party from AD Evaluation::AD Followup by Alex Zinin |
2004-08-27
|
07 | Alex Zinin | checking with Hugh if he could send a rev with new boilerplates. |
2004-07-19
|
07 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2004-07-19
|
05 | (System) | New version available: draft-ietf-ssm-arch-05.txt |
2004-04-22
|
07 | Alex Zinin | State Changes to AD Evaluation::Revised ID Needed from AD Evaluation by Alex Zinin |
2004-04-22
|
07 | Alex Zinin | AD-review comments posted on Apr-13-2004: Generally the document is in a great shape. Very good job. I have one meta issue and one editorial nit. … AD-review comments posted on Apr-13-2004: Generally the document is in a great shape. Very good job. I have one meta issue and one editorial nit. Meta: The document does not spell out what protocols hosts and routers MUST implement. I.e., this kind of document is expected to specify the mandatory-to-implement mechanisms that will ensure that hosts and routers can interoperate. However, there is no place in the document where it says something like "hosts supporting the SSM network service MUST implement IGMPv3 for IPv4 and MLDv2 for IPv6", or "routers supporting the SSM network service MUST implement PIM-SSM..." Editorial The following part: > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this > document are to be interpreted as described in RFC 2119 [RFC 2119]. should be moved inside the body of the document (preferably not in Abstract) Abstract: > IP addresses in the 232/8 (232.0.0.0 to 232.255.255.255) range are > designated as source-specific multicast (SSM) destination addresses and > are reserved for use by source-specific applications and protocols. For > IP version 6 (IPv6), the address prefix FF3x::/32 is reserved for > source-specific multicast use. It defines an extension to the Internet ^^ needs to be expanded. "This document" ? Section "Intellectual Property Rights Notice". To reflect the situation with Apple, this section also needs to include the following paragraph from RFC 2026. "The IETF has been notified of intellectual property rights claimed in regard to some or all of the specification contained in this document. For more information consult the online list of claimed rights." |
2004-04-12
|
07 | Alex Zinin | State Changes to AD Evaluation from Publication Requested by Alex Zinin |
2004-03-25
|
07 | Alex Zinin | Draft Added by Alex Zinin |
2003-10-22
|
04 | (System) | New version available: draft-ietf-ssm-arch-04.txt |
2003-05-08
|
03 | (System) | New version available: draft-ietf-ssm-arch-03.txt |
2003-03-10
|
(System) | Posted related IPR disclosure: Apple's Patent Statement pertaining to draft-ietf-ssm-arch-02.txt entitled 'Source Specific Multicast for IP.' | |
2003-03-05
|
02 | (System) | New version available: draft-ietf-ssm-arch-02.txt |
2002-11-07
|
01 | (System) | New version available: draft-ietf-ssm-arch-01.txt |
2002-02-04
|
00 | (System) | New version available: draft-ietf-ssm-arch-00.txt |