Yakov Rekhter | 14 Dec 2005 15:56

Re: PIM Snooping

Suresh,

[clipped...]

> If we want to preserve the transparency to the C routers (i.e. not
> requiring them to disable Join suppression), then the PEs will have to
> do something like:
> 
> 1) Consume the Join/Prune messages seen on the AC. This means we might
> have to consume other PIM packets (Hello, Assert, BSM) and then send
> them so that the ordering between the messages is preserved. (An Assert
> sent to an upstream router that does not have a downstream state will be
> dropped, for example, since the Join came after the Assert when actually
> it was sent before the Assert).
> 2) Separate the Joins from the Prunes: This means the PE is generating
> packets on behalf of the C routers.
> 3) Unicast joins to the upstream router and multicast the Prunes to all
> routers.

How would the above work (especially the part where the PE is
generating packets on behalf of the C routers) if one uses the IPsec
authentication header to provide data integrity protection and data
origin authentication of PIM protocol messages?

Yakov.
Suresh Boddapati | 15 Dec 2005 20:05

RE: PIM Snooping

> 
> How would the above work (especially the part where the PE is
> generating packets on behalf of the C routers) if one uses the IPsec
> authentication header to provide data integrity protection and data
> origin authentication of PIM protocol messages?
> 
Yakov, you make a good point. I am not an IPsec expert, but it seems
like if the authentication header is used, then we will still be able to
snoop, but will not be able to do proxy, since we won't have the
security associations. I guess we need to make some hard calls here. If
the requirement is not to require CE routers to disable Join
Suppression, then proxy as a solution still does not give you pure plug
and play in at least one case that you pointed out. Plus, the solution
has more complexity than just snooping. This seems like one more
argument to not go the proxy way and stick with pure snooping.

Another thing to consider is how many routers actually support
authentication of PIM packets using IPsec and how many deployments of
this are out there. If they plan to move to an authentication scheme in
the future, they have to upgrade anyway (assuming not all routers
support this), in which case requiring disabling Join suppression may
still be OK.

What do you think?

Thanks,

Suresh
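The distinction drawn in the two messages above (a PE can snoop an origin-authenticated Join/Prune but cannot regenerate or split it on the C routers' behalf) is illustrated by the following added example, which is not part of the thread. It assumes a deliberately simplified Join/Prune encoding (one upstream neighbour, one group, joined and pruned source lists) and uses an HMAC-SHA256 tag under a key held only by the C routers as a stand-in for the AH integrity check value; the PE has no security association, so its proxy-generated packets carry no valid tag.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key standing in for the IPsec SA shared by the C routers.
# The PE never holds it.
C_ROUTER_KEY = b"constructed-c-router-key"
TAG_LEN = 32  # HMAC-SHA256 output length, our stand-in for the AH ICV


@dataclass(frozen=True)
class JoinPrune:
    """Simplified stand-in for one group entry of a PIM Join/Prune message."""
    upstream: str
    group: str
    joins: tuple
    prunes: tuple

    def encode(self) -> bytes:
        # Deterministic wire form so the integrity tag covers every field.
        fields = [self.upstream, self.group,
                  ",".join(self.joins), ",".join(self.prunes)]
        return "|".join(fields).encode()

    @staticmethod
    def decode(body: bytes) -> "JoinPrune":
        upstream, group, joins, prunes = body.decode().split("|")
        return JoinPrune(upstream, group,
                         tuple(filter(None, joins.split(","))),
                         tuple(filter(None, prunes.split(","))))


def seal(msg: JoinPrune, key: bytes) -> bytes:
    """Downstream C router: append the integrity tag computed under the SA key."""
    body = msg.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(packet: bytes, key: bytes) -> bool:
    """Upstream C router: accept only packets whose tag matches the SA key."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def snoop(packet: bytes) -> JoinPrune:
    """PE pure snooping: learn Join/Prune state from the packet as it passes,
    without modifying it or emitting anything in the C routers' name."""
    return JoinPrune.decode(packet[:-TAG_LEN])


def proxy_split(packet: bytes) -> tuple:
    """PE proxy (step 2 of the quoted proposal): separate Joins from Prunes
    into two PE-generated packets. Without the SA the PE cannot compute a
    tag, so it can only attach an all-zero placeholder."""
    msg = snoop(packet)
    join_only = JoinPrune(msg.upstream, msg.group, msg.joins, ())
    prune_only = JoinPrune(msg.upstream, msg.group, (), msg.prunes)
    no_sa_tag = bytes(TAG_LEN)
    return join_only.encode() + no_sa_tag, prune_only.encode() + no_sa_tag


def demo() -> dict:
    """Walk one constructed Join/Prune through snooping and proxying."""
    original = seal(JoinPrune("10.0.0.1", "239.1.1.1",
                              ("10.1.1.1",), ("10.2.2.2",)), C_ROUTER_KEY)
    join_pkt, prune_pkt = proxy_split(original)
    return {
        "original_verifies": verify(original, C_ROUTER_KEY),
        "snooped": snoop(original),
        "proxy_join_verifies": verify(join_pkt, C_ROUTER_KEY),
        "proxy_prune_verifies": verify(prune_pkt, C_ROUTER_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The snooped state is identical to what the C routers exchanged, because the PE only reads the packet; both proxy-generated packets fail the upstream router's check, which is the case Yakov raises and Suresh concedes. Splitting the Joins from the Prunes also changes the covered body, so even forwarding the original tag unchanged would not help the proxy.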