nanog mailing list archives
Re: IGMP and PIM protection
From: David Barak <thegameiam () yahoo com>
Date: Wed, 23 Dec 2009 05:06:34 -0800 (PST)
Multicast encryption using GDOI works well, although I haven't seen that implemented on a LAN. If you're trying to provide encryption for LAN listeners (more accurately to exclude some LAN listeners) you'll probably find more bang for the buck in implementing this on a per-application basis. That leaves the IGMP request subject to eavesdropping, but the data itself flows over a secure channel. If instead you want the IGMP itself to be encrypted, then you'll need all of the switches to participate in the security protocol, and I would imagine that there are far easier ways to provide secure connections.

I believe GDOI is ESP-only. Cisco's term for GDOI is GETVPN.

-David Barak

On Wed Dec 23rd, 2009 7:26 AM EST Peter Hicks wrote:
> Glen Kent wrote:
>> Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering that if they do, then how would snooping switches work?
>
> Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone?
>
> Peter
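An added illustration, not part of the original message or thread: what a snooping switch without keys can read from an IGMPv3 membership report sent in the clear versus the same report carried behind an ESP header. The function names, addresses, SPI value and the XOR stand-in for ciphertext are assumptions constructed for this sketch.

```python
import socket
import struct

IPPROTO_IGMP, IPPROTO_ESP = 2, 50
IGMPV3_REPORT = 0x22            # IGMPv3 Membership Report, sent to 224.0.0.22

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 packet for the constructed samples (no options, checksum 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def igmpv3_report(groups, record_type=4):      # 4 = CHANGE_TO_EXCLUDE (join)
    records = b"".join(struct.pack("!BBH4s", record_type, 0, 0, socket.inet_aton(g))
                       for g in groups)
    return struct.pack("!BBHHH", IGMPV3_REPORT, 0, 0, 0, len(groups)) + records

def snoop(packet):
    """Return what a switch holding no keys can learn from one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_IGMP and len(body) >= 8 and body[0] == IGMPV3_REPORT:
        count = struct.unpack("!H", body[6:8])[0]
        groups, off = [], 8
        for _ in range(count):
            _rtype, aux_len, nsrc = struct.unpack("!BBH", body[off:off + 4])
            groups.append(socket.inet_ntoa(body[off + 4:off + 8]))
            off += 8 + 4 * nsrc + 4 * aux_len   # skip sources and aux data
        return {"kind": "igmp-report", "groups": groups}
    if proto == IPPROTO_ESP and len(body) >= 8:
        spi, seq = struct.unpack("!II", body[:8])   # only SPI and sequence are visible
        return {"kind": "esp", "spi": spi, "seq": seq, "groups": []}
    return {"kind": "other", "groups": []}

# Constructed samples: the same report in the clear, then behind an ESP header.
report = igmpv3_report(["239.1.2.3", "239.9.9.9"])
clear = ipv4(IPPROTO_IGMP, "192.0.2.10", "224.0.0.22", report)
# Stand-in for ciphertext: XOR with a fixed byte is NOT encryption; it only makes
# the payload unreadable to the parser the way real ESP ciphertext would be.
fake_ct = bytes(b ^ 0x5A for b in report)
wrapped = ipv4(IPPROTO_ESP, "192.0.2.10", "224.0.0.22",
               struct.pack("!II", 0x1001, 1) + fake_ct)

if __name__ == "__main__":
    print(snoop(clear))     # group list is readable, so ports can be pruned
    print(snoop(wrapped))   # no group list: the switch must flood or hold keys
```
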