RFC 2337             IP multicast over ATM using PIM            April 1998

6. Security Considerations

   In general, the security issues relevant to the proposal outlined in
   this memo are subsumed by those faced by PIM-SM. While work is
   proceeding on security for PIM-SM, it is worthwhile noting that
   several issues have been raised in conjunction with multicast routing
   and with PIM-SM in particular. These issues include but are not
   limited to:

   (i).   Unauthorized Senders
   (ii).  Unauthorized Receivers
   (iii). Unauthorized use of the RP
   (iv).  Unauthorized "last hop" switching to shortest path tree.

6.1. General Comments on Multicast Routing Protocol Security

   Historically, routing protocols used within the Internet have lacked
   strong authentication mechanisms [RFC1704]. In the late 1980s,
   analysis revealed that there were a number of security problems in
   Internet routing protocols then in use [BELLOVIN89]. During the early
   1990s it became clear that adversaries were selectively attacking
   various intra-domain and inter-domain routing protocols (e.g. via TCP
   session stealing of BGP sessions) [CERTCA9501, RFC1636]. More
   recently, cryptographic authentication mechanisms have been developed
   for RIPv2, OSPF, and the proprietary EIGRP routing protocols. BGP
   protection, in the form of a Keyed MD5 option for TCP, has also
   become widely deployed.

   At present, most multicast routing protocols lack strong
   cryptographic protection. One possible approach to this is to
   incorporate a strong cryptographic protection mechanism (e.g. Keyed
   HMAC MD5 [RFC2104]) within the routing protocol itself.
   Alternatively, the routing protocol could be designed and specified
   to use the IP Authentication Header (AH) [RFC1825, RFC1826, RFC2085]
   to provide cryptographic authentication. Because the intent of any
   routing protocol is to propagate routing information to other
   parties, confidentiality is not generally required in routing
   protocols.
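   The first option named above, a keyed HMAC-MD5 carried inside the
   routing message itself, is illustrated by the following added
   example. It is not part of RFC 2337 and is not code from any PIM
   implementation. It authenticates an opaque routing-message payload
   under a shared key and adds a monotonically increasing sequence
   number so that a captured message cannot be replayed, the same
   combination that RFC 2085 specifies for AH. The wire layout (4-byte
   sequence number, payload, 16-byte MAC), the sample key and the
   sample payloads are constructed for this example only.

```python
"""Keyed HMAC-MD5 authentication of a routing message with sequence-number
replay rejection.  Added example; not code from RFC 2337 or from any PIM
implementation.  The wire layout is an assumption made for this example:

    seq (4 bytes, network order) || payload || HMAC-MD5(key, seq || payload)
"""
import hashlib
import hmac
import struct

SEQ_LEN = 4    # unsigned 32-bit sequence number
MAC_LEN = 16   # HMAC-MD5 output length in bytes


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append HMAC-MD5 computed over (seq || payload)."""
    body = struct.pack("!I", seq) + payload
    mac = hmac.new(key, body, hashlib.md5).digest()
    return body + mac


class Verifier:
    """Receiver side: the shared key plus the highest sequence number accepted.

    RFC 2085 uses a per-security-association replay window; this example
    keeps the stricter rule that every accepted sequence number must be
    larger than the last one."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def verify(self, msg: bytes):
        """Return (payload, "ok") or (None, reason).  The MAC is checked
        before the sequence number so that an unauthenticated packet can
        never advance the replay state."""
        if len(msg) < SEQ_LEN + MAC_LEN:
            return None, "truncated"
        body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.md5).digest()
        # constant-time comparison: a byte-by-byte early exit would leak
        # how many leading MAC bytes an attacker has guessed correctly
        if not hmac.compare_digest(mac, expected):
            return None, "bad mac"
        seq = struct.unpack("!I", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body[SEQ_LEN:], "ok"


def demo() -> list:
    """Run the attack cases from the text against one receiver and return
    the verdict for each message in order."""
    key = b"constructed-shared-secret"        # sample key, constructed
    rx = Verifier(key)
    verdicts = []

    # 1. genuine message from a holder of the key
    m1 = protect(key, 1, b"JOIN 224.1.1.1")   # constructed opaque payload
    verdicts.append(rx.verify(m1)[1])          # ok

    # 2. on-path attacker flips one payload byte; the MAC no longer matches
    tampered = bytearray(m1)
    tampered[SEQ_LEN + 2] ^= 0x01
    verdicts.append(rx.verify(bytes(tampered))[1])   # bad mac

    # 3. attacker replays the captured genuine message 1
    verdicts.append(rx.verify(m1)[1])          # replay

    # 4. unauthorized sender without the key forges under a guessed key
    forged = protect(b"guessed-key", 2, b"JOIN 224.1.1.1")
    verdicts.append(rx.verify(forged)[1])      # bad mac

    # 5. the next genuine message is still accepted
    m2 = protect(key, 2, b"PRUNE 224.1.1.1")
    verdicts.append(rx.verify(m2)[1])          # ok
    return verdicts


if __name__ == "__main__":
    print(demo())
```

   Two caveats apply. A shared symmetric key only separates key holders
   from everyone else: any router holding the key can still originate
   or modify messages, so issues (i) to (iv) above are addressed only
   to the extent that unauthorized parties lack the key. HMAC-MD5 is
   shown because it is what the text names; the construction is
   unchanged if hashlib.md5 is replaced by hashlib.sha256, which is
   what current routing-protocol authentication prefers.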
   In those few cases where local security policy might require
   confidentiality, the use of the IP Encapsulating Security Payload
   (ESP) [RFC1825, RFC1827] is recommended.

Farinacci, et. al.            Experimental                       [Page 5]

   Scalable dynamic multicast key management is an active research area
   at this time. Candidate technologies for scalable dynamic multicast
   key management include CBT-based key management [RFC1949] and the
   Group Key Management Protocol (GKMP) [RFC2093, RFC2094]. The IETF IP
   Security Working Group is actively working on GKMP extensions to the
   standards-track ISAKMP key management protocol being developed in the
   same working group.

7. References

   [BELLOVIN89]  Bellovin, S., "Security Problems in the TCP/IP Protocol
                 Suite", ACM Computer Communications Review, Volume 19,
                 Number 2, pp. 32-48, April 1989.

   [CERTCA9501]  CERT, "IP Spoofing Attacks and Hijacked Terminal
                 Connections", ftp://ftp.cert.org/cert_advisories/,
                 January 1995.

   [MARS]        Armitage, G., "Support for Multicast over UNI 3.0/3.1
                 based ATM Networks", RFC 2022, November 1996.

   [PIM-SM]      Estrin, D., et al., "Protocol Independent Multicast
                 Sparse Mode (PIM-SM): Protocol Specification", Work in
                 Progress.

   [RFC1636]     Braden, R., Clark, D., Crocker, S., and C. Huitema,
                 "Report of IAB Workshop on Security in the Internet
                 Architecture February 8-10, 1994", RFC 1636, June 1994.

   [RFC1704]     Haller, N., and R. Atkinson, "On Internet
                 Authentication", RFC 1704, October 1994.

   [RFC1825]     Atkinson, R., "IP Security Architecture", RFC 1825,
                 August 1995.

   [RFC1826]     Atkinson, R., "IP Authentication Header", RFC 1826,
                 August 1995.

   [RFC1827]     Atkinson, R., "IP Encapsulating Security Payload",
                 RFC 1827, August 1995.

   [RFC1949]     Ballardie, A., "Scalable Multicast Key Distribution",
                 RFC 1949, June 1996.

   [RFC2085]     Oehler, M., and R. Glenn, "HMAC-MD5 IP Authentication
                 with Replay Prevention", RFC 2085, February 1997.

   [RFC2093]     Harney, H., and C. Muckenhirn, "Group Key Management
                 Protocol (GKMP) Specification", RFC 2093, July 1997.

   [RFC2094]     Harney, H., and C. Muckenhirn, "Group Key Management
                 Protocol (GKMP) Architecture", RFC 2094, July 1997.

   [RFC2104]     Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
                 Keyed-Hashing for Message Authentication", RFC 2104,
                 February 1997.

   [RFC2225]     Laubach, M., and J. Halpern, "Classical IP and ARP over
                 ATM", RFC 2225, April 1998.

8. Acknowledgments

   Petri Helenius provided several insightful comments on earlier
   versions of this document.

9. Author Information

   Dino Farinacci
   Cisco Systems
   170 Tasman Dr.
   San Jose, CA 95134

   Phone: (408) 526-4696
   EMail: dino@cisco.com

   David Meyer
   Cisco Systems
   170 Tasman Dr.
   San Jose, CA 95134

   Phone: (541) 687-2581
   EMail: dmm@cisco.com

   Yakov Rekhter
   cisco Systems, Inc.
   170 Tasman Dr.
   San Jose, CA 95134

   Phone: (914) 528-0090
   EMail: yakov@cisco.com

10. Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.