Monday Nov 6th, IETF 67 PIM WG

Document status

PIM MIB: forwarded to Bill after WGLC. Andy brought up the fact that we could use the number assigned.
  Bill: status - MIB doctor review. Dan sent two requests but no one has picked up on it yet. After MIB doctor review, IESG last call for 2 weeks; not more than about 4 weeks after that you can get the OID.

BSR MIB: limited resources of MIB doctors should focus on the PIM MIB and not the BSR MIB; then we can have them look at the BSR MIB. It has passed WGLC and been sent to Bill, who never saw it.

PIM join attributes draft: WGLC success; minor nits fixed.

PIM RPF vector draft: needs WGLC since changes were made.

PIM last hop threats: needs WG review.

Link-local: Atwood to present during this meeting.

Bidir: sent to IESG; waiting on Bill to look for gotchas like security considerations. Nothing for the WG to do.

Rechartering

Remove "promote".
  Dino: should 1000's be 2000, 10000, 100000?
Milestones: J/P refresh reduction proposal? Submit improved assert processing? Submit pim-snooping?
  Tom Pusateri: should solve real problems.
  Cain: PIM snooping in VPLS draft needs to document best common practices.
  Dino: if AMT picks up steam, where does AMT/PIM interworking belong, mboned or pim?
  Toerless (in response to Dino): need special
  Dino: not sure if there is a problem, but for example consider the preference of using RPF for PIM or AMT.
  Bill: Does Thaler's multiple protocol interop document (RFC 2715) already handle this?
  Toerless: we don't have interaction currently.
  Venu: want to revive the refresh reduction. Complexity in BGP to do PIM; it would be easier if it were just done in PIM.
  Tom: we either need to update milestones and charter or close.

Bill Atwood: Securing PIM-SM link-local messages

Motivation / goal: permit authenticating router-to-router traffic sent to ALL_PIM_ROUTERS. No effort to secure unicast PIM messages. See slides.
  Toerless: are you effectively reducing PIM to point-to-point neighbor relationships?
  Atwood: you will have N+1 SAs: one SA for outgoing, N SAs (one per peer).
  Lorenzo: could you explain why the source address is enough to look up the SA?
  Atwood: they have to use globally routable addresses.
  Stig: must use link-local for IPv6. Hello option to send all addresses, but parallel links on unnumbered links would allow the same address.
  Toerless: link-local scope addresses should be unique.
  Stig: private addresses (RFC 1918) may also create the same addresses.
  Fenner: PIM spec says "between the lines" that the link-local address is used for all messages for IPv6.
  Atwood: conclusion changed then. www.cse.concordia.ca/~bill/internet-drafts/IETF67-LinkLocal-00.pdf
  Toerless: is anyone else doing this for other link-local multicast packets?
  Atwood: yes, neighbor discovery. Would like to see this done for other protocols (general solution).
  Brian W.: SA management: 1 SA per sender (can use anti-replay); otherwise, just use GDOI and 1 SA for all senders.
  Atwood: Do we need confidentiality?
  Toerless: if you have snooping switches, may not want it.
  Stig: Agree.
  Brian: If you just use ESP, you let the security policy of the user decide.
Should automated key management be MUST, SHOULD, or MAY?
  Toerless: Can't decide until we see a specific proposal.
  Bill: There is a document that says must use automatic key management, but there may be wiggle room if we can't figure out how to do it; certainly a push to do automatic key management.
  Brian W.: GDOI solves the problem of key management, so don't need to invent something new.
  Bill: RFC 2947 guidelines for cryptographic systems; RFC 4535 GSAKMP.
  Dorian Kim: Is there an operational requirement for confidentiality? Not even considered as an operator, so I don't think it is needed. Don't think it's even needed for OSPF.
  Atwood: can I go against the PIM spec recommendation to use AH?
  Fenner: Don't feel constrained by the PIM spec; the security guys didn't like it anyway.

Atwood: Next slides: Group key management for PIM-SM routers. www.cse.concordia.ca/~bill/internet-drafts/IETF67-KeyManagement.pdf
  Bill: You looked at GDOI and think it's too heavyweight?
  Atwood: yes.
  Bill: Have you looked at GSAKMP?
  Brian W.: We have implemented it and don't find it too heavy (from the author).