
Re: [PATCH 1/2] Syncd Strong authentication extension

To: wensong@xxxxxxxxxxxx
Subject: Re: [PATCH 1/2] Syncd Strong authentication extension
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Cc: Julian Anastasov <ja@xxxxxx>
Cc: keepalived-devel@xxxxxxxxxxxxxxxxxxxxx
From: Alexandre Cassen <Alexandre.Cassen@xxxxxxxxxx>
Date: Tue, 30 Mar 2004 22:20:06 +0200
Hi Wensong,

> Sorry for the delay. I probably need more time to play with your security
> extension on syncd.

no problems, let me know if I can help.

> As for the TTL issues, if we set TTL=255, it may create a lot of
> unnecessary multicast traffic, because routers may forward our multicast
> messages. So, I set TTL=1 to limit the traffic in the local network. ICV
> is usually enough to authenticate incoming sync messages, right?

hmm, yes, the main reason IMHO is that testing for TTL=255 is less CPU-consuming than computing the whole ICV upon receiving messages, especially during a DoS playground. On the other hand, the mcast stream is forwarded on other router interfaces only if there are some subscribers to the mcast group on these interfaces; if there are no subscribers, no stream is forwarded. From here we can have 2 scenarios:

1. router connecting 2 ethernet segments : ----| LAN 1 |-----[Router]-----| LAN 2 |---- : if a LAN1 user joins the group and starts sending datagrams, the router's igmp code will acknowledge; then if a user on LAN2 performs the same igmp join, it will be able to receive the stream from LAN1. If we want to control LAN2 membership, then we can set a firewalling rule for igmp on the LAN2 router's interface (so that join requests will be dropped).

2. routers interconnected : ----| LAN 1 |-----[Router1]--...--[Routern]----| LAN 2 |---- : Considering a stream from a LAN1 source, Router1 is the 'First-hop router' and Routern the 'Last-hop' (called 'leaf'). Someone upstream of Router1 will see the stream only if these routers are running a multicast routing protocol that is in charge of reporting membership to the last-hop routers. If no mcast routing protocol is used, then the stream will not be forwarded since no distribution tree will be created.

Scenario 2 is the most used IMHO since load-balancing stuff is done on some DMZ segment not directly connected to the ISP router. To be fully secure the network admin must set some filtering acl on the 'WAN' interface for IGMP.

hmm... OTOH, we can find complex multi-homed scenarios where we want to replicate the IPVS connection table using a mcast routing protocol to other network segments... cool, with BGP, ... hmm... but connections learned by syncd must expire after the BGP convergence time... ... anyway this is another topic here :)

anyway this is up to you :)

Regards,
Alexandre
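The cost argument made in the message above (a TTL=255 test is cheaper than an ICV computation when a sync receiver is being flooded) is easy to show in code. The following is an added example, not keepalived or IPVS code and not the patch under discussion: it models a receiver that rejects any datagram whose TTL is below 255 before spending a MAC computation on it, and counts how many MAC computations a flood of off-link spoofed datagrams costs with and without that pre-filter. The names (`SyncReceiver`, `run_flood`), the choice of HMAC-SHA256 as the ICV, the shared key and every datagram are constructed here; in a real receiver the TTL would be read from the IP header of each datagram (on Linux, via the IP_RECVTTL ancillary data), not carried in a Python object.

```python
"""Added example: TTL=255 pre-filter in front of ICV (HMAC) verification.

Not keepalived/IPVS code. The wire format, key and ICV algorithm are
assumptions made for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass

ICV_LEN = 32  # HMAC-SHA256 digest length; assumed ICV size, not the patch's format


@dataclass
class Datagram:
    ttl: int        # IP TTL as the receiver sees it (would come from IP_RECVTTL)
    payload: bytes  # sync message body
    icv: bytes      # trailing integrity check value


def compute_icv(key: bytes, payload: bytes) -> bytes:
    """ICV over the payload; HMAC-SHA256 stands in for whatever the patch uses."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_datagram(key: bytes, payload: bytes, ttl: int = 255) -> Datagram:
    """A legitimate sender: correct ICV, TTL set to 255 so it survives the check."""
    return Datagram(ttl, payload, compute_icv(key, payload))


class SyncReceiver:
    """Receive path: cheap TTL test first, ICV check only for survivors."""

    def __init__(self, key: bytes, require_ttl255: bool = True):
        self.key = key
        self.require_ttl255 = require_ttl255
        self.icv_computations = 0
        self.accepted = 0
        self.rejected = {"ttl": 0, "icv": 0}

    def receive(self, dg: Datagram) -> str:
        # A router decrements TTL, so anything below 255 cannot have
        # originated on this link. Dropping it costs an integer compare.
        if self.require_ttl255 and dg.ttl != 255:
            self.rejected["ttl"] += 1
            return "drop:ttl"
        # Only now pay for the MAC. Constant-time compare to avoid leaking
        # how many ICV bytes matched.
        self.icv_computations += 1
        expected = compute_icv(self.key, dg.payload)
        if not hmac.compare_digest(expected, dg.icv):
            self.rejected["icv"] += 1
            return "drop:icv"
        self.accepted += 1
        return "accept"


def run_flood(require_ttl255: bool):
    """Constructed traffic mix: 3 legit messages, 100 routed spoofs, 1 on-link spoof."""
    key = b"shared-sync-key"  # constructed shared secret
    legit = [make_datagram(key, b"conn %d" % i) for i in range(3)]
    # Spoofed datagrams that crossed at least one router: TTL <= 254, junk ICV.
    routed_flood = [Datagram(254, b"spoof %d" % i, bytes(ICV_LEN)) for i in range(100)]
    # An attacker on the same segment can set TTL=255; only the ICV stops this one.
    onlink_spoof = [Datagram(255, b"onlink", bytes(ICV_LEN))]
    rx = SyncReceiver(key, require_ttl255)
    results = [rx.receive(d) for d in legit + routed_flood + onlink_spoof]
    return rx, results


if __name__ == "__main__":
    for flag in (True, False):
        rx, _ = run_flood(flag)
        print(f"ttl_check={flag}: icv_computations={rx.icv_computations} "
              f"accepted={rx.accepted} rejected={rx.rejected}")
```

The point the numbers make is the one argued in the message: with the TTL test in front, the hundred routed spoofs are dropped for the price of a compare each and only four MACs are computed; without it every spoof costs a full ICV computation. The check is a filter, not an authenticator: the on-link spoof passes the TTL test and is only caught by the ICV, and the filter is only usable if the sender emits TTL=255 rather than TTL=1, which is the trade-off the two messages are discussing.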
