Hi Wensong,
> Sorry for the delay. I probably need more time to play with your security
> extension on syncd.
no problems, let me know if I can help.
> As for the TTL issues, if we set TTL=255, it may create a lot of
> unnecessary multicast traffic, because routers may forward our multicast
> messages. So, I set TTL=1 to limit the traffic to the local network. ICV
> is usually enough to authenticate incoming sync messages, right?
hmm, yes, the main reason IMHO is that testing for TTL=255 is less
CPU-consuming than computing the whole ICV upon receiving messages,
especially in a DoS playground. On the other hand, a mcast stream is
forwarded on another router interface only if there are some subscribers for
the mcast group on that interface; if there are no subscribers, no stream is
forwarded.
From here we can have 2 scenarios:
1. a router connecting 2 Ethernet segments:
   ----| LAN 1 |-----[Router]-----| LAN 2 |----
   If a LAN1 user joins the group and starts sending datagrams, the router's
   IGMP code will acknowledge; then if a user on LAN2 performs the same IGMP
   join, it will be able to receive the stream from LAN1. If we want to control
   LAN2 membership, then we can set a firewalling rule for IGMP on the LAN2
   router interface (so that join requests will be dropped).
2. interconnected routers:
   ----| LAN 1 |-----[Router1]--...--[Routern]----| LAN 2 |----
   Considering a stream from a LAN1 source, Router1 is the 'first-hop router'
   and Routern the 'last-hop' (called 'leaf'). Someone upstream of Router1
   will see the stream only if these routers are running a multicast routing
   protocol that is in charge of reporting membership to the last-hop
   routers. If no mcast routing protocol is used, then the stream will not be
   forwarded since no distribution tree will be created.
Scenario 2 is the most common IMHO since load-balancing stuff is done on some
DMZ segment not directly connected to the ISP router. To be fully secure, the
network admin must set some filtering ACL for IGMP on the 'WAN' interface.
hmm... OTOH, we can find complex multi-homed scenarios where we want to
replicate the IPVS connection table to other network segments using a mcast
routing protocol... cool, with BGP, ... hmm... but connections learned by
syncd must expire after the BGP convergence time... ... anyway this is
another topic :)
anyway this is up to you :)
Regards,
Alexandre
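As an added illustration of the ordering discussed above (a cheap TTL compare on every incoming datagram before the CPU-heavier ICV computation), here is a small Python model of a receive filter. It is not code from ipvs syncd or from the security extension under discussion. The message layout (payload followed by a 16-byte truncated HMAC-SHA256 tag), the shared key, the expected TTL of 255 and the sample payloads are assumptions constructed for the example; on Linux a real receiver would read the incoming TTL from IP_RECVTTL ancillary data rather than take it as a parameter.

```python
"""Receive filter for multicast sync messages: TTL check first, ICV second.

Added example, not syncd code. Message layout, key and payloads are
constructed assumptions for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass

KEY = b"constructed-demo-shared-key"   # assumption: provisioned out of band
ICV_LEN = 16                           # assumption: HMAC-SHA256 truncated to 16 bytes
EXPECTED_TTL = 255                     # sender emits 255; any router hop decrements it


@dataclass
class Stats:
    """Counters showing how much crypto work each class of datagram costs."""
    accepted: int = 0
    ttl_drop: int = 0
    icv_drop: int = 0
    short_drop: int = 0
    icv_computed: int = 0


def compute_icv(key: bytes, payload: bytes) -> bytes:
    """ICV = truncated HMAC-SHA256 over the payload (assumed construction)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:ICV_LEN]


def build_sync_message(key: bytes, payload: bytes) -> bytes:
    """Sender side: datagram = payload || ICV."""
    return payload + compute_icv(key, payload)


def receive_filter(key: bytes, ttl: int, datagram: bytes, stats: Stats,
                   expected_ttl: int = EXPECTED_TTL):
    """Return the authenticated payload, or None if the datagram is dropped.

    The TTL test is an integer compare and runs on every datagram; the HMAC
    is computed only for datagrams that pass it, which is the point made in
    the thread about DoS behaviour.
    """
    if ttl != expected_ttl:              # came through a router (or was forged off-segment)
        stats.ttl_drop += 1
        return None
    if len(datagram) <= ICV_LEN:         # cannot even carry a tag; drop before any crypto
        stats.short_drop += 1
        return None
    payload, tag = datagram[:-ICV_LEN], datagram[-ICV_LEN:]
    stats.icv_computed += 1
    if not hmac.compare_digest(compute_icv(key, payload), tag):
        stats.icv_drop += 1
        return None
    stats.accepted += 1
    return payload


def demo() -> Stats:
    """Feed constructed datagrams through the filter and return the counters."""
    stats = Stats()
    # Constructed sample payloads; not the real syncd wire format.
    genuine = build_sync_message(KEY, b"conn tcp 10.0.0.1:5000 -> 10.0.0.2:80 ESTABLISHED")
    forged = build_sync_message(b"attacker-key", b"conn tcp 10.0.0.9:1 -> 10.0.0.2:80 ESTABLISHED")

    # 1. genuine message from the local segment: TTL untouched, ICV verified once.
    assert receive_filter(KEY, 255, genuine, stats) is not None
    # 2. the same bytes relayed through one router: TTL 254, dropped with no HMAC.
    receive_filter(KEY, 254, genuine, stats)
    # 3. flood from off-segment: every packet rejected by the integer compare alone.
    for _ in range(1000):
        receive_filter(KEY, 200, forged, stats)
    # 4. flood from a host on the local segment: TTL passes, so each one costs an HMAC.
    for _ in range(1000):
        receive_filter(KEY, 255, forged, stats)
    # 5. truncated datagram with the right TTL: dropped before any HMAC.
    receive_filter(KEY, 255, b"short", stats)
    return stats


if __name__ == "__main__":
    print(demo())
```

Case 4 is the residual cost the TTL check cannot remove: an attacker already on the local segment can send with TTL 255, and only the ICV rejects those, which is why the two checks complement each other rather than replace one another.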