[140222] in North American Network Operators' Group
RE: How do you put a TV station on the Mbone?
daemon@ATHENA.MIT.EDU (Antonio Querubin)
Thu May 5 12:29:09 2011
Date: Thu, 5 May 2011 06:26:48 -1000 (HST)
From: Antonio Querubin <tony@lavanauts.org>
To: George Bonser <gbonser@seven.com>
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0C9E30EF@RWC-EX1.corp.seven.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, 4 May 2011, George Bonser wrote:
>> SSM with encryption?
>
> Well, certainly, but source address can be very easily spoofed with a
> UDP multicast stream. Now that could be mitigated with a lot of network
> configuration rules but something is needed that just works without all
> that.

It's harder to effectively use spoofed source addresses in multicasting
because of RPF. When you couple it with SSM you're forcing the attacker
to either use multiple injection points, or gain access to a router close
to the real source address. Couple that with encryption and you're
denying spoofed addresses as an effective intrusion venue for large groups
of viewers listening to a specific SSM source.

Perfect is the enemy of good.

Antonio Querubin
e-mail: tony@lavanauts.org
xmpp: antonioquerubin@gmail.com
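
The RPF and SSM checks discussed in the message above, as a small model of one router's forwarding decision. This is an added example, not part of the original post; the routing table, interface names, addresses (documentation ranges) and function names are all constructed for illustration.

```python
import ipaddress

# Constructed unicast routing table of one router: prefix -> interface toward it.
ROUTES = {
    "0.0.0.0/0": "eth0",        # default route (upstream)
    "198.51.100.0/24": "eth1",  # network where the real source lives
    "203.0.113.0/24": "eth2",   # receivers
}

# Constructed SSM state: (source, group) channels that receivers have joined,
# mapped to the interfaces the traffic is replicated to.
SSM_STATE = {("198.51.100.10", "232.1.1.1"): {"eth2"}}


def rpf_interface(source, routes=ROUTES):
    """Longest-prefix match: the interface unicast routing uses to reach source."""
    addr = ipaddress.ip_address(source)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(source, group, in_iface):
    """Return (verdict, outgoing interfaces) for one multicast packet."""
    oifs = SSM_STATE.get((source, group))
    if oifs is None:
        # SSM: only explicitly joined (S,G) channels are forwarded at all.
        return ("drop: no (S,G) state", set())
    if rpf_interface(source) != in_iface:
        # RPF: the packet must arrive on the interface that leads back to S.
        return ("drop: RPF failure", set())
    return ("forward", oifs - {in_iface})


if __name__ == "__main__":
    packets = [  # constructed test traffic: (source, group, arrival interface)
        ("198.51.100.10", "232.1.1.1", "eth1"),  # genuine source
        ("198.51.100.10", "232.1.1.1", "eth0"),  # spoofed, injected upstream
        ("192.0.2.66", "232.1.1.1", "eth0"),     # other source, same group
    ]
    for pkt in packets:
        print(pkt, "->", forward(*pkt))
```

A packet carrying the real source address that also arrives on eth1 passes both checks, which is the remaining case the message pairs with encryption.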