
Re: draft-ietf-v6ops-cpe-simple-security-12.txt feedback



On Jul 28, 2010, at 00:23 , Toerless Eckert wrote:

> The reason for this is that the largest scope that we specify in this draft
> will influence designers of IP multicast applications that use ASM multicast.
> The worst of such often written applications are using ASM multicast for
> discovery. When these applications are then deployed in other environments
> such as enterprises, they will send out IP multicast packets that will
> go across the whole organization, which in the case of an enterprise could
> be worldwide.

I don't see the concern.  If an enterprise expects their discovery protocol to be routed over the global scope multicast routing domain, then they should use global scope multicast addresses to be sure that IPv6 CPE simple-security will forward it.  Otherwise, the fact that CPE routers enforce an organizational scope multicast boundary means that CPE routers will block those flows from extending into the service provider routing domain and potentially into networks owned by other subscribers.  If we reduce the scope boundary to site-local, then organizational scope discovery protocols will be blocked by the organizational boundary somewhere north of the subscriber gateway.  This doesn't strike me as a desirable outcome.  Why do you disagree?


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
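
The scope-boundary check discussed in this message, as an added example that is not part of the original e-mail or of the draft: it reads the 4-bit scope field of an IPv6 multicast destination and decides whether a gateway with a given boundary would forward it. The function names, the sample addresses and the handling of reserved scope values are assumptions of this sketch.

```python
import ipaddress

# Scope field values of an IPv6 multicast address (RFC 4291, section 2.7).
SCOPE_NAMES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
RESERVED = {0x0, 0xF}


def multicast_scope(addr):
    """Return the scope nibble of an IPv6 multicast address, or None if unicast."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        return None
    # Layout is ff | flags(4 bits) | scope(4 bits): scope is the low nibble of byte 1.
    return ip.packed[1] & 0x0F


def gateway_forwards(dst, boundary=0x8):
    """True if a gateway enforcing `boundary` lets this multicast destination cross.

    Destinations of equal or narrower scope than the boundary stay inside.
    Dropping reserved scope values is a choice made for this sketch.
    """
    scope = multicast_scope(dst)
    if scope is None:
        raise ValueError(f"{dst} is not a multicast address")
    if scope in RESERVED:
        return False
    return scope > boundary


if __name__ == "__main__":
    # Constructed sample destinations, one per scope of interest.
    samples = ["ff02::fb", "ff05::c", "ff08::1234", "ff0e::1234"]
    for boundary in (0x8, 0x5):
        print(f"boundary = {SCOPE_NAMES[boundary]}")
        for dst in samples:
            name = SCOPE_NAMES.get(multicast_scope(dst), "unassigned")
            verdict = "forward" if gateway_forwards(dst, boundary) else "block"
            print(f"  {dst:<12} {name:<20} {verdict}")
```

With the boundary at organization-local only the global-scope flow crosses the gateway; lowering it to site-local lets the organization-scope flow leave the subscriber network, so it has to be stopped further upstream.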