rfcdiff: draft-ietf-mmusic-sdp-srcfilter-09.txt -> draft-ietf-mmusic-sdp-srcfilter-10.txt
(The -10 text is shown below; where -09 differed, its text follows in [was: ...] brackets.)

Network Working Group                                          Bob Quinn
INTERNET-DRAFT                                            Celox Networks
Category: Standards Track                                 Ross Finlayson
Expires: March 2006 [was: December 2005]   Live Networks, Inc. [was: LIVE.COM]
September 22, 2005 [was: June 16, 2005]

Session Description Protocol (SDP) Source Filters
<draft-ietf-mmusic-sdp-srcfilter-10.txt> [was: <draft-ietf-mmusic-sdp-srcfilter-09.txt>]

Status of this Memo

By submitting this Internet-Draft, each author represents that
any applicable patent or other IPR claims of which he or she is
aware have been or will be disclosed, and any of which he or she
becomes aware will be disclosed, in accordance with Section 6 of
BCP 79.

Internet-Drafts are working documents of the Internet Engineering
[skipping to change at line 404]
authenticity.

Using the source IP address for authentication is weak, since
addresses are often dynamically assigned and it is possible for a
sender to "spoof" its source address (i.e., use one other than its
own) in datagrams that it sends. Proper router configuration,
however, can reduce the likelihood of "spoofed" source addresses
being sent to or from a network. Specifically, border routers are
encouraged to filter traffic so that datagrams with invalid source
addresses are not forwarded (e.g., routers drop datagrams if the
source address is non-local) [FILTERING] [was: [CA-96.21]]. This,
however, does not prevent IP source addresses from being spoofed on
a LAN.

Also, as noted in section 3 above, tunneling or NAT mechanisms
may require corresponding translation of the addresses specified in
the SDP "source-filter" attribute, and furthermore, may cause a set
of original source addresses to be translated to a smaller set of
source addresses as seen by the receiver.

Use of FQDNs for either <dest-address> or <src-list> values provides
a layer of indirection that gives great flexibility. However, it
also exposes the source-filter to any security inadequacies that the
DNS system may have. If unsecured, it is conceivable that the DNS
server could return illegitimate addresses.

[Paragraph added in -10:]
In addition, if source-filtering is implemented by sharing the
source-filter information with network elements, then the security of
the protocol(s) that are used for this (e.g., [IGMPv3]) becomes
important, to ensure that legitimate traffic (and only legitimate
traffic) is received.

For these reasons, receivers SHOULD NOT treat the SDP "source-filter"
attribute as their sole mechanism for protecting the integrity
of received content.
6. IANA Considerations

As recommended by [SDP] (Appendix B), the new attribute name
"source-filter" should be registered with IANA, as follows:

The following contact information shall be used for all
registrations included here:

Contact: Ross Finlayson
email: finlayson (at) live555.com [was: finlayson (at) live.com]
phone: +1-650-254-1184

SDP Attribute ("att-field"):
Attribute name: source-filter
Long form: Source Filter
Type of name: att-field
Type of attribute: Session level or media level
Subject to charset: No
Purpose: See this document
Reference: This document
[skipping to change at line 467 (-09: line 461)]
8. Normative References

[ABNF] Crocker, D., P. Overell, "Augmented BNF for Syntax
Specifications: ABNF," RFC 2234, November 1997.

[REQMNT] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels," BCP 14, RFC 2119, March 1997.

[RTCP-SSM] Chesterfield, J., E. Schooler, J. Ott,
"RTCP Extensions for Single-Source Multicast Sessions
with Unicast Feedback," Work in Progress, October 2004.

[SDP] Handley, M., V. Jacobson, C. Perkins,
"SDP: Session Description Protocol,"
Work in Progress, February 2005.

[UTF-8] Yergeau, F., "UTF-8, a transformation format of
ISO 10646," RFC 3629, October 1996.

9. Informative References

[FILTERING] Ferguson, P., D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP
Source Address Spoofing," BCP 38, RFC 2827, May 2000.
[replaces -09's entry: [CA-96.21] CERT Advisory CA-96.21, "TCP SYN
Flooding and IP Spoofing Attacks," September 1996.]

[IGMPv1] Deering, S., "Host Extensions for IP Multicasting,"
RFC 1112 (STD 5), August 1989.

[IGMPv3] Cain, B., et al., "Internet Group Management Protocol,
Version 3," RFC 3376, October 2002.

[MSF API] Thaler, D., B. Fenner, B. Quinn, "Socket Interface
Extensions for Multicast Source Filters,"
RFC 3678, January 2004.
[skipping to change at line 509 (-09: line 502)]
10. Authors' Addresses

Bob Quinn
Celox Networks
2 Park Central Drive
Southborough, MA 01772
phone: 508-305-7000
email: bquinn (at) celoxnetworks.com

Ross Finlayson
Live Networks, Inc. [was: Live Networks, Inc. (LIVE.COM)]
650 Castro St., suite 120-196
Mountain View, CA 94041
email: finlayson (at) live555.com [was: finlayson (at) live.com]

11. IPR Notice

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology
described in this document or the extent to which any license
under such rights might or might not be available; nor does it
represent that it has made any independent effort to identify any
such rights. Information on the procedures with respect to rights
[skipping to change at line 563 (-09: line 556)]
Appendix A. Source-Filter Attribute Syntax

This appendix provides an Augmented BNF [ABNF] grammar for expressing
an exclusion or inclusion list of one or more (IPv4 or IPv6) unicast
source addresses. It is intended as an extension to the grammar for
the Session Description Protocol, as defined in [SDP]. Specifically,
it describes the syntax for the new "source-filter" attribute field,
which MAY be either a session-level or media-level attribute.

The "dest-address" [was: "connection-address"] value in each source
filter field MUST match an existing connection-field value, unless
the wildcard connection-address value "*" is specified.
source-filter = "source-filter" ":" SP filter-mode SP filter-spec
                ; SP is the ASCII 'space' character
                ; (0x20, defined in [ABNF]).

filter-mode = "excl" / "incl"
                ; either exclusion or inclusion mode

filter-spec = nettype SP address-types SP dest-address SP src-list
                ; nettype is as defined in [SDP].

address-types = "*" / addrtype
                ; "*" for all address types (both IP4 and IP6),
                ; but only when <dest-address> and <src-list>
                ; reference FQDNs.
                ; addrtype is as defined in [SDP].

dest-address = "*" / basic-multicast-address / unicast-address
                ; "*" applies to all connection-address values.
                ; unicast-address is as defined in [SDP].
[was in -09:
dest-address = "*" / IP4-address / IP6-address / FQDN
                ; "*" applies to all connection-address values.
                ; IP4-address, IP6-address, FQDN are as defined
                ; in [SDP].]

src-list = *(unicast-address SP) unicast-address
[was in -09: src-list = *(addr SP) unicast-address]
                ; one or more unicast source addresses (in
                ; standard IPv4 or IPv6 ASCII-notation form)
                ; or FQDNs.
                ; unicast-address is as defined in [SDP].

[Rules added in -10:]
basic-multicast-address = basic-IP4-multicast / basic-IP6-multicast
                          / FQDN / extn-addr
                ; i.e., the same as multicast-address
                ; defined in [SDP], except that the
                ; /<ttl> and /<number of addresses>
                ; fields are not included.
                ; FQDN and extn-addr are as defined
                ; in [SDP].

basic-IP4-multicast = m1 3( "." decimal-uchar )
                ; m1 and decimal-uchar are as defined
                ; in [SDP].

basic-IP6-multicast = hexpart
                ; hexpart is as defined in [SDP].
End of changes. 14 change blocks.
15 lines changed or deleted, 21 lines changed or added.

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/