Re: Multicast - Sparse-Dense-mode Security Issue

From: Anthony Bonilla (anthonybonilla.ccie@gmail.com)
Date: Fri Jul 13 2007 - 09:27:35 ART

• Next message: Serhat Aslan: "Re: IE CCIE Tech: HIERARCHICAL POLICY-MAPS FOR TRAFFIC POLICING"
• Previous message: Anderson Mota Alves: "Multicast - Sparse-Dense-mode Security Issue"
• Maybe in reply to: Anderson Mota Alves: "Multicast - Sparse-Dense-mode Security Issue"
• Next in thread: Mike Kraus \(mikraus\): "RE: Multicast - Sparse-Dense-mode Security Issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Anderson,

My first obvious question to your customer would be "what is the reason to
have dense mode configured in the first place"? It seems like that you have
AutoRP configured in the network and if so, you can actually only configure
sparse mode and auto-listener command so that only communication b/w RP and
MA would be running in dense mode whereas everything would use sparse mode.
Let me know if this sounds right.

Tony

On 7/13/07, Anderson Mota Alves <mota_anderson@hotmail.com> wrote:
>
> Hi everyone, I'm having a little issue with Multicast in a real
> environment and I'd like to know if someone here can give me a light for
> a reasonable solutions for this.Customer wants to use PIM
> Sparse-Dense-mode but he is concerned about someone putting a bogus
> router on the network with a higher priority and this one start announce
> himself as CA and MA for some groups causing discrepancy on the network
> of course making some routers map him as RP for those groups. My first
> approach was to configure the command "ip pim rp-announce-filter rp-list
> x group-list x"with the correct RP address and the groups to be mapped
> for those RPs, the problem is since the bogus router has an IP address
> that is not the one configured in the rp-list this group is not accepted
> to be mapped as sparse-mode (expected solution - which is fine at this
> point) but then routers map this group through Dense-mode using the bogus
> router as the preferred for the traffic. I'm wondering which is the best
> way to secure a Multicast network using sparse-dense-mode to not allow a
> bogus router to announce himself as CA and MA causing the information on
> network to be in discrepancy with the correct RP? Best regards, Andy
>
> ------------------------------------------------------------------------
>
> FREE pop-up blocking with the new MSN Toolbar MSN Toolbar Get it now!
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Serhat Aslan: "Re: IE CCIE Tech: HIERARCHICAL POLICY-MAPS FOR TRAFFIC POLICING"
• Previous message: Anderson Mota Alves: "Multicast - Sparse-Dense-mode Security Issue"
• Maybe in reply to: Anderson Mota Alves: "Multicast - Sparse-Dense-mode Security Issue"
• Next in thread: Mike Kraus \(mikraus\): "RE: Multicast - Sparse-Dense-mode Security Issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART