From: Mike Kraus (mikraus) (mikraus@cisco.com)
Date: Fri Jul 13 2007 - 09:48:07 ART
How about this?
- Use sparse-mode with ip pim autorp listener (to allow the Auto-RP
groups to still be dense-mode flooded).
- Continue to use the rp-announce-filter on mapping agents, to prevent
rogue RPs from being advertised by the MAs.
- Configure ip pim accept-rp across all of your PIM routers so that
join messages will only be processed for RPs in the list.
Although I have to say, if the customer is this worried about security
there are certainly other things besides multicast that can be broken by
rogue/malicious users. Sounds like a good environment for
802.1x/port-security/NAC, to reduce the likelihood of rogue devices
being introduced...
Thanks,
Mike
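The three steps above written out as IOS configuration, as an added illustration and not something posted in the thread; the RP/MA address 10.1.1.1 on Loopback0, the access-list numbers 10 and 20, the interface name and the 239.1.0.0/16 group range are all made-up values for the example:

```text
! --- Before: sparse-dense-mode. Any group without a learned RP falls back to
! --- dense-mode flooding, which is how the bogus router ends up carrying the
! --- traffic once rp-announce-filter rejects its announcement.
interface GigabitEthernet0/0
 ip pim sparse-dense-mode
!
! --- After: sparse-mode on every PIM interface ...
interface GigabitEthernet0/0
 ip pim sparse-mode
!
! ... with only the Auto-RP groups (224.0.1.39 / 224.0.1.40) still dense-flooded
ip pim autorp listener
!
! Legitimate RP / mapping agent (constructed address 10.1.1.1 on Loopback0)
ip pim send-rp-announce Loopback0 scope 16 group-list 20
ip pim send-rp-discovery Loopback0 scope 16
!
! On the mapping agents: only accept RP announcements from the real RP,
! and only for the allowed group range
ip pim rp-announce-filter rp-list 10 group-list 20
!
! On every PIM router: only process joins and registers for RPs in the list
ip pim accept-rp 10.1.1.1 20
!
access-list 10 permit host 10.1.1.1
access-list 20 permit 239.1.0.0 0.0.255.255
```

After the change, a group that loses its RP mapping is simply not forwarded (check with show ip pim rp mapping) instead of being dense-flooded, so the trade-off is that a missing or filtered RP now means an outage for that group rather than a silent fallback.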
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Anderson Mota Alves
Sent: Friday, July 13, 2007 7:20 AM
To: ccielab@groupstudy.com
Subject: Multicast - Sparse-Dense-mode Security Issue
Hi everyone, I'm having a little issue with Multicast in a real
environment and I'd like to know if someone here can give me some light
on a reasonable solution for this.

The customer wants to use PIM Sparse-Dense-mode, but he is concerned about
someone putting a bogus router on the network with a higher priority,
which then starts announcing itself as CA and MA for some groups, causing
a discrepancy on the network and of course making some routers map it as
RP for those groups.

My first approach was to configure the command "ip pim rp-announce-filter
rp-list x group-list x" with the correct RP address and the groups to be
mapped for those RPs. The problem is that since the bogus router has an IP
address that is not the one configured in the rp-list, this group is not
accepted to be mapped as sparse-mode (expected solution - which is fine at
this point), but then the routers map this group through Dense-mode using
the bogus router as the preferred router for the traffic.

I'm wondering which is the best way to secure a Multicast network using
sparse-dense-mode so as not to allow a bogus router to announce itself as
CA and MA, causing the information on the network to be in discrepancy
with the correct RP?

Best regards,
Andy
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART