RE: Multicast - Sparse-Dense-mode Security Issue

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Fri Jul 13 2007 - 11:47:34 ART


I hope you have your answers by now ... In most real-life deployments, for
security reasons, engineers prefer to go the sparse-mode way. This is
not to say that you can't secure or prevent bogus MAs and RPs within
sparse-dense/dense mode; it's just that you have more control using
just sparse-mode.

I've had this discussion/argument at work before, but this same question
keeps popping up: "What would justify using dense-mode in a bandwidth-
critical environment? Peradventure there was a feed without a valid RP,
that could potentially cost you some bandwidth, you know, as the feeds
will be distributed all over the place/interface where multicast is
enabled, esp. in a situation where an RP crashes." There is another school
of thought that using sparse-dense-mode gives the option to learn
unknown RP information via MA(s). Personally, I will trade off this
"flexibility" for the sake of flooding in circumstances where the RP for
a specific group goes offline/unreachable, which could impact the network
from a bandwidth utilisation perspective.

We have fantastic solutions to mitigate against rogue RPs, but how do
you mitigate against rogue MPs (with a higher loopback address)? At the
end of the day, an RP can only request groups it wants to represent from
the MP; the MP could filter which RP announces for which group. I am
curious to know how you can mitigate against a bogus/rogue MP with a
higher announcement interface. What's the possibility of such taking
charge over the RP-to-group mapping and allowing someone malicious to
add their own rogue RP via this bogus rogue MP?

Many Thanks
 
Yemi Salau

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Mike Kraus (mikraus)
Sent: Friday, July 13, 2007 1:48 PM
To: Anderson Mota Alves; ccielab@groupstudy.com
Subject: RE: Multicast - Sparse-Dense-mode Security Issue

How about this?

- Use sparse-mode with ip pim autorp listener (to allow the Auto-RP
groups to still be dense-mode flooded).

- Continue to use the rp-announce-filter on mapping agents, to prevent
rogue RPs from being advertised by the MAs.

- Configure ip pim accept-rp across all of your PIM routers so that
join messages will only be processed for RPs in the list.

Although I have to say, if the customer is this worried about security,
there are certainly other things besides multicast that can be broken by
rogue/malicious users. Sounds like a good environment for
802.1x/port-security/NAC, to reduce the likelihood of rogue devices
being introduced...

Thanks,
 Mike
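Mike's three steps written out as an IOS configuration fragment, with the weak sparse-dense-mode setting shown first for contrast. This is an added illustration, not configuration from the thread; the RP address 10.0.0.1 on Loopback0, the 239.1.0.0/16 group range, the ACL numbers and the interface names are constructed placeholders.

```cisco
! Constructed example (not from the thread). RP 10.0.0.1, Loopback0,
! ACLs 10/20, interfaces and group range are placeholders.
!
! --- Weak: sparse-dense-mode on the interfaces ---
! A group whose C-RP announcement is dropped by rp-announce-filter ends up
! with no RP mapping and silently falls back to dense-mode flooding,
! which is exactly the behaviour Andy observed.
interface GigabitEthernet0/0
 ip pim sparse-dense-mode
!
! --- Hardened (step 1): sparse-mode everywhere, Auto-RP still works ---
! The listener keeps only the Auto-RP groups (224.0.1.39 and 224.0.1.40)
! dense-mode flooded; every other group needs a known RP or is not forwarded.
ip multicast-routing
ip pim autorp listener
interface GigabitEthernet0/0
 ip pim sparse-mode
interface GigabitEthernet0/1
 ip pim sparse-mode
!
! --- Step 2, on the mapping agent only ---
! Accept RP announcements solely from the legitimate RP and only for the
! groups it is allowed to serve, so the MA never advertises a rogue mapping.
access-list 10 permit 10.0.0.1
access-list 20 permit 239.1.0.0 0.0.255.255
ip pim rp-announce-filter rp-list 10 group-list 20
ip pim send-rp-discovery Loopback0 scope 16
!
! --- Step 3, on every PIM router ---
! Process joins only toward the listed RP for the listed groups; a mapping
! that points anywhere else cannot attract (*,G) joins from this router.
ip pim accept-rp 10.0.0.1 20
!
! --- On the legitimate RP itself (10.0.0.1, constructed) ---
ip pim send-rp-announce Loopback0 scope 16 group-list 20
```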

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Anderson Mota Alves
Sent: Friday, July 13, 2007 7:20 AM
To: ccielab@groupstudy.com
Subject: Multicast - Sparse-Dense-mode Security Issue

Hi everyone, I'm having a little issue with Multicast in a real
environment and I'd like to know if someone here can give me a light on
a reasonable solution for this. Customer wants to use PIM
Sparse-Dense-mode but he is concerned about someone putting a bogus
router on the network with a higher priority, and this one starting to
announce himself as CA and MA for some groups, causing discrepancy on the
network and of course making some routers map him as RP for those groups.

My first approach was to configure the command "ip pim rp-announce-filter
rp-list x group-list x" with the correct RP address and the groups to be
mapped for those RPs. The problem is, since the bogus router has an IP
address that is not the one configured in the rp-list, this group is not
accepted to be mapped as sparse-mode (expected solution, which is fine at
this point), but then routers map this group through dense-mode using the
bogus router as the preferred one for the traffic.

I'm wondering which is the best way to secure a Multicast network using
sparse-dense-mode so as not to allow a bogus router to announce himself
as CA and MA, causing the information on the network to be in discrepancy
with the correct RP?

Best regards, Andy




This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART