From: Anderson Mota Alves (mota_anderson@hotmail.com)
Date: Fri Jul 13 2007 - 14:02:37 ART
Hi Anthony and Mike,
That was a good point, I knew about the autorp listener but I never tried
to convince the customer to change his mind about Dense-mode and go for
sparse-mode with autorp listener, I think he will accept it since I think
the only good reason he wants to use dense-mode is for the flooding of
the Auto-RP groups.
Thanks a lot,
Andy
  --------------------------------------------------------------------
  From:  "Mike Kraus (mikraus)" <mikraus@cisco.com>
  To:  "Anderson Mota Alves" <mota_anderson@hotmail.com>,
  <ccielab@groupstudy.com>
  Subject:  RE: Multicast - Sparse-Dense-mode Security Issue
  Date:  Fri, 13 Jul 2007 08:48:07 -0400
  >How about this?
  >
  >- Use sparse-mode with ip pim autorp listener (to allow the Auto-RP
  >groups to still be dense-mode flooded).
  >
  >- Continue to use the rp-announce-filter on mapping agents, to prevent
  >rogue RPs from being advertised by the MAs.
  >
  >-  Configure ip pim accept-rp across all of your PIM routers so that
  >join messages will only be processed for RPs in the list.
  >
  >Although I have to say, if the customer is this worried about security
  >there are certainly other things besides multicast that can be broken by
  >rogue/malicious users.  Sounds like a good environment for
  >802.1x/port-security/NAC, to reduce the likelihood of rogue devices
  >being introduced...
  >
  >Thanks,
  >  Mike
  >
  >-----Original Message-----
  >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
  >Anderson Mota Alves
  >Sent: Friday, July 13, 2007 7:20 AM
  >To: ccielab@groupstudy.com
  >Subject: Multicast - Sparse-Dense-mode Security Issue
  >
  >Hi everyone, I'm having a little issue with Multicast in a real
  >environment and I'd like to know if someone here can give me a light for
  >a reasonable solution for this. Customer wants to use PIM
  >Sparse-Dense-mode but he is concerned about someone putting a bogus
  >router on the network with a higher priority and this one starting to
  >announce himself as CA and MA for some groups, causing discrepancy on the
  >network, of course making some routers map him as RP for those groups. My
  >first approach was to configure the command "ip pim rp-announce-filter
  >rp-list x group-list x" with the correct RP address and the groups to be
  >mapped for those RPs; the problem is, since the bogus router has an IP
  >address that is not the one configured in the rp-list, this group is not
  >accepted to be mapped as sparse-mode (expected solution - which is fine at
  >this point) but then routers map this group through Dense-mode using the
  >bogus router as the preferred for the traffic. I'm wondering which is the
  >best way to secure a Multicast network using sparse-dense-mode to not
  >allow a bogus router to announce himself as CA and MA, causing the
  >information on the network to be in discrepancy with the correct RP?
  >
  >Best regards,
  >Andy
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART
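
The three measures listed in Mike's reply (sparse-mode with the Auto-RP listener, rp-announce-filter on the mapping agents, accept-rp on every PIM router), shown as an added Cisco IOS configuration example that is not part of the original thread. The RP address 192.0.2.1, the group range 239.1.0.0/16, ACL numbers 10 and 20, and the interface name are constructed placeholders.

```ios
! ---- Before: the design the customer asked for ----
! Any group without a valid RP mapping is forwarded in dense mode,
! which is the fallback behaviour described in the original question.
interface GigabitEthernet0/0
 ip pim sparse-dense-mode
!
! ---- After: every PIM router ----
ip multicast-routing
!
! Only the two Auto-RP groups (224.0.1.39 and 224.0.1.40) are still
! dense-mode flooded, so RP discovery works without sparse-dense-mode.
ip pim autorp listener
!
interface GigabitEthernet0/0
 ip pim sparse-mode
!
! ACL 10: the legitimate RP (placeholder address)
access-list 10 permit 192.0.2.1
! ACL 20: the groups that RP is allowed to serve (placeholder range)
access-list 20 permit 239.1.0.0 0.0.255.255
!
! Process joins and registers only when the RP is 192.0.2.1 and the
! group matches ACL 20.
ip pim accept-rp 192.0.2.1 20
!
! ---- After: mapping agents only ----
! Accept RP announcements only from the RP in ACL 10 and only for the
! groups in ACL 20; announcements from any other source are dropped
! before they can be relayed in discovery messages.
ip pim rp-announce-filter rp-list 10 group-list 20
```

After the change, `show ip pim rp mapping` on a non-RP router should list only 192.0.2.1 for the permitted range, and `show ip mroute` should show the D (dense) flag only on the 224.0.1.39 and 224.0.1.40 entries.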