RE: Auto RP spoofing prevention

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Mon Jul 16 2007 - 05:45:39 ART


I choose to believe you're 100% spot on!

Spoofing in the true sense of security is simply someone trying to be
who they're not. What if a Hacker set up his own fictitious Router
with the same IP Address configuration, advertising for the same group as the
original Router you've got in place? How do you mitigate against the
"True" RP Spoofing?

Also, how do you mitigate against an Auto-RP MA spoofing?

I've asked these questions so many times on GS, but no one seems to have
the answer. Is the scope of this requirement out of the Multicast capability
of Cisco Routers? Maybe we'll have to resolve to using NAC to make sure
people are who they say they are in the IP network. Just maybe this is
the true solution to Multicast "Spoofing".

Many Thanks
Yemi Salau

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
darth router
Sent: Monday, July 16, 2007 5:22 AM
To: ccielab@groupstudy.com
Subject: Auto RP spoofing prevention

A simple permit on the mapping agent with the rp-list and group-list would
prevent any other RP from becoming the RP for these groups, correct? For
example, if I wanted to map 232.22.22.22 to a particular 150.1.4.4:

ip pim rp-announce-filter rp-list 10 group-list 20

access-list 10 permit 150.1.4.4
access-list 20 permit 232.22.22.22

This itself would create an implicit deny on any other RP announcing itself
with the group of 232.22.22.22, right? I have labbed this up and it seems so,
but I want to make sure there are no other caveats.

DR
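The mapping-agent filter quoted above, modelled as an added Python example (not Cisco IOS code and not from either poster) so the implicit deny and the limitation Yemi raises can be seen on sample announces: the filter only checks the RP address an announce claims, so an announce forged with the permitted address still passes. ACL semantics are simplified (first match wins, implicit deny, a group range is matched by its network address), and all announces below are constructed.

```python
import ipaddress

# Constructed ACLs mirroring the quoted config (simplified model, not IOS code):
#   access-list 10 permit 150.1.4.4     -> rp-list
#   access-list 20 permit 232.22.22.22  -> group-list
# Entries are (action, address, wildcard-mask), like IOS standard ACL lines.
RP_LIST = [("permit", "150.1.4.4", "0.0.0.0")]
GROUP_LIST = [("permit", "232.22.22.22", "0.0.0.0")]


def acl_match(acl, addr):
    """IOS standard-ACL lookup: first matching entry wins, implicit deny at the end."""
    a = int(ipaddress.IPv4Address(str(addr)))
    for action, net, wildcard in acl:
        # Wildcard bits are "don't care"; compare only the remaining bits.
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if (a & care) == (int(ipaddress.IPv4Address(net)) & care):
            return action == "permit"
    return False  # implicit deny


def filter_rp_announce(rp, groups, rp_list=RP_LIST, group_list=GROUP_LIST):
    """Model of 'ip pim rp-announce-filter': accept the RP-Announce only when the
    claimed RP address passes the rp-list and every advertised group range passes
    the group-list. Note it has nothing but the claimed address to go on."""
    if not acl_match(rp_list, rp):
        return False
    return all(acl_match(group_list, ipaddress.IPv4Network(g).network_address)
               for g in groups)


# Constructed RP-Announce samples: (description, claimed RP address, group ranges)
ANNOUNCES = [
    ("legitimate RP", "150.1.4.4", ["232.22.22.22/32"]),
    ("rogue RP, different address", "150.1.5.5", ["232.22.22.22/32"]),
    ("legit RP, unexpected range", "150.1.4.4", ["224.0.0.0/4"]),
    # Yemi's case: a rogue box that forges the permitted RP address in its
    # announce. The filter cannot distinguish it from the real RP.
    ("rogue RP, forged 150.1.4.4", "150.1.4.4", ["232.22.22.22/32"]),
]


def evaluate_announces(announces=ANNOUNCES):
    """Return {description: accepted?} for each constructed announce."""
    return {desc: filter_rp_announce(rp, groups) for desc, rp, groups in announces}


if __name__ == "__main__":
    for desc, ok in evaluate_announces().items():
        print(f"{desc:30s} -> {'accepted' if ok else 'dropped'}")
```

The first three results confirm DR's reading (only the listed RP, and only for the listed group, gets through); the fourth shows why the filter alone does not answer Yemi's question.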



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART