From: akyccie (akyccie@gmail.com)
Date: Sat May 31 2008 - 07:01:22 ART
Filtering RP Addresses
You can use the ip pim rp-announce-filter rp-list access-list group-list
access-list command to filter certain RPs for certain multicast groups.
The ip pim rp-announce-filter rp-list access-list group-list access-list
command only has meaning if it is configured at the mapping agent. The
rp-list access-list defines an access-list of candidate RPs that, if
permitted, are accepted for the multicast ranges specified in the group-list
access-list command.
Note: Use this command with caution. RPs that are matched by rp-list
(allowed by a permit statement) have their multicast groups filtered by
group-list. RPs that are denied (either by an explicit or implicit deny) are
not subject to the filtering of their multicast groups and are "blindly"
accepted as candidate RPs for all of their groups. In other words, only RPs
that are permitted by rp-list have their multicast-groups filtered by
group-list. All other RPs are accepted without examination.
----- Original Message -----
From: "David Lonnie" <david.lonnie@gmail.com>
To: "Jude Chou" <qingjiong@gmail.com>
Cc: "Thomas Fowles" <tfowles@gmail.com>; <ccielab@groupstudy.com>
Sent: Saturday, May 31, 2008 2:36 PM
Subject: Re: rp spoofing
> In my opinion, only this works.
>
> access-list 3 deny any
> access-list 4 permit 2.2.2.2
> ip pim rp-announce-filter rp-list 4 group-list 3
>
>
>
> ==============
> On Sat, May 31, 2008 at 4:54 PM, Jude Chou <qingjiong@gmail.com> wrote:
>
>> Hi Tom:
>>
>> Look this:
>>     rp-announce          rp-announce
>>      router 1             router 2
>>         |                    |
>>      -----------------------------
>>                   |
>>               router 3  rp-agent
>>                   |
>>                   |
>>               router 4
>>
>> router 1
>> ip multicast-routing
>> int lo0
>> ip address 1.1.1.1 255.255.255.255
>> ip igmp join 224.1.1.1
>> ip igmp join 224.2.2.2
>> ip pim sparse-dense-mode
>> int e0/0
>> ip address 192.168.123.1 255.255.255.0
>> ip pim sparse-dense-mode
>>
>> access-list 1 permit 224.1.1.1
>> access-list 1 permit 224.2.2.2
>> ip pim send-rp-announce lo0 scope 16 group-list 1
>>
>> router 2
>> ip multicast-routing
>> int lo0
>> ip address 2.2.2.2 255.255.255.255
>> ip igmp join 224.1.1.1
>> ip igmp join 224.2.2.2
>> ip pim sparse-dense-mode
>> int e0/0
>> ip address 192.168.123.2 255.255.255.0
>> ip pim sparse-dense-mode
>> access-list 1 permit 224.1.1.1
>> access-list 1 permit 224.2.2.2
>> ip pim send-rp-announce lo0 scope 16 group-list 1
>>
>> router 3
>> ip multicast-routing
>> int lo0
>> ip add 3.3.3.3 255.255.255.255
>> ip pim sparse-dense-mode
>> int e0/0
>> ip address 192.168.123.3 255.255.255.0
>> ip pim sparse-dense-mode
>> int e0/1
>> ip address 192.168.34.3 255.255.255.0
>>
>> router 4
>> ip multicast-routing
>> int e0/1
>> ip address 192.168.34.4 255.255.255.0
>> ip pim sparse-dense-mode
>>
>> What should I do on router 3? When I use the command "show ip pim rp mapping"
>> it displays this:
>>
>> Group(s) 224.1.1.1/32
>> RP 1.1.1.1 (?), v2v1
>> Info source: 3.3.3.3 (?), elected via Auto-RP
>> Uptime: 00:23:25, expires: 00:02:22
>> Group(s) 224.2.2.2/32
>> RP 1.1.1.1 (?), v2v1
>> Info source: 3.3.3.3 (?), elected via Auto-RP
>> Uptime: 00:23:25, expires: 00:02:19
>>
>> Is this OK?
>>
>> access-list 1 permit 224.1.1.1
>> access-list 1 permit 224.2.2.2
>> access-list 2 permit 1.1.1.1
>> ip pim rp-announce-filter rp-list 2 group-list 1
>>
>> Or
>>
>> access-list 1 permit 224.1.1.1
>> access-list 1 permit 224.2.2.2
>> access-list 2 permit 1.1.1.1
>> ip pim rp-announce-filter rp-list 2 group-list 1
>>
>> access-list 3 deny any
>> access-list 4 permit 2.2.2.2
>> ip pim rp-announce-filter rp-list 4 group-list 3
>>
>> Why?
>>
>> Regards
>>
>> Jude
>>
>>
>> 2008-05-31
>>
>>
>>
>> Jude Chou
>>
>>
>>
>> From: Thomas Fowles
>> Sent: 2008-05-31 11:57:43
>> To: David Lonnie
>> Cc: Cisco certification
>> Subject: Re: rp spoofing
>> David-
>>
>> You would want to configure it more like this:
>>
>> access-list 11 deny 50.50.1.1
>> access-list 11 permit any
>> access-list 22 deny 224.10.10.10
>> access-list 22 permit any
>> ip pim rp-announce-filter rp-list 11 group-list 22
>>
>> What this says is for all RPs except 50.50.1.1, allow everything except
>> 224.10.10.10.
>>
>> If you want to experiment, run "debug ip pim auto-rp" and type "clear ip pim
>> rp-mapping" to see the effects of various changes to the access-lists. You
>> can also have multiple filters defined.
>>
>> Here is a great document that explains this quite well:
>>
>> http://www.cisco.com/en/US/tech/tk828/technologies_configuration_example09186a00801cb923.shtml
>>
>> HTH
>>
>> -Tom
>> CCIE#18762
>>
>> http://www.linkedin.com/in/thomasfowles
>>
>>
>> On Fri, May 30, 2008 at 10:37 PM, David Lonnie <david.lonnie@gmail.com >
>> wrote:
>>
>> > Hi, experts:
>> >
>> > There is a router R1 in a multicast domain (for example, 224.10.10.10).
>> > It's auto-rp, and at the same time it's the rp-agent.
>> >
>> > R1:
>> > ip multicast-routing
>> > interface lo0
>> > ip address 50.50.1.1 255.255.255.0
>> > ip pim sparse-dense-mode
>> >
>> > access-list 1 permit 224.10.10.10
>> > ip pim send-rp-announce lo0 scope 16 group-list 1
>> > ip pim send-rp-discovery lo0 scope 16
>> >
>> > This is my question. How do I configure R1 to prevent RP spoofing, and only
>> > accept loopback0 as the RP for group 224.10.10.10?
>> >
>> > I check it on Document CD.
>> >
>> >
>> http://www.cisco.com/en/US/docs/ios/ipmulti/command/reference/imc_04.html#wp1014569
>> > ip pim rp-announce-filter
>> >
>> > To filter incoming Auto-RP announcement messages coming from the
>> rendezvous
>> > point (RP), use the *ip pim rp-announce-filter* command in global
>> > configuration mode. To remove the filter, use the *no* form of this
>> > command.
>> >
>> >
>> >
>> > So I add these configurations.
>> >
>> > access-list 2 deny host 50.50.1.1
>> > access-list 2 permit ip any
>> > ip pim rp-announce-filter rp-list 2 group-list 1
>> >
>> > Is it correct? And anything else should be configured?
>> > Please correct me if I'm wrong. I'll be very appreciative.
>> >
>> >
>> > David
>> >
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
>
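The rp-announce-filter rule quoted at the top of this thread (an RP permitted by rp-list has its groups checked against group-list; an RP denied by rp-list is accepted blindly for every group) is easy to get backwards, which is why David's first attempt and Jude's first option do not stop the second RP. The following simulation is an added example written for this archive page, not code from the thread or from Cisco IOS. It models a mapping agent applying the filters in the three configurations posted above (Tom's, and Jude's two options, copied verbatim) to constructed Auto-RP announcements. Two modelling assumptions are labelled in the code: an ACL number that is referenced but never defined is treated as permitting everything, and when several filters are configured an announcement must pass all of them.

```python
"""Simulate how an Auto-RP mapping agent applies 'ip pim rp-announce-filter'."""
import ipaddress


def _ip(text):
    return int(ipaddress.ip_address(text))


def parse_acls(config):
    """Collect numbered standard ACLs as ordered (permit?, address, wildcard) entries."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, rest = t[1], t[2], t[3:]
        if rest[0] == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wildcard = _ip(rest[1]), 0
        else:  # "A.B.C.D" or "A.B.C.D wildcard"
            addr = _ip(rest[0])
            wildcard = _ip(rest[1]) if len(rest) > 1 else 0
        acls.setdefault(number, []).append((action == "permit", addr, wildcard))
    return acls


def acl_permits(acls, number, address):
    """First matching entry wins; an ACL with no matching entry denies implicitly.
    Assumption: an ACL number that is referenced but never defined permits everything."""
    if number not in acls:
        return True
    ip = _ip(address)
    for permit, addr, wildcard in acls[number]:
        if (ip ^ addr) & ~wildcard & 0xFFFFFFFF == 0:
            return permit
    return False


def parse_filters(config):
    """Return (rp-list, group-list) pairs from 'ip pim rp-announce-filter' lines."""
    filters = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "pim", "rp-announce-filter"]:
            filters.append((t[t.index("rp-list") + 1], t[t.index("group-list") + 1]))
    return filters


def filter_accepts(acls, rp_list, group_list, rp, group):
    """One filter, using the semantics quoted from the Cisco note in this thread."""
    if not acl_permits(acls, rp_list, rp):
        return True  # RP denied by rp-list: accepted blindly for all of its groups
    return acl_permits(acls, group_list, group)  # RP permitted: groups are filtered


def mapping_agent_accepts(config, rp, group):
    """Assumption: with several filters, an announcement must pass every one of them."""
    acls, filters = parse_acls(config), parse_filters(config)
    return all(filter_accepts(acls, r, g, rp, group) for r, g in filters)


# Tom's suggested filter for David's scenario, copied from the thread.
TOM_FILTER = """
access-list 11 deny 50.50.1.1
access-list 11 permit any
access-list 22 deny 224.10.10.10
access-list 22 permit any
ip pim rp-announce-filter rp-list 11 group-list 22
"""

# Jude's first and second options, copied from the thread.
JUDE_OPTION_1 = """
access-list 1 permit 224.1.1.1
access-list 1 permit 224.2.2.2
access-list 2 permit 1.1.1.1
ip pim rp-announce-filter rp-list 2 group-list 1
"""
JUDE_OPTION_2 = JUDE_OPTION_1 + """
access-list 3 deny any
access-list 4 permit 2.2.2.2
ip pim rp-announce-filter rp-list 4 group-list 3
"""


def thread_results():
    """Constructed announcements (9.9.9.9 is an invented, unexpected RP address)."""
    return {
        "tom: 50.50.1.1 -> 224.10.10.10": mapping_agent_accepts(TOM_FILTER, "50.50.1.1", "224.10.10.10"),
        "tom: 9.9.9.9 -> 224.10.10.10": mapping_agent_accepts(TOM_FILTER, "9.9.9.9", "224.10.10.10"),
        "tom: 9.9.9.9 -> 224.20.20.20": mapping_agent_accepts(TOM_FILTER, "9.9.9.9", "224.20.20.20"),
        "jude1: 2.2.2.2 -> 224.1.1.1": mapping_agent_accepts(JUDE_OPTION_1, "2.2.2.2", "224.1.1.1"),
        "jude2: 2.2.2.2 -> 224.1.1.1": mapping_agent_accepts(JUDE_OPTION_2, "2.2.2.2", "224.1.1.1"),
        "jude2: 1.1.1.1 -> 224.1.1.1": mapping_agent_accepts(JUDE_OPTION_2, "1.1.1.1", "224.1.1.1"),
    }


if __name__ == "__main__":
    for label, accepted in thread_results().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```

Running it shows the point of the thread: under Tom's filter the real RP 50.50.1.1 is accepted blindly while any other RP is refused for 224.10.10.10; under Jude's first option 2.2.2.2 is never matched by rp-list 2, so its announcements are accepted without examination; only the second filter (rp-list 4 permit 2.2.2.2 with group-list 3 deny any) makes the agent reject 2.2.2.2 for every group.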
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:19 ART