All things related to multicast

[Bill Owens <>]

At 14:10 -0800 1/17/01, Greg Shepherd wrote:
> The scan sweeps across the class D address range, which is seen as a
> source by the first-hop router, which registers the packets to the RP,
> which sends an SA.
>
> Greg
>
> On Wed, 17 Jan 2001, Kevin Thompson wrote:
>
> >  if true, how does the scan result in the sa explosion - is the scan traffic
> >  coming in on a PIM-DM interface on a router configured w/ proxy-register on
> >  the edge of a PIM-SM domain?
>  > kevin

It's actually pretty easy to simulate. Grab a copy of hping2, and 
fire off a SYN packet to the FTP port of an arbitrary multicast 
address - that's more or less what synscan is doing. For example, 
using my GLOP space:

[root@adelie]#
 ./hping2 -c 1 -p 21 -S 233.14.172.1
eth0 default routing interface selected (according to /proc)
HPING 233.14.172.1 (eth0 233.14.172.1): S set, 40 headers + 0 data bytes

--- 233.14.172.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

c7206-1#sho ip pim rp
Group: 233.14.172.1, RP: 199.109.32.254, v2, next RP-reachable in 00:01:16

And from the Abilene router proxy on CLEV:

show ip msdp sa-cache | include 233.14.172.1

(199.109.32.33, 233.14.172.1), RP 199.109.32.254, MBGP/AS 3756, 
00:00:51/00:05:08

Piece of cake. And of course that's a Really Bad Thing. . .

Bill.