wg-multicast - Re: MSDP Storm
Subject: All things related to multicast
- From: Bill Nickless <>
- To:
- Cc: Bill Nickless <>, Bill Owens <>, Greg Shepherd <>, Kevin Thompson <>, , mbone mail list <>
- Subject: Re: MSDP Storm
- Date: Wed, 17 Jan 2001 18:11:05 -0600
At 06:03 PM 1/17/2001 -0500, Marshall Eubanks wrote:
>Bill;
>
> You did indeed, now you seem clairvoyant.

Aiee! I didn't mean to leave that impression--my earlier notes contained a
write-up of the problem in detail that didn't go to some of the lists,
which is why I reposted them to the wider audience.

>BUT, it seems to me that at base this is not an MSDP issue - it is an IGMP
>issue. Wouldn't it make more sense (although, alas, more work) to rate
>limit IGMP joins?

Good question.

I agree with Dave Meyer's comment, that the general problem is a lack of
rate limiting on routing protocols subject to flooding, including
MSDP. Should we include IGMP in this list of protocols that should be rate
limitable? I'm not sure.

In this case, though, I don't think the problem could have been solved by
rate limiting on IGMP. The MSDP SAs were created from PIM Register
packets, which were made from actual IP data packets that the (broken, ugly)
scanner transmitted. Thus, IGMP wasn't necessary for the problem to spread
widely.

That being said, I would be interested to know if the kernel on the
compromised hosts did actually do IGMP joins to receive any replies, or if
the non-multicast-aware scanner did enough of the right socket calls.

===
Bill Nickless http://www.mcs.anl.gov/people/nickless +1 630 252 7390
PGP:0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7