wg-multicast - Re: MSDP storm and its fallout
Subject: All things related to multicast
- From: Marshall Eubanks <>
- To: Hugh LaMaster <>
- Cc: Multicast WG Internet2 <>
- Subject: Re: MSDP storm and its fallout
- Date: Wed, 07 Feb 2001 14:57:23 -0500
Hugh LaMaster wrote:
> We've mostly seen discussion on the technical aspects of this;
> I'm wondering at this point about the layer-8 effects.
> For example, I'm told that as of the end of the I2 meeting,
> the Japanese research network (NACSIS?) and the Korean network
> had turned off MBGP/MSDP peering completely, because the activity
> was causing their unicast routing to fail (I don't have specifics).
> I'm told they don't plan to resume peering until the storms stop.
>
> Several questions here.
>
> How widespread were the Juniper problems? What version of
> JunOS was running? (I think 4.2R2.4 is fairly current.)
> Were the Juniper problems on boxes that had many MSDP peers?
> What patches are desired? (e.g. the SA-limit stuff like Cisco has?)
> What changes would restore everyone's comfort level?
>
> With regard to Cisco routers, Cisco went through publicized
> addition of a couple of features to ameliorate the problem.
> Based on the SA monitors out there, it looks like many people
> upgraded and put in SA-limits. How satisfied are people now
> that these features will protect their networks?
>
Hello, Hugh;
I do not believe that there is a fix for 12.1 IOS builds yet, and
that is what we run. We have had luck rate limiting the appropriate port,
though.
Has anyone noticed that the CAIDA site,
http://www.caida.org/tools/measurement/Mantra/session-mon/session-mon.html
which seemed to successfully rate limit the storms starting 2 weeks ago,
now is being hit again?
>
> Presumably, as the storms flare up from time to time, and
> we bang up against various configured limits, some legitimate
> SA's must not be getting announced all the way through. How
> widespread is this now?
My guess is pretty widespread - on the current
http://beaconserver.accessgrid.org:9999/
there are 50 beacons
Multicasttech cannot be seen by 23 beacons
UOregon cannot be seen by 26 beacons
GATech can only see unm.edu
The Swiss sites can see us (multicasttech) and themselves, and no one else.
Nysernet can see 11 sites (including themselves) but can only be seen by 8 sites.
UMaine, Microsoft, ten.cz, arsc.edu, sc.edu, sdsc.edu, net.il and icair.org report seeing NO external beacons.
Some of this may be due to, e.g., the IOS bug that the Abilene network is replacing throughout their network, but my feel is that the beacon connectivity is much worse than before the storms. One problem here is that there is not a good monitoring tool for this - I cannot really quantify my intuition.
It would be useful if MTRG type monitoring time plots could be obtained, e.g., for each pair of beacons.
>
>
> Is there any reason for people to remain unconnected today?
>
> Long term, what is the solution here? A configurable limit on
> the number of ISM groups and SSM (S,G)'s an interface can join?
> My feeling is that this might be a good solution. If the default
> was fairly low, 2000 groups and 10000 (S,G)'s say, it would cover
> most campus situations, protect routers from both PIM and MSDP state,
> and people who then needed larger limits could configure them in.
> Ultimately, something (like this?) will be needed anyway, to protect
> the local routers against similar activity originating on user LANs.
>
This would make for a very simple DOS - just fill up the available slots.
I think that rate limits might be more effective.
I think that SSM will help here - many of the possible DOS attacks are really
RP attacks.
But, also, a defense in depth is needed. IGMP, PIM routers, and PIM RP's all need to filter on incoming joins (& leaves) and incoming multigroup traffic.
Marshall
>
> Comments?
>
> --
> Hugh LaMaster, M/S 233-21, Email:
>
> NASA Ames Research Center Or:
>
> Moffett Field, CA 94035-1000 Or:
>
> Phone: 650/604-1056 Disc: Unofficial, personal *opinion*.
--
T.M. Eubanks
Multicast Technologies, Inc
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624
Fax : 703-293-9609
e-mail :
http://www.on-the-i.com http://www.buzzwaves.com
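
Added example, not part of the original message: one way to reduce a beacon matrix like the one described above to numbers that can be plotted over time, per beacon and per pair. The input layout (each receiver mapped to the set of senders it reports hearing) and the site names are assumptions constructed for illustration, not the beacon server's actual output format.

```python
from itertools import permutations

# Constructed sample snapshots: receiver -> set of beacons it reports hearing.
# Site names "a".."d" are placeholders, not data from the beacon server.
SNAPSHOTS = {
    "t0": {"a": {"a", "b", "c", "d"}, "b": {"a", "b", "c", "d"},
           "c": {"a", "b", "c", "d"}, "d": {"a", "b", "c", "d"}},
    "t1": {"a": {"a", "b"}, "b": {"a", "b", "c"},
           "c": {"c"}, "d": {"a", "d"}},
}


def summarize(heard):
    """Reduce one receiver->senders matrix to per-beacon and global metrics."""
    sites = sorted(heard)  # only beacons that filed a report are counted
    pairs = list(permutations(sites, 2))  # ordered (receiver, sender), no self-pairs
    ok = {(r, s) for r, s in pairs if s in heard[r]}
    sees = {x: sum(1 for r, _ in ok if r == x) for x in sites}
    seen_by = {x: sum(1 for _, s in ok if s == x) for x in sites}
    return {
        # fraction of directed beacon pairs that currently work
        "connectivity": len(ok) / len(pairs) if pairs else 1.0,
        "sees": sees,
        "seen_by": seen_by,
        # beacons that report no external beacons at all
        "deaf": [x for x in sites if sees[x] == 0],
        # beacons that no other beacon can hear
        "unseen": [x for x in sites if seen_by[x] == 0],
        # receiver hears sender, but not the reverse (asymmetric reachability)
        "one_way": sorted((r, s) for r, s in ok if (s, r) not in ok),
    }


def timeline(snapshots):
    """One (timestamp, connectivity) point per snapshot, ready for plotting."""
    return [(t, round(summarize(m)["connectivity"], 3))
            for t, m in sorted(snapshots.items())]


if __name__ == "__main__":
    for point in timeline(SNAPSHOTS):
        print(point)
    print(summarize(SNAPSHOTS["t1"]))
```
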