
wg-multicast - Re: Large Multicast Audience

Subject: All things related to multicast


Re: Large Multicast Audience


  • From: John Meylor <>
  • To: Leonard Giuliano <>, ,
  • Cc: Marshall Eubanks <>, Richard Mavrogeanes <>, , ,
  • Subject: Re: Large Multicast Audience
  • Date: Mon, 17 Sep 2001 08:51:52 -0700

Leonard Giuliano wrote:
>
> In my opinion, the best defense against SA storms is vigilance.

Agree, and would include that the proper way to defend against
sa-storms is with local filtering, particularly on ingress,
where there is some chance of applying policy:

before you accept a register, filter:
eg: ip pim accept-register list <acl> | route-map <map>

before you originate an sa-message, filter:
eg: ip msdp redistribute [list <acl>] [asn <aspath-acl>] [route-map <map>]

before you accept an sa-message, filter:
eg: ip msdp sa-filter in <ip-address-or-name>
[list <acl>] [route-map <map>]
[rp-list <acl> | rp-route-map <map>]

before you accept it or pass it on, filter:
eg: ip msdp sa-filter out <ip-address-or-name>
[list <acl>] [route-map <map>]
[rp-list <acl> | rp-route-map <map>]

This way, by the time we get to the global cache being
exchanged, we have some level of confidence that what
is being exchanged, should be there in the first place.

At that point, it's possible as a last-resort measure,
to apply lists which prevent unexpected cache growth:
eg: ip msdp sa-limit <peer-address-or-name> <limit>

although clearly, this is only a last resort, and ideally only
transient until folks get local filtering in place, as it
simply clips the list without applying any logic to what gets
clipped.


John


> Keep a
> close eye on SA cache, and when it exceeds certain high levels,
> investigate- don't just blindly drop packets. If it is an attack, throw
> on a temporary SA filter to stop the attack. A proactive measure is
> always optimal, but in this case there is none that doesn't create newer
> and potentially worse problems...yet.
>
> -Lenny
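The four filtering points John lists, written out as one IOS-style configuration. This is an added example, not part of John's or Lenny's messages: the peer address 192.0.2.1, the local source prefix 198.51.100.0/24, the access-list numbers and the sa-limit value are all assumed placeholders, and the group ranges denied (Auto-RP 224.0.1.39/40, admin-scoped 239/8, SSM 232/8) are the usual candidates for groups that should never appear in an SA, not something the thread itself specifies.

```cisco
! Added example (not from the original thread): the filtering points from
! the message above, in the order an SA passes through the router.
! Peer 192.0.2.1, prefix 198.51.100.0/24, ACL numbers and the limit value
! are assumed placeholders.
!
! 1. Before accepting a PIM register from a local first-hop router:
!    only sources inside our own prefix may be registered with the RP.
ip pim accept-register list 101
access-list 101 permit ip 198.51.100.0 0.0.0.255 any
!
! 2. Before originating an SA for a locally registered source:
!    never advertise Auto-RP, admin-scoped or SSM groups to MSDP peers,
!    and only advertise sources from our own prefix.
ip msdp redistribute list 102
access-list 102 deny   ip any host 224.0.1.39
access-list 102 deny   ip any host 224.0.1.40
access-list 102 deny   ip any 239.0.0.0 0.255.255.255
access-list 102 deny   ip any 232.0.0.0 0.255.255.255
access-list 102 permit ip 198.51.100.0 0.0.0.255 any
!
! 3. Before accepting an SA from a peer: apply the same group policy inbound.
ip msdp peer 192.0.2.1 connect-source Loopback0
ip msdp sa-filter in 192.0.2.1 list 103
access-list 103 deny   ip any host 224.0.1.39
access-list 103 deny   ip any host 224.0.1.40
access-list 103 deny   ip any 239.0.0.0 0.255.255.255
access-list 103 deny   ip any 232.0.0.0 0.255.255.255
access-list 103 permit ip any any
!
! 4. Before passing an SA on to a peer: the same list outbound, so a bad
!    entry that slipped into the cache is at least not re-advertised.
ip msdp sa-filter out 192.0.2.1 list 103
!
! Last resort, as the message says: cap the SA cache per peer. This applies
! no policy to which entries are dropped, so it only bounds the damage.
ip msdp sa-limit 192.0.2.1 1000
```

The value of the ordering is that each stage narrows what the next one can see: the register filter keeps foreign sources out of the RP, the redistribute list keeps local junk from being originated, and the in/out SA filters keep peers' junk from being cached or relayed. The sa-limit then only has to catch what those three missed, which is why John describes it as transient rather than as the defense itself.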




