
wg-multicast - Re: revised Abilene multicast 'cookbook' available

Subject: All things related to multicast


Re: revised Abilene multicast 'cookbook' available


  • From: John Kristoff <>
  • To:
  • Subject: Re: revised Abilene multicast 'cookbook' available
  • Date: Wed, 28 Jul 2004 11:28:51 -0500

On Tue, 27 Jul 2004 19:17:19 -0500
Brent Sweeny
<>
wrote:

> Based on suggestions from helpful readers (thanks!), I've made a number of
> revisions to the cookbook. As always, it's at
> www.abilene.iu.edu/mccook.html.
> In particular we'll be making some revisions to the filter lists which I'll
> add to the cookbook as they're agreed on here, and additional suggestions
> are
> always welcome.

In the 'MSDP Filter contents' for a Juniper config, the last line is:

route-filter 239.0.0.0/8 orlonger; ! GLOP space

The comment should be (239.0.0.0/8 is administratively scoped space; GLOP is 233.0.0.0/8):

! admin scoped

In addition, here is an example of what I do (an extract, with some
minor details taken out or changed for anonymity's sake):

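routing-options {
    multicast {
        /*
         * Scoping boundaries on every interface for the groups that the
         * multicast-bogons policy (policy-options) also rejects: well-known
         * application groups in 224.0.1.0/24, 224.0.2.0/24 and 224.1.0.0/16,
         * the /24s the author labels "IGMP control", the IANA reserved /8s
         * and the admin-scoped 239.0.0.0/8.  224.77.0.0/16 (norton-ghost)
         * is scoped here but not listed in that policy; presumably
         * intentional, worth confirming.
         */
        scope sgi-dogfight {
            prefix 224.0.1.2/32;
            interface all;
        }
        scope ntp {
            prefix 224.0.1.1/32;
            interface all;
        }
        scope rwhod {
            prefix 224.0.1.3/32;
            interface all;
        }
        scope nis+ {
            prefix 224.0.1.8/32;
            interface all;
        }
        scope srvloc {
            prefix 224.0.1.22/32;
            interface all;
        }
        scope microsoft-ds {
            prefix 224.0.1.24/32;
            interface all;
        }
        scope nbc-pro {
            prefix 224.0.1.25/32;
            interface all;
        }
        scope srvloc-da {
            prefix 224.0.1.35/32;
            interface all;
        }
        scope cisco-rp-announce {
            prefix 224.0.1.39/32;
            interface all;
        }
        scope cisco-rp-discovery {
            prefix 224.0.1.40/32;
            interface all;
        }
        scope hp-device-discovery {
            prefix 224.0.1.60/32;
            interface all;
        }
        scope lucent-avaya-ap {
            prefix 224.0.1.76/32;
            interface all;
        }
        scope rwho-group {
            prefix 224.0.2.1/32;
            interface all;
        }
        scope sun-rpc {
            prefix 224.0.2.2/32;
            interface all;
        }
        scope cisco-aironet-ap {
            prefix 224.1.0.1/32;
            interface all;
        }
        scope retrospect {
            prefix 224.1.0.38/32;
            interface all;
        }
        scope norton-ghost {
            prefix 224.77.0.0/16;
            interface all;
        }
        /*
         * Fix: this scope was the only one without an "interface all;"
         * statement, so unlike its siblings it was bound to no interface
         * and the 224.128.0.0/24 boundary was not enforced anywhere.
         */
        scope igmp-control-224-128-0 {
            prefix 224.128.0.0/24;
            interface all;
        }
        /* IANA reserved /8s between the assigned 224/8 and the SSM 232/8 */
        scope reserved-225 {
            prefix 225.0.0.0/8;
            interface all;
        }
        scope reserved-226 {
            prefix 226.0.0.0/8;
            interface all;
        }
        scope reserved-227 {
            prefix 227.0.0.0/8;
            interface all;
        }
        scope reserved-228 {
            prefix 228.0.0.0/8;
            interface all;
        }
        scope reserved-229 {
            prefix 229.0.0.0/8;
            interface all;
        }
        scope reserved-230 {
            prefix 230.0.0.0/8;
            interface all;
        }
        scope reserved-231 {
            prefix 231.0.0.0/8;
            interface all;
        }
        /* Sub-ranges of the SSM (232/8) and GLOP (233/8) space kept off the wire */
        scope igmp-control-232-0-0 {
            prefix 232.0.0.0/24;
            interface all;
        }
        scope igmp-control-232-128-0 {
            prefix 232.128.0.0/24;
            interface all;
        }
        scope igmp-control-233-0-0 {
            prefix 233.0.0.0/24;
            interface all;
        }
        scope igmp-control-233-128-0 {
            prefix 233.128.0.0/24;
            interface all;
        }
        /* IANA reserved /8s between GLOP (233/8) and admin-scoped (239/8) */
        scope reserved-234 {
            prefix 234.0.0.0/8;
            interface all;
        }
        scope reserved-235 {
            prefix 235.0.0.0/8;
            interface all;
        }
        scope reserved-236 {
            prefix 236.0.0.0/8;
            interface all;
        }
        scope reserved-237 {
            prefix 237.0.0.0/8;
            interface all;
        }
        scope reserved-238 {
            prefix 238.0.0.0/8;
            interface all;
        }
        /* Administratively scoped space must never leave the local domain */
        scope admin-scoped {
            prefix 239.0.0.0/8;
            interface all;
        }
    }
}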

protocols {
igmp {
/* disable IGMP on interfaces where it is not needed */
interface [interface] {
disable;
}
}
/* SAP listener; the note following this config restricts SAP in the
   loopback filter to 224.2.127.254/32 UDP port 9875 */
sap;
msdp {
/* Global MSDP cache shielding using RED-based control of SAs */
active-source-limit {
maximum 26000;
threshold 25000;
}
/* Drop bogon groups/sources and the SSM range from SAs in both
   directions (both policies are defined under policy-options) */
export [ multicast-bogons no-ssm ];
import [ multicast-bogons no-ssm ];
}
pim {
/* Same bogon policy applied to PIM; no-ssm is not applied here,
   presumably so that SSM joins still pass -- confirm */
import multicast-bogons;
rp {
/* Refuse to learn or advertise RP-sets via BSR; the RP is configured
   locally below, so there is nothing to learn from bootstrap messages */
bootstrap-import no-bsr;
bootstrap-export no-bsr;
local {
family inet {
address [rp-address];
group-ranges {
/* control, adhoc, sap, assignments and IANA reserved */
224.0.0.0/8;
/* SSM */
232.0.0.0/8;
/* GLOP */
233.0.0.0/8;
}
}
}
}
/* PIM sparse mode, version 2, on every interface; the ones that do
   not need PIM are disabled individually just below */
interface all {
mode sparse;
version 2;
}
/* disable specific interfaces we don't need PIM on */
interface [interface] {
disable;
}
}
}

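policy-options {
    /* Reject every PIM bootstrap router (BSR) message, received or sent */
    policy-statement no-bsr {
        then reject;
    }
    /*
     * Shared filter referenced as MSDP import/export and PIM import in the
     * protocols stanza.  Terms are evaluated in order: first reject the
     * well-known application, reserved and admin-scoped groups, then reject
     * sources that should never originate multicast, then accept the rest.
     * 224.77.0.0/16 (scoped as norton-ghost in routing-options) is not
     * rejected here; presumably intentional, worth confirming.
     */
    policy-statement multicast-bogons {
        term bogon-groups {
            from {
                /* Network Time Protocol (NTP) */
                route-filter 224.0.1.1/32 exact;
                /* SGI dogfight */
                route-filter 224.0.1.2/32 exact;
                /* rwhod */
                route-filter 224.0.1.3/32 exact;
                /* Sun's NIS+ */
                route-filter 224.0.1.8/32 exact;
                /* srvloc */
                route-filter 224.0.1.22/32 exact;
                /* microsoft-ds */
                route-filter 224.0.1.24/32 exact;
                /* nbc-pro */
                route-filter 224.0.1.25/32 exact;
                /* srvloc-da */
                route-filter 224.0.1.35/32 exact;
                /* cisco-rp-announce */
                route-filter 224.0.1.39/32 exact;
                /* cisco-rp-discovery */
                route-filter 224.0.1.40/32 exact;
                /* hp-device-discovery */
                route-filter 224.0.1.60/32 exact;
                /* Lucent/Avaya AP */
                route-filter 224.0.1.76/32 exact;
                /* rwho group (BSD) */
                route-filter 224.0.2.1/32 exact;
                /* SUN RPC */
                route-filter 224.0.2.2/32 exact;
                /* Cisco/Aironet AP */
                route-filter 224.1.0.1/32 exact;
                /* Dantz Retrospect */
                route-filter 224.1.0.38/32 exact;
                /* IGMP control */
                route-filter 224.128.0.0/24 orlonger;
                /* IANA reserved */
                route-filter 225.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 226.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 227.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 228.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 229.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 230.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 231.0.0.0/8 orlonger;
                /* IGMP control */
                route-filter 232.0.0.0/24 orlonger;
                /* IGMP control */
                route-filter 232.128.0.0/24 orlonger;
                /* IGMP control */
                route-filter 233.0.0.0/24 orlonger;
                /* IGMP control */
                route-filter 233.128.0.0/24 orlonger;
                /* IANA reserved */
                route-filter 234.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 235.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 236.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 237.0.0.0/8 orlonger;
                /* IANA reserved */
                route-filter 238.0.0.0/8 orlonger;
                /* admin scoped */
                route-filter 239.0.0.0/8 orlonger;
            }
            then reject;
        }
        /*
         * Source prefixes that were IANA reserved or special use when this
         * was posted (July 2004).  Unallocated /8s are assigned over time,
         * so this list must be refreshed from a current bogon reference or
         * it will start rejecting legitimate sources.
         */
        term bogon-sources {
            from {
                source-address-filter 0.0.0.0/8 orlonger;
                source-address-filter 1.0.0.0/8 orlonger;
                source-address-filter 2.0.0.0/8 orlonger;
                source-address-filter 5.0.0.0/8 orlonger;
                source-address-filter 7.0.0.0/8 orlonger;
                source-address-filter 10.0.0.0/8 orlonger;
                source-address-filter 23.0.0.0/8 orlonger;
                source-address-filter 27.0.0.0/8 orlonger;
                source-address-filter 31.0.0.0/8 orlonger;
                source-address-filter 36.0.0.0/8 orlonger;
                source-address-filter 37.0.0.0/8 orlonger;
                source-address-filter 39.0.0.0/8 orlonger;
                source-address-filter 41.0.0.0/8 orlonger;
                source-address-filter 42.0.0.0/8 orlonger;
                source-address-filter 49.0.0.0/8 orlonger;
                source-address-filter 50.0.0.0/8 orlonger;
                source-address-filter 71.0.0.0/8 orlonger;
                source-address-filter 72.0.0.0/8 orlonger;
                source-address-filter 73.0.0.0/8 orlonger;
                source-address-filter 74.0.0.0/8 orlonger;
                source-address-filter 75.0.0.0/8 orlonger;
                source-address-filter 76.0.0.0/8 orlonger;
                source-address-filter 77.0.0.0/8 orlonger;
                source-address-filter 78.0.0.0/8 orlonger;
                source-address-filter 79.0.0.0/8 orlonger;
                source-address-filter 80.0.0.0/8 orlonger;
                source-address-filter 89.0.0.0/8 orlonger;
                source-address-filter 90.0.0.0/8 orlonger;
                source-address-filter 91.0.0.0/8 orlonger;
                source-address-filter 92.0.0.0/8 orlonger;
                source-address-filter 93.0.0.0/8 orlonger;
                source-address-filter 94.0.0.0/8 orlonger;
                source-address-filter 95.0.0.0/8 orlonger;
                source-address-filter 96.0.0.0/8 orlonger;
                source-address-filter 97.0.0.0/8 orlonger;
                source-address-filter 98.0.0.0/8 orlonger;
                source-address-filter 99.0.0.0/8 orlonger;
                source-address-filter 100.0.0.0/8 orlonger;
                source-address-filter 101.0.0.0/8 orlonger;
                source-address-filter 102.0.0.0/8 orlonger;
                source-address-filter 103.0.0.0/8 orlonger;
                source-address-filter 104.0.0.0/8 orlonger;
                source-address-filter 105.0.0.0/8 orlonger;
                source-address-filter 106.0.0.0/8 orlonger;
                source-address-filter 107.0.0.0/8 orlonger;
                source-address-filter 108.0.0.0/8 orlonger;
                source-address-filter 109.0.0.0/8 orlonger;
                source-address-filter 110.0.0.0/8 orlonger;
                source-address-filter 111.0.0.0/8 orlonger;
                source-address-filter 112.0.0.0/8 orlonger;
                source-address-filter 113.0.0.0/8 orlonger;
                source-address-filter 114.0.0.0/8 orlonger;
                source-address-filter 115.0.0.0/8 orlonger;
                source-address-filter 116.0.0.0/8 orlonger;
                source-address-filter 117.0.0.0/8 orlonger;
                source-address-filter 118.0.0.0/8 orlonger;
                source-address-filter 119.0.0.0/8 orlonger;
                source-address-filter 120.0.0.0/8 orlonger;
                source-address-filter 121.0.0.0/8 orlonger;
                source-address-filter 122.0.0.0/8 orlonger;
                source-address-filter 123.0.0.0/8 orlonger;
                source-address-filter 124.0.0.0/8 orlonger;
                source-address-filter 125.0.0.0/8 orlonger;
                source-address-filter 126.0.0.0/8 orlonger;
                source-address-filter 127.0.0.0/8 orlonger;
                source-address-filter 169.254.0.0/16 orlonger;
                source-address-filter 172.16.0.0/12 orlonger;
                source-address-filter 173.0.0.0/8 orlonger;
                source-address-filter 174.0.0.0/8 orlonger;
                source-address-filter 175.0.0.0/8 orlonger;
                source-address-filter 176.0.0.0/8 orlonger;
                source-address-filter 177.0.0.0/8 orlonger;
                source-address-filter 178.0.0.0/8 orlonger;
                source-address-filter 179.0.0.0/8 orlonger;
                source-address-filter 180.0.0.0/8 orlonger;
                source-address-filter 181.0.0.0/8 orlonger;
                source-address-filter 182.0.0.0/8 orlonger;
                source-address-filter 183.0.0.0/8 orlonger;
                source-address-filter 184.0.0.0/8 orlonger;
                source-address-filter 185.0.0.0/8 orlonger;
                source-address-filter 186.0.0.0/8 orlonger;
                source-address-filter 187.0.0.0/8 orlonger;
                source-address-filter 189.0.0.0/8 orlonger;
                source-address-filter 190.0.0.0/8 orlonger;
                source-address-filter 192.0.2.0/24 orlonger;
                /*
                 * Fix: RFC 1918 private space.  10/8 and 172.16/12 are
                 * listed above but 192.168/16 was missing, so multicast
                 * sourced from the third private block was accepted.
                 */
                source-address-filter 192.168.0.0/16 orlonger;
                source-address-filter 197.0.0.0/8 orlonger;
                source-address-filter 223.0.0.0/8 orlonger;
                /* Class D and E: a multicast or reserved address is never a valid source */
                source-address-filter 224.0.0.0/3 orlonger;
            }
            then reject;
        }
        /* Anything not rejected above is allowed through */
        term default {
            then accept;
        }
    }
    /* Reject the whole source-specific multicast (SSM) range */
    policy-statement no-ssm {
        term ssm {
            from {
                route-filter 232.0.0.0/8 orlonger;
            }
            then reject;
        }
    }
}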

Then, in the loopback filter, allow MSDP packets only from the configured
MSDP peers (matching on peer IP address, protocol TCP and the msdp port).
Also allow SAP only when it arrives on 224.2.127.254/32, UDP port 9875.
Furthermore, allow IGMP only from the local peer IP, and multicast data
packets only as 224/4 UDP. Allow multicast to 224.0.0.13 (PIM) only from
peers. ...and if you need to, do some rate limiting of multicast.

Doing all that keeps out quite a bit of the known bad stuff while
allowing the known good stuff to pass.

John




