wg-multicast - Re: revised Abilene multicast 'cookbook' available
- From: Alan Crosswell <>
- To: Leonard Giuliano <>
- Cc: Matthew Davy <>, , John Kristoff <>
- Subject: Re: revised Abilene multicast 'cookbook' available
- Date: Wed, 28 Jul 2004 16:16:55 -0400
Yeah, that was the consensus opinion in the class and a security hole too, unless there's a way to declare the DR priority to a value better than one that will ever appear in PIM Hellos. Kinda like a localpref. What about leaving PIM enabled on the interface but using an inbound ACL to drop PIM Hellos?
/a
Leonard Giuliano wrote:
Correct. The PIM DR is the router responsible for joining the traffic, so
if you disable PIM on that interface you won't get any mcast forwarded
onto that interface in Juniper-ese.
-Lenny
On Wed, 28 Jul 2004, Matthew Davy wrote:
-) -----BEGIN PGP SIGNED MESSAGE-----
-) Hash: SHA1
-)
-) I don't believe you can disable PIM on host-only interfaces. I think
-) if you did this, the router would not provide multicast routing for
-) that interface. It would be easy enough to test though.
-)
-) - - Matt
-)
-)
-) On Jul 28, 2004, at 2:57 PM, Alan Crosswell wrote:
-)
-) > Oh, man, I can't dogfight with your campus? Sheesh:-)
-) >
-) > One question that came up during last week's workshop was whether one
-) > can disable PIM on a hosts-only interface (e.g. only listen to IGMP
-) > but ignore PIM DR election, etc.) Do you know if this can be done in
-) > Juniper- or Cisco-ese? Given that our routers are numbered .1 on our
-) > /24's, someone else can always win the DR election assuming the DR
-) > priority can't be set to infinity somehow. Of course they always win
-) > the IGMP Querier election:-)
-) > /a
-) >
-) >
-) > John Kristoff wrote:
-) >> On Tue, 27 Jul 2004 19:17:19 -0500
-) >> Brent Sweeny <> wrote:
-) >>> Based on suggestions from helpful readers (thanks!), I've made a
-) >>> number of revisions to the cookbook. As always, it's at
-) >>> www.abilene.iu.edu/mccook.html.
-) >>> In particular we'll be making some revisions to the filter lists
-) >>> which I'll add to the cookbook as they're agreed on here, and
-) >>> additional suggestions are always welcome.
-) >> In the 'MSDP Filter contents' for a Juniper config, the last line is:
-) >> route-filter 239.0.0.0/8 orlonger; ! GLOP space
-) >> The comment should be:
-) >> ! admin scoped
-) >> In addition, here is an example of what I do (an extract with some
-) >> minor details take out or changed for anonymity sake):
-) >> routing-options {
-) >> multicast {
-) >> scope sgi-dogfight {
-) >> prefix 224.0.1.2/32;
-) >> interface all;
-) >> }
-) >> scope ntp {
-) >> prefix 224.0.1.1/32;
-) >> interface all;
-) >> }
-) >> scope rwhod {
-) >> prefix 224.0.1.3/32;
-) >> interface all;
-) >> }
-) >> scope nis+ {
-) >> prefix 224.0.1.8/32;
-) >> interface all;
-) >> }
-) >> scope srvloc {
-) >> prefix 224.0.1.22/32;
-) >> interface all;
-) >> }
-) >> scope microsoft-ds {
-) >> prefix 224.0.1.24/32;
-) >> interface all;
-) >> }
-) >> scope nbc-pro {
-) >> prefix 224.0.1.25/32;
-) >> interface all;
-) >> }
-) >> scope srvloc-da {
-) >> prefix 224.0.1.35/32;
-) >> interface all;
-) >> }
-) >> scope cisco-rp-announce {
-) >> prefix 224.0.1.39/32;
-) >> interface all;
-) >> }
-) >> scope cisco-rp-discovery {
-) >> prefix 224.0.1.40/32;
-) >> interface all;
-) >> }
-) >> scope hp-device-discovery {
-) >> prefix 224.0.1.60/32;
-) >> interface all;
-) >> }
-) >> scope lucent-avaya-ap {
-) >> prefix 224.0.1.76/32;
-) >> interface all;
-) >> }
-) >> scope rwho-group {
-) >> prefix 224.0.2.1/32;
-) >> interface all;
-) >> }
-) >> scope sun-rpc {
-) >> prefix 224.0.2.2/32;
-) >> interface all;
-) >> }
-) >> scope cisco-aironet-ap {
-) >> prefix 224.1.0.1/32;
-) >> interface all;
-) >> }
-) >> scope retrospect {
-) >> prefix 224.1.0.38/32;
-) >> interface all;
-) >> }
-) >> scope norton-ghost {
-) >> prefix 224.77.0.0/16;
-) >> interface all;
-) >> }
-) >> scope igmp-control-224-128-0 {
-) >> prefix 224.128.0.0/24;
-) >> }
-) >> scope reserved-225 {
-) >> prefix 225.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-226 {
-) >> prefix 226.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-227 {
-) >> prefix 227.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-228 {
-) >> prefix 228.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-229 {
-) >> prefix 229.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-230 {
-) >> prefix 230.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-231 {
-) >> prefix 231.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope igmp-control-232-0-0 {
-) >> prefix 232.0.0.0/24;
-) >> interface all;
-) >> }
-) >> scope igmp-control-232-128-0 {
-) >> prefix 232.128.0.0/24;
-) >> interface all;
-) >> }
-) >> scope igmp-control-233-0-0 {
-) >> prefix 233.0.0.0/24;
-) >> interface all;
-) >> }
-) >> scope igmp-control-233-128-0 {
-) >> prefix 233.128.0.0/24;
-) >> interface all;
-) >> }
-) >> scope reserved-234 {
-) >> prefix 234.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-235 {
-) >> prefix 235.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-236 {
-) >> prefix 236.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-237 {
-) >> prefix 237.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope reserved-238 {
-) >> prefix 238.0.0.0/8;
-) >> interface all;
-) >> }
-) >> scope admin-scoped {
-) >> prefix 239.0.0.0/8;
-) >> interface all;
-) >> }
-) >> }
-) >> }
-) >> protocols {
-) >> igmp {
-) >> /* disable IGMP on interfaces where it is not needed */
-) >> interface [interface] {
-) >> disable;
-) >> }
-) >> }
-) >> sap;
-) >> msdp {
-) >> /* Global MSDP cache shielding using RED-based control of SAs */
-) >> active-source-limit {
-) >> maximum 26000;
-) >> threshold 25000;
-) >> }
-) >> export [ multicast-bogons no-ssm ];
-) >> import [ multicast-bogons no-ssm ];
-) >> }
-) >> pim {
-) >> import multicast-bogons;
-) >> rp {
-) >> bootstrap-import no-bsr;
-) >> bootstrap-export no-bsr;
-) >> local {
-) >> family inet {
-) >> address [rp-address];
-) >> group-ranges {
-) >> /* control, adhoc, sap, assignments and IANA reserved */
-) >> 224.0.0.0/8;
-) >> /* SSM */
-) >> 232.0.0.0/8;
-) >> /* GLOP */
-) >> 233.0.0.0/8;
-) >> }
-) >> }
-) >> }
-) >> }
-) >> interface all {
-) >> mode sparse;
-) >> version 2;
-) >> }
-) >> /* disable specific interfaces we don't need PIM on */
-) >> interface [interface] {
-) >> disable;
-) >> }
-) >> }
-) >> }
-) >> policy-options {
-) >> /* Reject all PIM bootstrap router (BSR) messages */
-) >> policy-statement no-bsr {
-) >> then reject;
-) >> }
-) >> policy-statement multicast-bogons {
-) >> term bogon-groups {
-) >> from {
-) >> /* Network Time Protocol (NTP) */
-) >> route-filter 224.0.1.1/32 exact;
-) >> /* SGI dogfight */
-) >> route-filter 224.0.1.2/32 exact;
-) >> /* rwhod */
-) >> route-filter 224.0.1.3/32 exact;
-) >> /* Sun's NIS+ */
-) >> route-filter 224.0.1.8/32 exact;
-) >> /* srvloc */
-) >> route-filter 224.0.1.22/32 exact;
-) >> /* microsoft-ds */
-) >> route-filter 224.0.1.24/32 exact;
-) >> /* nbc-pro */
-) >> route-filter 224.0.1.25/32 exact;
-) >> /* srvloc-da */
-) >> route-filter 224.0.1.35/32 exact;
-) >> /* cisco-rp-announce */
-) >> route-filter 224.0.1.39/32 exact;
-) >> /* cisco-rp-discovery */
-) >> route-filter 224.0.1.40/32 exact;
-) >> /* hp-device-discovery */
-) >> route-filter 224.0.1.60/32 exact;
-) >> /* Lucent/Avaya AP */
-) >> route-filter 224.0.1.76/32 exact;
-) >> /* rwho group (BSD) */
-) >> route-filter 224.0.2.1/32 exact;
-) >> /* SUN RPC */
-) >> route-filter 224.0.2.2/32 exact;
-) >> /* Cisco/Aironet AP */
-) >> route-filter 224.1.0.1/32 exact;
-) >> /* Dantz Retrospect */
-) >> route-filter 224.1.0.38/32 exact;
-) >> /* IGMP control */
-) >> route-filter 224.128.0.0/24 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 225.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 226.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 227.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 228.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 229.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 230.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 231.0.0.0/8 orlonger;
-) >> /* IGMP control */
-) >> route-filter 232.0.0.0/24 orlonger;
-) >> /* IGMP control */
-) >> route-filter 232.128.0.0/24 orlonger;
-) >> /* IGMP control */
-) >> route-filter 233.0.0.0/24 orlonger;
-) >> /* IGMP control */
-) >> route-filter 233.128.0.0/24 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 234.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 235.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 236.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 237.0.0.0/8 orlonger;
-) >> /* IANA reserved */
-) >> route-filter 238.0.0.0/8 orlonger;
-) >> /* admin scoped */
-) >> route-filter 239.0.0.0/8 orlonger;
-) >> }
-) >> then reject;
-) >> }
-) >> term bogon-sources {
-) >> /* IANA reserved and special use */
-) >> from {
-) >> source-address-filter 0.0.0.0/8 orlonger;
-) >> source-address-filter 1.0.0.0/8 orlonger;
-) >> source-address-filter 2.0.0.0/8 orlonger;
-) >> source-address-filter 5.0.0.0/8 orlonger;
-) >> source-address-filter 7.0.0.0/8 orlonger;
-) >> source-address-filter 10.0.0.0/8 orlonger;
-) >> source-address-filter 23.0.0.0/8 orlonger;
-) >> source-address-filter 27.0.0.0/8 orlonger;
-) >> source-address-filter 31.0.0.0/8 orlonger;
-) >> source-address-filter 36.0.0.0/8 orlonger;
-) >> source-address-filter 37.0.0.0/8 orlonger;
-) >> source-address-filter 39.0.0.0/8 orlonger;
-) >> source-address-filter 41.0.0.0/8 orlonger;
-) >> source-address-filter 42.0.0.0/8 orlonger;
-) >> source-address-filter 49.0.0.0/8 orlonger;
-) >> source-address-filter 50.0.0.0/8 orlonger;
-) >> source-address-filter 71.0.0.0/8 orlonger;
-) >> source-address-filter 72.0.0.0/8 orlonger;
-) >> source-address-filter 73.0.0.0/8 orlonger;
-) >> source-address-filter 74.0.0.0/8 orlonger;
-) >> source-address-filter 75.0.0.0/8 orlonger;
-) >> source-address-filter 76.0.0.0/8 orlonger;
-) >> source-address-filter 77.0.0.0/8 orlonger;
-) >> source-address-filter 78.0.0.0/8 orlonger;
-) >> source-address-filter 79.0.0.0/8 orlonger;
-) >> source-address-filter 80.0.0.0/8 orlonger;
-) >> source-address-filter 89.0.0.0/8 orlonger;
-) >> source-address-filter 90.0.0.0/8 orlonger;
-) >> source-address-filter 91.0.0.0/8 orlonger;
-) >> source-address-filter 92.0.0.0/8 orlonger;
-) >> source-address-filter 93.0.0.0/8 orlonger;
-) >> source-address-filter 94.0.0.0/8 orlonger;
-) >> source-address-filter 95.0.0.0/8 orlonger;
-) >> source-address-filter 96.0.0.0/8 orlonger;
-) >> source-address-filter 97.0.0.0/8 orlonger;
-) >> source-address-filter 98.0.0.0/8 orlonger;
-) >> source-address-filter 99.0.0.0/8 orlonger;
-) >> source-address-filter 100.0.0.0/8 orlonger;
-) >> source-address-filter 101.0.0.0/8 orlonger;
-) >> source-address-filter 102.0.0.0/8 orlonger;
-) >> source-address-filter 103.0.0.0/8 orlonger;
-) >> source-address-filter 104.0.0.0/8 orlonger;
-) >> source-address-filter 105.0.0.0/8 orlonger;
-) >> source-address-filter 106.0.0.0/8 orlonger;
-) >> source-address-filter 107.0.0.0/8 orlonger;
-) >> source-address-filter 108.0.0.0/8 orlonger;
-) >> source-address-filter 109.0.0.0/8 orlonger;
-) >> source-address-filter 110.0.0.0/8 orlonger;
-) >> source-address-filter 111.0.0.0/8 orlonger;
-) >> source-address-filter 112.0.0.0/8 orlonger;
-) >> source-address-filter 113.0.0.0/8 orlonger;
-) >> source-address-filter 114.0.0.0/8 orlonger;
-) >> source-address-filter 115.0.0.0/8 orlonger;
-) >> source-address-filter 116.0.0.0/8 orlonger;
-) >> source-address-filter 117.0.0.0/8 orlonger;
-) >> source-address-filter 118.0.0.0/8 orlonger;
-) >> source-address-filter 119.0.0.0/8 orlonger;
-) >> source-address-filter 120.0.0.0/8 orlonger;
-) >> source-address-filter 121.0.0.0/8 orlonger;
-) >> source-address-filter 122.0.0.0/8 orlonger;
-) >> source-address-filter 123.0.0.0/8 orlonger;
-) >> source-address-filter 124.0.0.0/8 orlonger;
-) >> source-address-filter 125.0.0.0/8 orlonger;
-) >> source-address-filter 126.0.0.0/8 orlonger;
-) >> source-address-filter 127.0.0.0/8 orlonger;
-) >> source-address-filter 169.254.0.0/16 orlonger;
-) >> source-address-filter 172.16.0.0/12 orlonger;
-) >> source-address-filter 173.0.0.0/8 orlonger;
-) >> source-address-filter 174.0.0.0/8 orlonger;
-) >> source-address-filter 175.0.0.0/8 orlonger;
-) >> source-address-filter 176.0.0.0/8 orlonger;
-) >> source-address-filter 177.0.0.0/8 orlonger;
-) >> source-address-filter 178.0.0.0/8 orlonger;
-) >> source-address-filter 179.0.0.0/8 orlonger;
-) >> source-address-filter 180.0.0.0/8 orlonger;
-) >> source-address-filter 181.0.0.0/8 orlonger;
-) >> source-address-filter 182.0.0.0/8 orlonger;
-) >> source-address-filter 183.0.0.0/8 orlonger;
-) >> source-address-filter 184.0.0.0/8 orlonger;
-) >> source-address-filter 185.0.0.0/8 orlonger;
-) >> source-address-filter 186.0.0.0/8 orlonger;
-) >> source-address-filter 187.0.0.0/8 orlonger;
-) >> source-address-filter 189.0.0.0/8 orlonger;
-) >> source-address-filter 190.0.0.0/8 orlonger;
-) >> source-address-filter 192.0.2.0/24 orlonger;
-) >> source-address-filter 197.0.0.0/8 orlonger;
-) >> source-address-filter 223.0.0.0/8 orlonger;
-) >> source-address-filter 224.0.0.0/3 orlonger;
-) >> }
-) >> then reject;
-) >> }
-) >> term default {
-) >> then accept;
-) >> }
-) >> }
-) >> /* Reject all single source multicast (SSM) */
-) >> policy-statement no-ssm {
-) >> term ssm {
-) >> from {
-) >> route-filter 232.0.0.0/8 orlonger;
-) >> }
-) >> then reject;
-) >> }
-) >> }
-) >> }
-) >> Then also loopback filter MSDP packets to allow only MSDP peers (by IP
-) >> address and protocol TCP and port msdp). Also filter SAPs to arrive
-) >> on 224.2.127.254/32:udp:9875. Furthermore, filter so that IGMP is only
-) >> from local peer IP, multicast data packets are only 224/4:UDP. Only
-) >> allow multicast 224.0.0.13:pim from peers. ...and if you need to, do
-) >> some rate limiting of multicast.
-) >> Doing all that keeps out quite a bit of the known bad stuff while
-) >> allowing the known good stuff to pass.
-) >> John
-) -----BEGIN PGP SIGNATURE-----
-) Version: GnuPG v1.2.3 (Darwin)
-)
-) iD8DBQFBCAcElW/4XGQiy+sRAlMKAKCOGPqkK0EbcTh/8jgL+b0jWe7ttQCgoUSi
-) xQ67Qc+9a7B3waybU94nHFo=
-) =cu6W
-) -----END PGP SIGNATURE-----
-)