wg-multicast - Re: notes from Vancouver BoF 7/18/05

Subject: All things related to multicast

Re: notes from Vancouver BoF 7/18/05

  • From: debbie fligor <>
  • To: Peter John Hill <>
  • Cc: debbie fligor <>, Alan Crosswell <>,
  • Subject: Re: notes from Vancouver BoF 7/18/05
  • Date: Wed, 27 Jul 2005 15:01:38 -0500

At 12:22 -0700 7/26/05, Peter John Hill wrote:
On Jul 26, 2005, at 11:21 AM, debbie fligor wrote:

At 9:24 -0400 7/25/05, Alan Crosswell wrote:

- Firewall w/multicast?
-> - Ask Debbie Fligor@UIUC

Yikes... are you talking about GRE tunnels and sending the multicast around them? Are you also doing something like msdp with prefix lists for filters to limit the traffic somewhat through the gre tunnel... what sources are allowed to be known from one side to the other?


We're sending multicast traffic around the campus exit firewall/webcache/ips structure via a dedicated gigE link, while the unicast traffic (including that to the RP, which is on the untrusted side of our dmz) flows through the firewalls.

The hardest part of getting it all working was getting the PIM bugs worked out of the switch vendor's code, and getting them to change their static mroute command to accept administrative distance when specifying an rpf_address, not an interface.

If anyone else is trying to set up something like this and wants to hear how we're getting ours to work, just let me know.



I am curious as to the applications that one would want to run across a firewall that use multicast... I also wonder if there are better solutions than sending the multicast directly through? Something along the lines of what Tibco (yuck) does... or perhaps for something like video, a reflector outside the "trust boundary" of the firewall.

Just remember, multicast is fun!

it's job security, that's for sure :)


Peter



I know more about how to bypass them than how to make them work.

--

-debbie
Debbie Fligor, n9dn Network Engineer, CITES, Univ. of Il
email:

<http://www.uiuc.edu/ph/www/fligor>
"Every keystroke can be monitored. And the computers never forget."


