All things related to multicast

[Simon Leinen <>]

Taylor, Scott J writes:
> We are seeing a noticeable multicast group count increase this morning.
> It looks like the group 224.9.9.9 accounts for most of the increase.

Interesting.  I hacked up a small Perl script[1] to walk a router's
MSDP cache and summarize the most prevalent groups.  224.9.9.9 has 524
sources, most of them announced from AS55 (UPenn).

   524       224.9.9.9
       455 AS55
        32 AS20130
        23 AS7386
         7 AS26934
         3 AS34
         1 AS12145
         1 AS1103
         1 AS2833
         1 AS683

Cursory manual inspection indicates that many sources are in wireless
and dormitory nets, but then that's probably just where most
innovation is taking place, especially on week-ends.

> Are other people seeing this group and these sources or are you
> dropping these at your edge?  From what I found it looks like this
> group is likely something to do with SQUID proxy configuration and
> not legitimate traffic that users on our network would be interested
> in.

Maybe these (few) wireless and dorm nets distribute a multicast-
enabled Squid configuration, and let those multicasts leak out.
Anyone in contact with the UPenn wireless/dorm net folks can check?

If you filter out announcements for groups outside the official ranges
(see Chuck Anderson's pointer to the secure multicast template), you
won't see this.  Personally I'm a little reluctant to do that, because
I don't want to stifle accidental discoveries of useful cross-site
multicast applications by curious students/researchers.
-- 
Simon.
[1]
#!/usr/bin/perl -w
###
### Run over a text file containing "show ip msdp sa-cache" output.
### This will show the top groups according to source count, and break
### down the sources by MSDP origin AS for each group.

use strict;
use warnings;

sub read_msdp_dump ();
sub write_output ();

## Only groups with at least this many sources will be listed.
##
my $source_threshold = 100;

## Only ASes originating at least this many sources will be listed for
## each group listed.
##
my $as_threshold = 2;

my %source_count = ();
my %sources = ();

read_msdp_dump;
write_output;

sub read_msdp_dump () {
    while (<>) {
        next if /^\d+ matches for /;
        if (/\(([0-9.]{7,15}), ([0-9.]{7,15})\), RP ([0-9.]{7,15}), MBGP\/AS 
(\d+), (.*), Peer ([0-9.]{7,15})/) {
            my ($s, $g, $rp, $as, $uptime, $peer) = ($1, $2, $3, $4, $5, $6, 
$7);
            ++$source_count{$g};
            push @{$sources{$g}}, [$s, $as];
        }
    }
    1;
}

sub write_output () {
    foreach my $g (sort { $source_count{$b} <=> $source_count{$a} } keys 
%source_count) {
        last if $source_count{$g} < $source_threshold;
        printf "%6d %15s\n", $source_count{$g}, $g;
        my %by_as = ();
        foreach my $source (@{$sources{$g}}) {
            ++$by_as{$source->[1]};
        }
        foreach my $as (sort { $by_as{$b} <=> $by_as{$a} } keys %by_as) {
            last unless $by_as{$as} >= $as_threshold;
            printf "    %6d AS%d\n", $by_as{$as}, $as;
        }
    }
}