
wg-multicast - Re: bogon SAs from UC Davis?

Subject: All things related to multicast


Re: bogon SAs from UC Davis?

  • From: Eli Dart <>
  • To:
  • Cc: wg-multicast <>
  • Subject: Re: bogon SAs from UC Davis?
  • Date: Tue, 08 Feb 2011 10:36:11 -0800
  • Organization: Energy Sciences Network


Hi Bill,

Something like this:
term msdp-bogons {
    from {
        route-filter 225.0.0.0/8 orlonger;
        route-filter 226.0.0.0/8 orlonger;
        route-filter 227.0.0.0/8 orlonger;
        route-filter 228.0.0.0/8 orlonger;
        route-filter 229.0.0.0/8 orlonger;
        route-filter 230.0.0.0/8 orlonger;
        route-filter 231.0.0.0/8 orlonger;
    }
    then reject;
}

If I read your filter correctly, it does not cover the vast majority of
unallocated multicast space (e.g. 225/8 through 231/8, 235/8 through 238/8).

The fun thing about MSDP is that most of the world is highly
promiscuous....everybody floods everything to everybody. So, even if
you have an inbound filter, you still allocate all the memory to hold
the incoming RIB so that the filter can process it. Filtering means
that you can keep your own MSDP mesh sane, and avoid flooding bogons to
peers/customers, but to avoid seeing MSDP bogons it is my understanding
that you really need to get your peers to filter.

RFC 5771 states that "applications MUST NOT use addressing in the IANA
reserved blocks" - I think it's worth treating unallocated multicast
space like bogons just as we treat unallocated unicast space like bogons
(please, let's not rathole on the IPv4 runout).

Thanks,

--eli



On 2/8/11 10:20 AM, Bill Owens wrote:
> On Tue, Feb 08, 2011 at 10:13:51AM -0800, Eli Dart wrote:
>>
>> we're still seeing SA thresholds kick in (we warn at 125k SAs).
>>
>> Any chance folks might be interested in putting bogon filters on MSDP?
>> A huge amount of this is for unallocated space....
>
> You mean like this:
>
> nyc-7600#sh access-list 111
> Extended IP access list 111
> 10 deny ip any host 224.0.1.2
> 20 deny ip any host 224.0.1.3
> 30 deny ip any host 224.0.1.22 (55856958 matches)
> 40 deny ip any host 224.0.1.24 (1229686 matches)
> 50 deny ip any host 224.0.1.35 (4277170 matches)
> 60 deny ip any host 224.0.1.39
> 70 deny ip any host 224.0.1.40
> 80 deny ip any host 224.0.1.60 (20458891 matches)
> 90 deny ip any host 224.0.2.2 (201 matches)
> 100 deny ip any 224.0.0.0 0.0.0.255
> 110 deny ip any 232.0.0.0 0.255.255.255 (410 matches)
> 120 deny ip any 239.0.0.0 0.255.255.255 (106878518 matches)
> 130 deny ip 10.0.0.0 0.255.255.255 any (1494 matches)
> 140 deny ip 127.0.0.0 0.255.255.255 any
> 150 deny ip 172.16.0.0 0.15.255.255 any (1347864 matches)
> 160 deny ip 192.168.0.0 0.0.255.255 any (65275056 matches)
> 170 permit ip any any (1700264484 matches)
>
> I guess that's why I'm only seeing 17k (as of right now) and you're seeing
> 125k?
>
> Bill.

--
Eli Dart NOC: (510) 486-7600
ESnet Network Engineering Group (AS293) (800) 333-7638
Lawrence Berkeley National Laboratory
PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486 343A 2D31 4478 5F82 B2B3
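To see the coverage gap the two posts discuss, here is an added example (not code from the thread or from either author) that encodes Eli's Juniper term and Bill's ACL 111 as they appear above and runs both against a small constructed MSDP SA cache. The unallocated /8 list is taken from Eli's message (225/8 through 231/8, 235/8 through 238/8), not from the IANA registry, and the sample sources and groups are documentation addresses chosen for illustration.

```python
import ipaddress

# Unallocated multicast /8s as listed in Eli's message (assumption: not an
# authoritative IANA list, just the ranges the thread names).
UNALLOCATED = [ipaddress.ip_network(f"{o}.0.0.0/8")
               for o in (225, 226, 227, 228, 229, 230, 231, 235, 236, 237, 238)]

# Eli's Juniper term: route-filter 225/8 .. 231/8 orlonger; then reject.
JUNIPER_REJECT = [ipaddress.ip_network(f"{o}.0.0.0/8") for o in range(225, 232)]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'addr wildcard' pair into a network (contiguous wildcard assumed)."""
    set_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - set_bits}", strict=False)


# Bill's ACL 111 reduced to its deny entries as (source_net, group_net) pairs.
ANY = ipaddress.ip_network("0.0.0.0/0")
CISCO_DENY = (
    [(ANY, ipaddress.ip_network(f"{h}/32")) for h in
     ("224.0.1.2", "224.0.1.3", "224.0.1.22", "224.0.1.24", "224.0.1.35",
      "224.0.1.39", "224.0.1.40", "224.0.1.60", "224.0.2.2")]
    + [(ANY, wildcard_to_network("224.0.0.0", "0.0.0.255")),
       (ANY, wildcard_to_network("232.0.0.0", "0.255.255.255")),
       (ANY, wildcard_to_network("239.0.0.0", "0.255.255.255")),
       (wildcard_to_network("10.0.0.0", "0.255.255.255"), ANY),
       (wildcard_to_network("127.0.0.0", "0.255.255.255"), ANY),
       (wildcard_to_network("172.16.0.0", "0.15.255.255"), ANY),
       (wildcard_to_network("192.168.0.0", "0.0.255.255"), ANY)]
)


def juniper_rejects(source: str, group: str) -> bool:
    return any(ipaddress.ip_address(group) in p for p in JUNIPER_REJECT)


def cisco_denies(source: str, group: str) -> bool:
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    return any(s in sn and g in gn for sn, gn in CISCO_DENY)


def is_unallocated(group: str) -> bool:
    return any(ipaddress.ip_address(group) in p for p in UNALLOCATED)


def audit(sa_cache):
    """Return the (S,G) entries in unallocated group space that pass BOTH filters."""
    return [(s, g) for s, g in sa_cache
            if is_unallocated(g) and not juniper_rejects(s, g) and not cisco_denies(s, g)]


# Constructed sample SA cache of (source, group) pairs; not real MSDP data.
SAMPLE_SA_CACHE = [
    ("192.0.2.10", "225.1.2.3"),     # unallocated group: only the Juniper term rejects it
    ("198.51.100.7", "239.1.1.1"),   # admin-scoped group: only the Cisco ACL denies it
    ("10.1.1.1", "233.1.1.1"),       # RFC 1918 source: only the Cisco ACL denies it
    ("203.0.113.5", "236.0.0.1"),    # unallocated group: neither filter catches it
    ("224.2.127.254", "224.2.127.254")[:1] + ("224.2.127.254",),  # allocated group: passes both
]
```

Running `audit(SAMPLE_SA_CACHE)` reports the 236.0.0.1 entry, the kind of SA that slips through unless the 235/8 through 238/8 ranges are added to the filter.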