
wg-multicast - Re: bogon SAs from UC Davis?

Subject: All things related to multicast

  • From: Bill Owens <>
  • To: Eli Dart <>
  • Cc: wg-multicast <>
  • Subject: Re: bogon SAs from UC Davis?
  • Date: Tue, 8 Feb 2011 13:51:46 -0500

On Tue, Feb 08, 2011 at 10:36:11AM -0800, Eli Dart wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Bill,
>
> Something like this:
> term msdp-bogons {
>     from {
>         route-filter 225.0.0.0/8 orlonger;
>         route-filter 226.0.0.0/8 orlonger;
>         route-filter 227.0.0.0/8 orlonger;
>         route-filter 228.0.0.0/8 orlonger;
>         route-filter 229.0.0.0/8 orlonger;
>         route-filter 230.0.0.0/8 orlonger;
>         route-filter 231.0.0.0/8 orlonger;
>     }
>     then reject;
> }
>
> If I read your filter correctly, it does not cover the vast majority of
> unallocated multicast space (e.g. 225/8 through 231/8, 235/8 through 238/8).

Correct. And intentional - for which see below. This filter has its basis in
something that was originally proposed way back in 1999, according to my
archives. It has grown since then, reacting to the various annoyances that
people have observed (mostly idiot vendors picking multicast addresses out of
the air and then using them in widely-deployed software).

> The fun thing about MSDP is that most of the world is highly
> promiscuous....everybody floods everything to everybody. So, even if
> you have an inbound filter, you still allocate all the memory to hold
> the incoming RIB so that the filter can process it. Filtering means
> that you can keep your own MSDP mesh sane, and avoid flooding bogons to
> peers/customers, but to avoid seeing MSDP bogons it is my understanding
> that you really need to get your peers to filter.

Yes, and in fact the reason I'm not seeing the crazy number of MSDP groups is
because Internet2 is filtering at the edge with CENIC. And because we never
got around to turning up multicast between NYSERNet and ESnet at our peering
in NYC ;)

> RFC 5771 states that "applications MUST NOT use addressing in the IANA
> reserved blocks" - I think it's worth treating unallocated multicast
> space like bogons just as we treat unallocated unicast space like bogons
> (please, let's not rathole on the IPv4 runout).

True. Nobody should be doing that, the question is whether and how we want to
deal with those who are. This topic last came up in the mailing list almost
five years ago:
https://lists.internet2.edu/sympa/arc/wg-multicast/2006-05/msg00056.html

I skimmed that discussion just now and I think that it's still applicable. It
might be worth another pass through the SA cache (once the current mess is
done with) to see how many legitimate users are using illegitimate groups.

Bill.
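
Added example, not part of the original message or either poster's tooling: one way to make the "pass through the SA cache" suggested above, counting which groups fall in the unallocated ranges named in the thread and which sources announce them. The input layout (`group source originator` per line) and all sample entries are constructed assumptions, not real router output.

```python
import ipaddress
from collections import defaultdict

# Ranges named in the thread as unallocated multicast space
# (225/8 through 231/8 and 235/8 through 238/8); not a full IANA list.
BOGON_GROUPS = [ipaddress.ip_network(f"{octet}.0.0.0/8")
                for octet in list(range(225, 232)) + list(range(235, 239))]

# Constructed sample, one SA per line: "group source originator".
# This simplified layout is an assumption for the example.
SAMPLE_SA_CACHE = """\
224.2.127.254 192.0.2.10 198.51.100.1
225.1.2.3 192.0.2.20 198.51.100.1
225.1.2.3 192.0.2.21 198.51.100.1
229.55.150.208 203.0.113.5 198.51.100.2
233.252.0.7 192.0.2.30 198.51.100.2
236.9.9.9 203.0.113.6 198.51.100.2
not-an-address 192.0.2.40 198.51.100.3
"""

def bogon_prefix(group):
    """Return the bogon /8 containing this group address, or None."""
    for net in BOGON_GROUPS:
        if group in net:
            return net
    return None

def audit_sa_cache(text):
    """Return ({bogon group: set of sources}, [line numbers that failed to parse])."""
    hits, skipped = defaultdict(set), []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        try:
            group = ipaddress.ip_address(fields[0])
            source = ipaddress.ip_address(fields[1])
        except (ValueError, IndexError):
            skipped.append(lineno)  # keep malformed entries visible
            continue
        if bogon_prefix(group) is not None:
            hits[str(group)].add(str(source))
    return dict(hits), skipped

if __name__ == "__main__":
    hits, skipped = audit_sa_cache(SAMPLE_SA_CACHE)
    for group, sources in sorted(hits.items()):
        net = bogon_prefix(ipaddress.ip_address(group))
        print(f"{group} in {net}: {len(sources)} source(s): {sorted(sources)}")
    print(f"unparsed lines: {skipped}")
```

Groups with several distinct sources are the ones to check before rejecting the range outright, since they are the likeliest to be real users on illegitimate groups.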


