
wg-multicast - Re: bogon SAs from UC Davis?

Subject: All things related to multicast


Re: bogon SAs from UC Davis?


  • From: Chris Costa <>
  • To:
  • Cc: Bill Owens <>, wg-multicast <>, Tony Nguyen <>
  • Subject: Re: bogon SAs from UC Davis?
  • Date: Tue, 8 Feb 2011 11:13:33 -0800

Edited the MSDP SA ingress filters facing UCR to filter out the unallocated
blocks mentioned below.

route-map MSDP-SA-FILTER deny 10
match ip address 111
route-map MSDP-SA-FILTER permit 20
match ip address 113

access-list 111 remark *** MSDP SA Filter ***
access-list 111 permit ip any host 224.0.1.2
access-list 111 permit ip any host 224.0.1.3
access-list 111 permit ip any host 224.0.1.8
access-list 111 permit ip any host 224.0.1.22
access-list 111 permit ip any host 224.0.1.24
access-list 111 permit ip any host 224.0.1.25
access-list 111 permit ip any host 224.0.1.35
access-list 111 permit ip any host 224.0.1.39
access-list 111 permit ip any host 224.0.1.40
access-list 111 permit ip any host 224.0.1.60
access-list 111 permit ip any host 224.0.2.1
access-list 111 permit ip any host 224.0.2.2
access-list 111 permit ip any host 224.0.1.39
access-list 111 permit ip any host 224.0.1.40
access-list 111 permit ip any host 224.0.1.41
access-list 111 permit ip any 224.77.0.0 0.0.255.255
access-list 111 permit ip any host 225.1.2.3
access-list 111 permit ip any host 229.55.150.208
access-list 111 permit ip any 225.0.0.0 0.255.255.255
access-list 111 permit ip any 226.0.0.0 0.255.255.255
access-list 111 permit ip any 227.0.0.0 0.255.255.255
access-list 111 permit ip any 228.0.0.0 0.255.255.255
access-list 111 permit ip any 229.0.0.0 0.255.255.255
access-list 111 permit ip any 230.0.0.0 0.255.255.255
access-list 111 permit ip any 231.0.0.0 0.255.255.255
access-list 111 permit ip any 232.0.0.0 0.255.255.255
access-list 111 permit ip any 234.42.42.40 0.0.0.3
access-list 111 permit ip any 234.142.142.42 0.0.0.1
access-list 111 permit ip any 234.142.142.44 0.0.0.3
access-list 111 permit ip any 234.142.142.48 0.0.0.15
access-list 111 permit ip any 234.142.142.64 0.0.0.31
access-list 111 permit ip any 234.142.142.128 0.0.0.7
access-list 111 permit ip any 234.142.142.136 0.0.0.3
access-list 111 permit ip any 234.142.142.140 0.0.0.1
access-list 111 permit ip any host 234.142.142.142
access-list 111 permit ip any 239.0.0.0 0.255.255.255
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
access-list 111 permit ip 127.0.0.0 0.255.255.255 any
access-list 111 permit ip 172.16.0.0 0.15.255.255 any
access-list 111 permit ip 192.168.0.0 0.0.255.255 any

access-list 113 permit ip any any


Chris


--
Chris Costa
CENIC


On Feb 8, 2011, at 10:36 AM, Eli Dart wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Bill,
>
> Something like this:
> term msdp-bogons {
>     from {
>         route-filter 225.0.0.0/8 orlonger;
>         route-filter 226.0.0.0/8 orlonger;
>         route-filter 227.0.0.0/8 orlonger;
>         route-filter 228.0.0.0/8 orlonger;
>         route-filter 229.0.0.0/8 orlonger;
>         route-filter 230.0.0.0/8 orlonger;
>         route-filter 231.0.0.0/8 orlonger;
>     }
>     then reject;
> }
>
> If I read your filter correctly, it does not cover the vast majority of
> unallocated multicast space (e.g. 225/8 through 231/8, 235/8 through 238/8).
>
> The fun thing about MSDP is that most of the world is highly
> promiscuous....everybody floods everything to everybody. So, even if
> you have an inbound filter, you still allocate all the memory to hold
> the incoming RIB so that the filter can process it. Filtering means
> that you can keep your own MSDP mesh sane, and avoid flooding bogons to
> peers/customers, but to avoid seeing MSDP bogons it is my understanding
> that you really need to get your peers to filter.
>
> RFC 5771 states that "applications MUST NOT use addressing in the IANA
> reserved blocks" - I think it's worth treating unallocated multicast
> space like bogons just as we treat unallocated unicast space like bogons
> (please, let's not rathole on the IPv4 runout).
>
> Thanks,
>
> --eli
>
>
>
> On 2/8/11 10:20 AM, Bill Owens wrote:
>> On Tue, Feb 08, 2011 at 10:13:51AM -0800, Eli Dart wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> we're still seeing SA thresholds kick in (we warn at 125k SAs).
>>>
>>> Any chance folks might be interested in putting bogon filters on MSDP?
>>> A huge amount of this is for unallocated space....
>>
>> You mean like this:
>>
>> nyc-7600#sh access-list 111
>> Extended IP access list 111
>> 10 deny ip any host 224.0.1.2
>> 20 deny ip any host 224.0.1.3
>> 30 deny ip any host 224.0.1.22 (55856958 matches)
>> 40 deny ip any host 224.0.1.24 (1229686 matches)
>> 50 deny ip any host 224.0.1.35 (4277170 matches)
>> 60 deny ip any host 224.0.1.39
>> 70 deny ip any host 224.0.1.40
>> 80 deny ip any host 224.0.1.60 (20458891 matches)
>> 90 deny ip any host 224.0.2.2 (201 matches)
>> 100 deny ip any 224.0.0.0 0.0.0.255
>> 110 deny ip any 232.0.0.0 0.255.255.255 (410 matches)
>> 120 deny ip any 239.0.0.0 0.255.255.255 (106878518 matches)
>> 130 deny ip 10.0.0.0 0.255.255.255 any (1494 matches)
>> 140 deny ip 127.0.0.0 0.255.255.255 any
>> 150 deny ip 172.16.0.0 0.15.255.255 any (1347864 matches)
>> 160 deny ip 192.168.0.0 0.0.255.255 any (65275056 matches)
>> 170 permit ip any any (1700264484 matches)
>>
>> I guess that's why I'm only seeing 17k (as of right now) and you're seeing
>> 125k?
>>
>> Bill.
>
> - --
> Eli Dart NOC: (510) 486-7600
> ESnet Network Engineering Group (AS293) (800) 333-7638
> Lawrence Berkeley National Laboratory
> PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486 343A 2D31 4478 5F82 B2B3
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (Darwin)
>
> iEYEARECAAYFAk1RjRsACgkQLTFEeF+CsrPRrwCguG1zir3zmnPlGW+Cd4qTqDfz
> nycAoIFUkdbypDy/L6Pf/so4E8bZsVQi
> =CsLt
> -----END PGP SIGNATURE-----
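The filters traded in this thread (Chris's IOS access-list 111 behind a route-map that denies whatever the ACL permits, Bill's earlier ACL, and Eli's list of unallocated /8s) can be checked offline before they are pushed to a router. The Python script below is an added example, not code from the thread or from CENIC or ESnet. It parses a constructed subset of the IOS extended-ACL syntax used above, emulates the route-map's first-match semantics for an MSDP (source, group) pair, and reports which multicast /8s a given ACL would still let through. It assumes contiguous wildcard masks, the `ip` protocol only, and the route-map shape from Chris's message (sequence 10 deny on ACL match, sequence 20 permit everything else); the source address 198.51.100.1 is a documentation-range placeholder.

```python
import ipaddress

# Constructed sample: a subset of the "access-list 111" entries from Chris's
# message, in the IOS extended-ACL syntax used in the thread. Not a full copy.
ACL_TEXT = """
access-list 111 remark *** MSDP SA Filter ***
access-list 111 permit ip any host 224.0.1.39
access-list 111 permit ip any host 224.0.1.40
access-list 111 permit ip any 225.0.0.0 0.255.255.255
access-list 111 permit ip any 232.0.0.0 0.255.255.255
access-list 111 permit ip any 234.142.142.48 0.0.0.15
access-list 111 permit ip any 239.0.0.0 0.255.255.255
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
access-list 111 permit ip 172.16.0.0 0.15.255.255 any
access-list 111 permit ip 192.168.0.0 0.0.255.255 any
"""


def _parse_spec(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') and
    return (network, remaining tokens). Only contiguous wildcards are handled;
    ipaddress raises ValueError for a non-contiguous one."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    if wildcard == "0.0.0.0":  # IOS: exact host, not "match everything"
        return ipaddress.ip_network(addr + "/32"), tokens[2:]
    # An IOS wildcard is a hostmask; ipaddress accepts "addr/hostmask" directly.
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), tokens[2:]


def parse_acl(text, number="111"):
    """Return [(action, src_net, dst_net), ...] for the numbered ACL in text,
    in configuration order (IOS evaluates entries first-match)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", number]:
            continue
        action, proto = tokens[2], tokens[3]
        if action == "remark":
            continue
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL entry: {line}")
        src, rest = _parse_spec(tokens[4:])
        dst, _ = _parse_spec(rest)
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, source, group):
    """First-match evaluation of the ACL against an SA's (source, group).
    True on a permit entry; False on a deny entry or the implicit deny."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for action, src_net, dst_net in entries:
        if s in src_net and g in dst_net:
            return action == "permit"
    return False


def sa_accepted(entries, source, group):
    """Emulates the route-map from the thread: sequence 10 denies whatever
    ACL 111 permits, sequence 20 (ACL 113 'permit ip any any') accepts the rest."""
    return not acl_permits(entries, source, group)


def uncovered_slash8s(entries, source="198.51.100.1"):
    """Multicast /8s in which a probe group (x.1.2.3) from a public source
    would still be accepted. A /8 that is only partly filtered is reported
    too, so the result means 'not wholly blocked', not 'unfiltered'."""
    return [first for first in range(224, 240)
            if sa_accepted(entries, source, f"{first}.1.2.3")]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for src, grp in [("198.51.100.1", "224.0.1.39"), ("10.1.1.1", "233.1.1.1"),
                     ("198.51.100.1", "227.1.2.3")]:
        verdict = "accept" if sa_accepted(acl, src, grp) else "drop"
        print(f"{src} -> {grp}: {verdict}")
    print("not wholly blocked:", uncovered_slash8s(acl))
```

Run against the full ACL from a message, the /8 report makes Eli's point concrete: an ACL that lists only well-known groups, 232/8 and 239/8 leaves 225/8 through 231/8 and 235/8 through 238/8 open, and the private-source entries catch SAs whose RP learned them from RFC 1918 space. Because the check is pure first-match on (source, group), it says nothing about the memory an incoming SA cache still consumes before the filter runs; as Eli notes, that cost is only avoided when the peer filters.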



