All things related to multicast

[Chris Costa <>]

Edited the MSDP SA ingress filters facing UCR to filter out the unallocated 
blocks mentioned below

route-map MSDP-SA-FILTER deny 10
 match ip address  111
route-map MSDP-SA-FILTER permit 20
 match ip address  113

access-list 111 remark *** MSDP SA Filter ***
access-list 111 permit ip any host 224.0.1.2 
access-list 111 permit ip any host 224.0.1.3 
access-list 111 permit ip any host 224.0.1.8 
access-list 111 permit ip any host 224.0.1.22 
access-list 111 permit ip any host 224.0.1.24 
access-list 111 permit ip any host 224.0.1.25 
access-list 111 permit ip any host 224.0.1.35 
access-list 111 permit ip any host 224.0.1.39 
access-list 111 permit ip any host 224.0.1.40 
access-list 111 permit ip any host 224.0.1.60 
access-list 111 permit ip any host 224.0.2.1 
access-list 111 permit ip any host 224.0.2.2 
access-list 111 permit ip any host 224.0.1.39 
access-list 111 permit ip any host 224.0.1.40 
access-list 111 permit ip any host 224.0.1.41 
access-list 111 permit ip any 224.77.0.0 0.0.255.255 
access-list 111 permit ip any host 225.1.2.3 
access-list 111 permit ip any host 229.55.150.208 
access-list 111 permit ip any 225.0.0.0 0.255.255.255 
access-list 111 permit ip any 226.0.0.0 0.255.255.255 
access-list 111 permit ip any 227.0.0.0 0.255.255.255 
access-list 111 permit ip any 228.0.0.0 0.255.255.255 
access-list 111 permit ip any 229.0.0.0 0.255.255.255 
access-list 111 permit ip any 230.0.0.0 0.255.255.255 
access-list 111 permit ip any 231.0.0.0 0.255.255.255 
access-list 111 permit ip any 232.0.0.0 0.255.255.255 
access-list 111 permit ip any 234.42.42.40 0.0.0.3 
access-list 111 permit ip any 234.142.142.42 0.0.0.1 
access-list 111 permit ip any 234.142.142.44 0.0.0.3 
access-list 111 permit ip any 234.142.142.48 0.0.0.15             
access-list 111 permit ip any 234.142.142.64 0.0.0.31             
access-list 111 permit ip any 234.142.142.128 0.0.0.7             
access-list 111 permit ip any 234.142.142.136 0.0.0.3             
access-list 111 permit ip any 234.142.142.140 0.0.0.1             
access-list 111 permit ip any host 234.142.142.142                
access-list 111 permit ip any 239.0.0.0 0.255.255.255             
access-list 111 permit ip 10.0.0.0 0.255.255.255 any              
access-list 111 permit ip 127.0.0.0 0.255.255.255 any             
access-list 111 permit ip 172.16.0.0 0.15.255.255 any             
access-list 111 permit ip 192.168.0.0 0.0.255.255 any  

access-list 113 permit ip any any 


Chris


--
Chris Costa
CENIC


On Feb 8, 2011, at 10:36 AM, Eli Dart wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Bill,
> 
> Something like this:
>        term msdp-bogons {
>            from {
>                route-filter 225.0.0.0/8 orlonger;
>                route-filter 226.0.0.0/8 orlonger;
>                route-filter 227.0.0.0/8 orlonger;
>                route-filter 228.0.0.0/8 orlonger;
>                route-filter 229.0.0.0/8 orlonger;
>                route-filter 230.0.0.0/8 orlonger;
>                route-filter 231.0.0.0/8 orlonger;
>            }
>            then reject;
>        }
> 
> If I read your filter correctly, it does not cover the vast majority of
> unallocated multicast space (e.g. 225/8 through 231/8, 235/8 through 238/8).
> 
> The fun thing about MSDP is that most of the world is highly
> promiscuous....everybody floods everything to everybody.  So, even if
> you have an inbound filter, you still allocate all the memory to hold
> the incoming RIB so that the filter can process it.  Filtering means
> that you can keep your own MSDP mesh sane, and avoid flooding bogons to
> peers/customers, but to avoid seeing MSDP bogons it is my understanding
> that you really need to get your peers to filter.
> 
> RFC 5771 states that "applications MUST NOT use addressing in the IANA
> reserved blocks" - I think it's worth treating unallocated multicast
> space like bogons just as we treat unallocated unicast space like bogons
> (please, let's not rathole on the IPv4 runout).
> 
> Thanks,
> 
>               --eli
> 
> 
> 
> On 2/8/11 10:20 AM, Bill Owens wrote:
>> On Tue, Feb 08, 2011 at 10:13:51AM -0800, Eli Dart wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>> 
>>> we're still seeing SA thresholds kick in (we warn at 125k SAs).
>>> 
>>> Any chance folks might be interested in putting bogon filters on MSDP?
>>> A huge amount of this is for unallocated space....
>> 
>> You mean like this:
>> 
>> nyc-7600#sh access-list 111
>> Extended IP access list 111
>>    10 deny ip any host 224.0.1.2
>>    20 deny ip any host 224.0.1.3
>>    30 deny ip any host 224.0.1.22 (55856958 matches)
>>    40 deny ip any host 224.0.1.24 (1229686 matches)
>>    50 deny ip any host 224.0.1.35 (4277170 matches)
>>    60 deny ip any host 224.0.1.39
>>    70 deny ip any host 224.0.1.40
>>    80 deny ip any host 224.0.1.60 (20458891 matches)
>>    90 deny ip any host 224.0.2.2 (201 matches)
>>    100 deny ip any 224.0.0.0 0.0.0.255
>>    110 deny ip any 232.0.0.0 0.255.255.255 (410 matches)
>>    120 deny ip any 239.0.0.0 0.255.255.255 (106878518 matches)
>>    130 deny ip 10.0.0.0 0.255.255.255 any (1494 matches)
>>    140 deny ip 127.0.0.0 0.255.255.255 any
>>    150 deny ip 172.16.0.0 0.15.255.255 any (1347864 matches)
>>    160 deny ip 192.168.0.0 0.0.255.255 any (65275056 matches)
>>    170 permit ip any any (1700264484 matches)
>> 
>> I guess that's why I'm only seeing 17k (as of right now) and you're seeing 
>> 125k?
>> 
>> Bill.
> 
> - -- 
> Eli Dart                                            NOC: (510) 486-7600
> ESnet Network Engineering Group (AS293)                  (800) 333-7638
> Lawrence Berkeley National Laboratory
> PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486 343A 2D31 4478 5F82 B2B3
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (Darwin)
> 
> iEYEARECAAYFAk1RjRsACgkQLTFEeF+CsrPRrwCguG1zir3zmnPlGW+Cd4qTqDfz
> nycAoIFUkdbypDy/L6Pf/so4E8bZsVQi
> =CsLt
> -----END PGP SIGNATURE-----