CHAPTER
Security, Timers, and Traffic Engineering in IP Multicast Networks
This chapter provides recommendations for security measures, timer adjustments, and traffic engineering for an IP multicast network.
With IP multicast, it is important to protect the traffic from Denial-of-Service (DoS) attacks or stream hijacking by rogue sources or rogue RPs.
DoS attacks affect the availability and efficiency of a network. If a rogue application or device can generate enough traffic and target that traffic at a source, then CPU and memory resources can be severely impacted.
Stream hijacking allows any host on the network to become an active source for any legitimate multicast group. It is easy to download a free multicast-enabled chat application from the Internet and change the IP Multicast group address assignment to be the same as that used by legitimately configured multicast applications. If the network devices are not secured from “accepting” unauthorized sources, the rogue source can impact the IP Multicast streams. For the most part, receivers are ignorant of the details associated with which source is really responsible for which group.
Use the following commands on IP Multicast-enabled routers to guard against rogue sources and rogue RPs:
ip pim accept-register
ip pim rp-announce-filter
ip pim rp-address
ip igmp access-group
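The four commands above applied together, as an added example that is not taken from the Cisco guide. The RP address 10.1.1.1, source subnet 10.10.0.0/24, group range 239.192.0.0/16, ACL numbers, and interface name are all assumed values chosen for illustration.

```cisco
! Constructed values (assumptions, not from the guide):
!   RP = 10.1.1.1, approved sources = 10.10.0.0/24, approved groups = 239.192.0.0/16

! Extended ACL matching approved (source, group) pairs
access-list 120 permit ip 10.10.0.0 0.0.0.255 239.192.0.0 0.0.255.255
access-list 120 deny   ip any any log

! Standard ACLs: approved RP and approved group range
access-list 10 permit 10.1.1.1
access-list 20 permit 239.192.0.0 0.0.255.255

! On the RP: accept PIM Register messages only for (S,G) pairs permitted by ACL 120,
! so an unauthorized source cannot register for a legitimate group
ip pim accept-register list 120

! On the Auto-RP mapping agent: accept RP announcements only from the approved RP
! and only for the approved groups, so a rogue RP is ignored
ip pim rp-announce-filter rp-list 10 group-list 20

! On each multicast router: statically define the RP for the approved groups;
! "override" makes the static entry win over a dynamically learned RP
ip pim rp-address 10.1.1.1 20 override

! On receiver-facing interfaces: hosts may join only the approved groups
interface Vlan10
 ip igmp access-group 20
```

The `log` keyword on the final deny entry of ACL 120 records Register attempts from unapproved sources, which gives operations a signal that a rogue source is active.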
A source is any host that is capable of sending IP Multicast traffic. Rogue sources are unauthorized sources that send IP Multicast traffic.
Cisco AVVID Network Infrastructure IP Multicast Design