Security, Timers, and Traffic Engineering in IP Multicast Networks
Sources send group traffic to their first-hop router, which sends a Register message to the RP describing the active source. To protect the RP from unauthorized Register messages, use the ip pim accept-register command. This command, which is meaningful only on (candidate) RPs, configures the RP to accept Register messages only from the sources, or source and group pairs, that the referenced access list or route map permits. If a Register message is denied, the RP sends a Register-Stop back to the originator of the Register and does not forward that source's traffic down the shared tree.
If the list acl keyword is used, an extended access list determines which (source, group) pairs are permitted or denied when they appear in a Register message.
If the route-map map keyword is used, the usual route-map matching is applied on the RP to the source address that appears in a Register message.
The keywords list and route-map cannot be used together.
The following example shows a configuration that permits registration only from the listed sources (the MoH server at 10.5.10.20 and the IP/TV server at 10.5.11.20), for any group.
ip pim accept-register list 101
access-list 101 permit ip host 10.5.10.20 any
access-list 101 permit ip host 10.5.11.20 any
For more information about the addresses used, see Table 6-1.
The access list can also restrict which groups each source may register at registration time. The following example permits only the MoH group address from the MoH server and the three IP/TV groups from the IP/TV server; any other (source, group) pair hits the implicit deny at the end of the list.
access-list 101 permit ip host 10.5.10.20 188.8.131.52 0.0.3.255
access-list 101 permit ip host 10.5.11.20 184.108.40.206 0.0.3.255
access-list 101 permit ip host 10.5.11.20 220.127.116.11 0.0.3.255
access-list 101 permit ip host 10.5.11.20 18.104.22.168 0.0.255.255
If an unauthorized source comes online and its first-hop router attempts to register it with the RP, the registration is rejected. The following debug output shows a failed registration attempt by first-hop router 10.0.0.37 on behalf of source 10.5.12.1 and group 22.214.171.124.
1d03h: PIM: Received v2 Register on Vlan59 from 10.0.0.37 (Data-header) for 10.5.12.1, group 126.96.36.199
1d03h: PIM Register for 10.5.12.1, group 188.8.131.52 rejected
1d03h: PIM: Send v2 Register-Stop to 10.0.0.37 for 10.5.12.1, group 184.108.40.206
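The accept-register check described above and the rejection it logs, modelled as an added Python example (this is not code from the Cisco design guide). It parses a numbered extended ACL in IOS syntax, evaluates (source, group) pairs the way the RP does when it filters Register messages (top-down, first match wins, implicit deny at the end, IOS wildcard semantics), and pulls rejected registrations out of debug lines in the format shown. The group ranges (239.192.0.0 0.0.3.255 and so on) and the debug line are constructed for illustration and are not the addresses from Table 6-1; only the two server addresses come from the page.

```python
"""Model of 'ip pim accept-register list <acl>' on a PIM-SM RP.

Added example; not code from the Cisco AVVID design guide. It parses a
numbered extended ACL in IOS syntax, evaluates each PIM Register
(source, group) pair against it top-down with first match wins and an
implicit deny at the end, and extracts rejected registrations from
'debug ip pim' style output. Wildcard masks use IOS semantics: a 0 bit
must match, a 1 bit is don't-care. The group ranges and the debug line
below are constructed for illustration (hypothetical, not from the page).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src_addr: int    # source address and wildcard (the registering source)
    src_wild: int
    dst_addr: int    # destination address and wildcard (the multicast group)
    dst_wild: int


# access-list <n> permit|deny ip <src spec> <dst spec>
# where a spec is 'host A', 'any', or 'A WILDCARD'
_ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(host\s+\S+|any|\S+\s+\S+)\s+(host\s+\S+|any|\S+\s+\S+)\s*$"
)
_REJECT_RE = re.compile(r"PIM Register for (\S+), group (\S+) rejected")


def _addr_spec(spec: str) -> tuple[int, int]:
    """Turn 'host A', 'any' or 'A WILDCARD' into (address, wildcard) integers."""
    parts = spec.split()
    if parts[0] == "any":
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def parse_acl(config: str, number: int) -> list[AclEntry]:
    """Collect the entries of numbered extended ACL `number`, in config order."""
    entries = []
    for line in config.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            src = _addr_spec(m.group(3))
            dst = _addr_spec(m.group(4))
            entries.append(AclEntry(m.group(2), *src, *dst))
    return entries


def _wild_match(addr: int, base: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # bits the wildcard says must match
    return addr & care == base & care


def accept_register(acl: list[AclEntry], source: str, group: str) -> bool:
    """True if the RP accepts a Register for (source, group); False means Register-Stop."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        return False                   # a Register must carry a group address
    s = int(ipaddress.IPv4Address(source))
    for entry in acl:
        if (_wild_match(s, entry.src_addr, entry.src_wild)
                and _wild_match(int(g), entry.dst_addr, entry.dst_wild)):
            return entry.action == "permit"
    return False                       # implicit deny at the end of every IOS ACL


def rejected_registers(debug_output: str) -> list[tuple[str, str]]:
    """(source, group) pairs the RP rejected, taken from 'debug ip pim' lines."""
    return _REJECT_RE.findall(debug_output)


# Constructed sample: the two servers from the page with hypothetical group ranges.
SAMPLE_CONFIG = """\
ip pim accept-register list 101
access-list 101 permit ip host 10.5.10.20 239.192.0.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.192.4.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.192.8.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.193.0.0 0.0.255.255
"""
ACL_101 = parse_acl(SAMPLE_CONFIG, 101)

# Constructed debug line in the format the page shows for a rejected Register.
SAMPLE_DEBUG = "1d03h: PIM Register for 10.5.12.1, group 239.192.1.1 rejected\n"

if __name__ == "__main__":
    for src, grp in [("10.5.10.20", "239.192.1.7"),   # MoH server, MoH range: accept
                     ("10.5.10.20", "239.192.4.1"),   # MoH server, IP/TV range: deny
                     ("10.5.12.1", "239.192.1.1")]:   # rogue source: deny
        verdict = "accept" if accept_register(ACL_101, src, grp) else "Register-Stop"
        print(src, grp, verdict)
    print("rejected in debug:", rejected_registers(SAMPLE_DEBUG))
```

The second case is the one the group-aware list adds over the source-only list: the MoH server is a permitted source, but a Register for a group outside its range still falls through to the implicit deny. Note that the model only decides what the RP does with the Register; as the text goes on to say, it says nothing about the traffic the rogue source keeps putting on its own subnet.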
Traffic from a rogue source still flows on the local subnet where the source resides: accept-register acts only at the RP when the Register arrives, and it does not stop the source from sending. Besides not blocking the source on its local subnet, there are other topological cases in which the accept-register mechanism fails to block rogue sources.
Cisco AVVID Network Infrastructure IP Multicast Design