Cisco AVVID Network Infrastructure IP Multicast Design - page 92 / 98

Chapter 8

Security, Timers, and Traffic Engineering in IP Multicast Networks

Rogue Sources

Sources send group traffic to the first-hop router. The first-hop router sends a Register message to the RP with information about the active source. To protect the router from unauthorized Register messages, use the ip pim accept-register command. This command, which can be used only on candidate RPs, configures the RP to accept Register messages only from a specific source. If a Register message is denied, a Register-Stop is sent back to the originator of the Register.

If the list acl attribute is used, extended access lists can be configured to determine which pairs (source and group) are permitted or denied when seen in a Register message.

If the route-map map attribute is used, typical route-map operations can be applied on the router for the source address that appears in a Register message.

Note

The keywords list and route-map cannot be used together.

The following example illustrates a configuration that permits a registration from the sources listed (10.5.10.20 MoH server and 10.5.11.20 IP/TV Server).

ip pim accept-register list 101

access-list 101 permit ip host 10.5.10.20 any
access-list 101 permit ip host 10.5.11.20 any

Note

For more information about the addresses used, see Table 6-1.

Additionally, a list can be configured that indicates which groups are permitted from each source at the time of registration. The following example illustrates a configuration that permits the MoH group address from the MoH server and the three IP/TV groups from the IP/TV server.

access-list 101 permit ip host 10.5.10.20 239.192.240.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.192.244.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.192.248.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.255.0.0 0.0.255.255
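The two access lists above are evaluated by the RP in the usual IOS way: entries are tried in order, the first match decides, and an (source, group) pair that matches nothing hits the implicit deny at the end of the list. The following script is an added example, not code from the design guide or from Cisco; it implements that wildcard-mask matching for the (source, group) pair carried in a Register so that a planned list can be checked against the servers and groups it is meant to admit before it is deployed. The ACL text is the guide's second example, embedded as constructed input; the parser handles only the `any`, `host A.B.C.D` and `A.B.C.D W.X.Y.Z` address forms shown in the guide.

```python
"""
Added example (not from the Cisco design guide): an evaluator for the extended
access-list semantics that 'ip pim accept-register list <acl>' applies to the
(source, group) pair in a PIM Register message.

Assumptions (mine, not the guide's): entries are tried in configuration order,
the first match wins, and an unmatched pair is rejected by the implicit deny
that ends every IOS access list.
"""
import ipaddress
import re

# ACL 101 as shown in the guide, embedded here as constructed input.
ACL_101 = """
access-list 101 permit ip host 10.5.10.20 239.192.240.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.192.244.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.192.248.0 0.0.3.255
access-list 101 permit ip host 10.5.11.20 239.255.0.0 0.0.255.255
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def _parse_addr_spec(tokens):
    """Consume one IOS address specification from the token list and return
    (base, wildcard, remaining_tokens) with base/wildcard as 32-bit ints.
    Forms handled: 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return base, wild, tokens[2:]


def parse_acl(text, number):
    """Return the entries of access-list <number> as a list of
    (action, src_base, src_wild, dst_base, dst_wild), in configuration order."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue
        action, rest = m.group(2), m.group(3).split()
        src_base, src_wild, rest = _parse_addr_spec(rest)
        dst_base, dst_wild, rest = _parse_addr_spec(rest)
        entries.append((action, src_base, src_wild, dst_base, dst_wild))
    return entries


def _wild_match(addr, base, wild):
    # IOS wildcard mask: a 1 bit means "don't care", a 0 bit must match exactly.
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def register_allowed(acl, source, group):
    """First-match evaluation of a Register's (source, group) pair.
    True means the RP would accept the Register; False means it would
    answer with a Register-Stop (explicit deny or implicit deny)."""
    s = int(ipaddress.IPv4Address(source))
    g = int(ipaddress.IPv4Address(group))
    for action, sb, sw, gb, gw in acl:
        if _wild_match(s, sb, sw) and _wild_match(g, gb, gw):
            return action == "permit"
    return False  # implicit deny at the end of every IOS access list


if __name__ == "__main__":
    acl = parse_acl(ACL_101, 101)
    # The third pair is the rogue source/group from the guide's debug excerpt.
    for src, grp in [("10.5.10.20", "239.192.240.1"),
                     ("10.5.11.20", "239.192.240.1"),
                     ("10.5.12.1", "239.194.1.1")]:
        verdict = "permit" if register_allowed(acl, src, grp) else "deny (Register-Stop)"
        print(f"{src} -> {grp}: {verdict}")
```

Running it shows the MoH server permitted for its own range, the IP/TV server denied for the MoH range (no entry pairs those two), and the rogue 10.5.12.1 source denied for 239.194.1.1 by the implicit deny, which is exactly the case the debug output below records.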

If an unauthorized source comes online and the first-hop router attempts to register this new source with the RP, the registration will be rejected. The following example shows the debug output for a failed registration attempt by router 10.0.0.37 for source 10.5.12.1 and group 239.194.1.1.

1d03h: PIM: Received v2 Register on Vlan59 from 10.0.0.37
1d03h:      (Data-header) for 10.5.12.1, group 239.194.1.1
1d03h: PIM Register for 10.5.12.1, group 239.194.1.1 rejected
1d03h: PIM: Send v2 Register-Stop to 10.0.0.37 for 10.5.12.1, group 239.194.1.1
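A rejected Register is spread over several debug lines, so counting rogue-source attempts by eye does not scale once the RP is busy. The script below is an added example, not part of the design guide; it parses output of the shape shown above, attributes each "rejected" line to the Received/Data-header pair that preceded it, and summarises how often each first-hop router tried to register a given (source, group). The sample lines are constructed from the guide's excerpt (with one accepted registration added so the parser has something to ignore); the regular expressions assume that line shape and nothing else.

```python
"""
Added example (not from the Cisco design guide): pull rejected Register
attempts out of 'debug ip pim' style output so rogue-source events can be
counted and reported. The sample text is constructed, modelled on the guide's
debug excerpt; the regexes assume that line shape.
"""
import re
from collections import Counter

# Constructed sample. The middle registration (10.5.10.20) is accepted and
# must not be reported; the rogue source 10.5.12.1 is rejected twice.
SAMPLE_DEBUG = """\
1d03h: PIM: Received v2 Register on Vlan59 from 10.0.0.37
1d03h:      (Data-header) for 10.5.12.1, group 239.194.1.1
1d03h: PIM Register for 10.5.12.1, group 239.194.1.1 rejected
1d03h: PIM: Send v2 Register-Stop to 10.0.0.37 for 10.5.12.1, group 239.194.1.1
1d03h: PIM: Received v2 Register on Vlan59 from 10.0.0.36
1d03h:      (Data-header) for 10.5.10.20, group 239.192.240.1
1d03h: PIM: Received v2 Register on Vlan59 from 10.0.0.37
1d03h:      (Data-header) for 10.5.12.1, group 239.194.1.1
1d03h: PIM Register for 10.5.12.1, group 239.194.1.1 rejected
1d03h: PIM: Send v2 Register-Stop to 10.0.0.37 for 10.5.12.1, group 239.194.1.1
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
RECEIVED_RE = re.compile(r"PIM: Received v2 Register on (\S+) from " + IPV4)
DATA_HDR_RE = re.compile(r"\(Data-header\) for " + IPV4 + r", group " + IPV4)
REJECTED_RE = re.compile(r"PIM Register for " + IPV4 + r", group " + IPV4 + r" rejected")


def rejected_registers(text):
    """Return one dict per rejected Register: the first-hop router that sent
    it, the interface it arrived on, and the (source, group) pair. State is
    carried across lines because one event spans several debug lines."""
    events = []
    pending = None  # the most recent Received/Data-header pair
    for line in text.splitlines():
        if m := RECEIVED_RE.search(line):
            pending = {"interface": m.group(1), "first_hop": m.group(2)}
        elif (m := DATA_HDR_RE.search(line)) and pending is not None:
            pending["source"], pending["group"] = m.group(1), m.group(2)
        elif (m := REJECTED_RE.search(line)) and pending is not None:
            src, grp = m.group(1), m.group(2)
            # Attribute the rejection only if it matches the pending Register.
            if pending.get("source") == src and pending.get("group") == grp:
                events.append(dict(pending))
            pending = None
    return events


def rejection_summary(text):
    """Count rejections per (first-hop router, source, group)."""
    return Counter((e["first_hop"], e["source"], e["group"])
                   for e in rejected_registers(text))


if __name__ == "__main__":
    for (first_hop, src, grp), n in rejection_summary(SAMPLE_DEBUG).items():
        print(f"{n} rejected Register(s) from {first_hop} for source {src}, group {grp}")
```

The summary keyed on first-hop router is the useful view for follow-up: it tells you which subnet the rogue source sits on, which matters because, as the note below says, accept-register stops the Register at the RP but does nothing about the traffic already flowing on that local subnet.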

Note

The streams sent by rogue sources would flow on the local subnet where the source resides. In addition to not blocking the source on the local subnet, there are other topological cases where the “accept-register” mechanism fails to block rogue sources.

Cisco AVVID Network Infrastructure IP Multicast Design

8-2

956651
