Security, Timers, and Traffic Engineering in IP Multicast Networks
A rogue RP is any router that, by mistake or maliciously, acts as an RP for a group. To guard against maliciously configured routers acting as a candidate RP, use the following commands:
The ip pim rp-announce-filter command is used on Mapping Agents to filter the Auto-RP announcement messages received from candidate RPs. This command applies only when Auto-RP is deployed.
In the following example, the router is configured to accept RP announcements from RPs in access list 11 for group ranges described in access list 12.
access-list 11 permit <RP address>                ! IP address of permitted RP
access-list 12 permit 188.8.131.52 0.0.3.255      ! Permit MoH
access-list 12 permit 184.108.40.206 0.0.3.255    ! Permit low stream
access-list 12 permit 220.127.116.11 0.0.3.255    ! Permit medium stream
access-list 12 permit 18.104.22.168 0.0.255.255   ! Permit high stream
access-list 12 deny 22.214.171.124 0.255.255.255  ! Deny remaining administratively scoped range
access-list 12 permit 126.96.36.199 188.8.131.52  ! Permit link local/reserved address
ip pim rp-announce-filter rp-list 11 group-list 12
The ip pim rp-address command configures the PIM RP address for a particular group or group range. Without an associated group ACL, the default group range is 184.108.40.206/4. First-hop routers use the RP address to send Register messages on behalf of multicast sources. Routers also use the RP address on behalf of hosts that want to become members of a group, sending Join and Prune messages toward the RP. Although the command is not specifically a security feature, it does help ensure that a non-RP router uses the authorized RPs for the network.
In Chapter 2, “IP Multicast in a Campus Network,” a filter was used to control which groups an RP was responsible for. If a source becomes active for a group that is not in the ACL of the RP group-list, there is no active RP for that newly defined group, and the group falls into dense mode. As an extra layer of precaution against configuration mistakes or denial-of-service (DoS) attempts, an RP should be defined that covers all unused multicast groups. This ensures that undefined groups have an RP on the network, so they neither fall into dense mode nor are forwarded. This method, commonly referred to as a “Garbage-can RP,” can also be used to log attempts by rogue sources and groups to register on the network.
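The following configuration shows the Garbage-can RP approach described above. It is an added example rather than configuration from the design guide; the RP addresses 10.1.1.1 and 10.1.1.2, the access-list numbers, and the production group range 239.192.0.0/16 are assumed values, and the logging is realized here with ip pim accept-register and an extended ACL carrying the log keyword, which is one way to record the registration attempts the text refers to.

```text
! Authorized RP for the production group range (assumed addresses and ACL numbers)
ip pim rp-address 10.1.1.1 20
access-list 20 permit 239.192.0.0 0.0.255.255
!
! Garbage-can RP: every group not matched by access-list 20 maps here,
! so an undefined or mistyped group still has an RP and does not fall
! into dense mode
ip pim rp-address 10.1.1.2 21
access-list 21 deny 239.192.0.0 0.0.255.255
access-list 21 permit 224.0.0.0 15.255.255.255
!
! On the Garbage-can RP (10.1.1.2) itself: reject every Register that
! arrives and log it, which records the rogue source and group without
! forwarding the traffic (assumed method for the logging described above)
ip pim accept-register list 120
access-list 120 deny ip any any log
```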
The ip igmp access-group command is applied to an interface to restrict the group ranges that devices on that interface are permitted to join. The interface discards Join messages for groups that the ACL does not permit. The following example shows that the members of VLAN 10 are only allowed to join the group w.x.y.z.
interface Vlan 10
 ip igmp access-group 1
!
access-list 1 permit w.x.y.z
The use of IGMP-based ACLs can become a management issue if widely deployed. If there is a need to restrict which groups clients can join, try to restrict the groups on the RP, the Mapping Agents, or the PIM-enabled first-hop routers instead. If IGMP-based ACLs have been deployed and a group is added or deleted, the ACLs have to be reconfigured on each VLAN or physical interface to which the clients are attached.
Streams sent by rogue sources still flow on the local subnet where the source resides. Also, depending on the topology of the network, the accept-register feature may not block all sources.
Cisco AVVID Network Infrastructure IP Multicast Design