draft-ietf-mboned-mroutesec-02.txt   draft-ietf-mboned-mroutesec-03.txt 
MBONED WG P. Savola MBONED WG P. Savola
Internet-Draft CSC/FUNET Internet-Draft CSC/FUNET
Expires: December 23, 2004 R. Lehtonen Expires: February 17, 2005 R. Lehtonen
TeliaSonera TeliaSonera
D. Meyer D. Meyer
June 24, 2004 August 19, 2004
PIM-SM Multicast Routing Security Issues and Enhancements PIM-SM Multicast Routing Security Issues and Enhancements
draft-ietf-mboned-mroutesec-02.txt draft-ietf-mboned-mroutesec-03.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable This document is an Internet-Draft and is subject to all provisions
patent or other IPR claims of which I am aware have been disclosed, of section 3 of RFC 3667. By submitting this Internet-Draft, each
and any of which I become aware will be disclosed, in accordance with author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 23, 2004. This Internet-Draft will expire on February 17, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004).
Abstract Abstract
This memo describes security threats for the larger (intra-domain, or This memo describes security threats for the larger (intra-domain, or
inter-domain) multicast routing infrastructures. Only Protocol inter-domain) multicast routing infrastructures. Only Protocol
Independent Multicast - Sparse Mode (PIM-SM) is analyzed, in its Independent Multicast - Sparse Mode (PIM-SM) is analyzed, in its
three main operational modes: the traditional Any Source Multicast three main operational modes: the traditional Any Source Multicast
(ASM) model, Source-Specific Multicast (SSM) model, and the ASM model (ASM) model, Source-Specific Multicast (SSM) model, and the ASM model
enhanced by the Embedded-RP group-to-RP mapping mechanism. This memo enhanced by the Embedded-RP group-to-RP mapping mechanism. This memo
also describes enhancements to the protocol operations to mitigate also describes enhancements to the protocol operations to mitigate
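Review bot: the updated "Status of this Memo" text in the -03 column has a grammatical slip: "and any of which he or she become aware will be disclosed" should read "becomes aware", matching the RFC 3667/3668 boilerplate wording the paragraph is otherwise reproducing. The rest of the header changes (new expiry date, the dropped "All Rights Reserved." in the Copyright Notice, the RFC 3667 reference) are consistent with that boilerplate update and need no further change.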
skipping to change at page 2, line 32 skipping to change at page 2, line 34
5. PIM Security Enhancements . . . . . . . . . . . . . . . . . . 11 5. PIM Security Enhancements . . . . . . . . . . . . . . . . . . 11
5.1 Remote Routability Signalling . . . . . . . . . . . . . . 11 5.1 Remote Routability Signalling . . . . . . . . . . . . . . 11
5.2 Rate-limiting Possibilities . . . . . . . . . . . . . . . 12 5.2 Rate-limiting Possibilities . . . . . . . . . . . . . . . 12
5.3 Specific Rate-limiting Suggestions . . . . . . . . . . . . 13 5.3 Specific Rate-limiting Suggestions . . . . . . . . . . . . 13
5.3.1 Group Management Protocol Rate-limiter . . . . . . . . 13 5.3.1 Group Management Protocol Rate-limiter . . . . . . . . 13
5.3.2 Source Transmission Rate-limiter . . . . . . . . . . . 14 5.3.2 Source Transmission Rate-limiter . . . . . . . . . . . 14
5.3.3 PIM Signalling Rate-limiter . . . . . . . . . . . . . 14 5.3.3 PIM Signalling Rate-limiter . . . . . . . . . . . . . 14
5.3.4 Unicast-decapsulation Rate-limiter . . . . . . . . . . 14 5.3.4 Unicast-decapsulation Rate-limiter . . . . . . . . . . 14
5.3.5 PIM Register Rate-limiter . . . . . . . . . . . . . . 15 5.3.5 PIM Register Rate-limiter . . . . . . . . . . . . . . 15
5.3.6 MSDP Source-Active Rate-limiter . . . . . . . . . . . 15 5.3.6 MSDP Source-Active Rate-limiter . . . . . . . . . . . 15
5.4 Passive Mode for PIM . . . . . . . . . . . . . . . . . . . 15
6. Security Considerations . . . . . . . . . . . . . . . . . . . 15 6. Security Considerations . . . . . . . . . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 16 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 16
9.2 Informative References . . . . . . . . . . . . . . . . . . . 16 9.2 Informative References . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17
A. RPF Considers Interface, Not Neighbor . . . . . . . . . . . . 18 A. RPF Considers Interface, Not Neighbor . . . . . . . . . . . . 18
B. Return Routability Extensions . . . . . . . . . . . . . . . . 18 B. Return Routability Extensions . . . . . . . . . . . . . . . . 18
B.1 Sending PIM-Prune Messages Down the Tree . . . . . . . . . 18 B.1 Sending PIM-Prune Messages Down the Tree . . . . . . . . . 19
B.2 Analysing Multicast Group Traffic at DR . . . . . . . . . 19 B.2 Analysing Multicast Group Traffic at DR . . . . . . . . . 19
B.3 Comparison of the Above Approaches . . . . . . . . . . . . 19 B.3 Comparison of the Above Approaches . . . . . . . . . . . . 20
Intellectual Property and Copyright Statements . . . . . . . . 21 Intellectual Property and Copyright Statements . . . . . . . . 21
1. Introduction 1. Introduction
This memo describes security threats to the Protocol Independent This memo describes security threats to the Protocol Independent
Multicast - Sparse Mode (PIM-SM) multicast routing infrastructures, Multicast - Sparse Mode (PIM-SM) multicast routing infrastructures,
and suggests ways to make these architectures more resistant to the and suggests ways to make these architectures more resistant to the
described threats. described threats.
Only attacks which have an effect on the multicast routing (whether Only attacks which have an effect on the multicast routing (whether
skipping to change at page 15, line 33 skipping to change at page 15, line 33
SAG_RATE tokens per second. Example values could be SAG_RATE=1 and SAG_RATE tokens per second. Example values could be SAG_RATE=1 and
SAG_DEPTH=10. SAG_DEPTH=10.
This would be a second-order defense, both at the MSDP SA sending and This would be a second-order defense, both at the MSDP SA sending and
receiving sites, against data flooding and MSDP vulnerabilities in receiving sites, against data flooding and MSDP vulnerabilities in
particular. The specific threat being addressed here is a source (or particular. The specific threat being addressed here is a source (or
multiple different sources) trying to "probe" (e.g., virus or worm) multiple different sources) trying to "probe" (e.g., virus or worm)
different multicast addresses. [14] discusses different MSDP attack different multicast addresses. [14] discusses different MSDP attack
prevention mechanisms at length. prevention mechanisms at length.
5.4 Passive Mode for PIM
As described in the last paragraph of section 3, hosts are also able
to form PIM adjacencies and send disrupting traffic unless great care
is observed at the routers. This stems from the fact that most
implementations require that stub LANs with only one PIM router must
also have PIM enabled (to enable PIM processing of the sourced data
etc.) Such stub networks however do not require to actually run the
PIM protocol on the link. Therefore such implementations should
provide an option to specify that the interface is "passive" with
regard to PIM: no PIM packets are sent or processed (if received),
but hosts can still send and receive multicast on that interface.
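Review bot: the new Section 5.4 (Passive Mode for PIM) should state its precondition explicitly rather than only by reference to "the last paragraph of section 3": a passive interface neither sends nor processes PIM packets, so if a second PIM router is ever attached to that link no adjacency will form and that router's traffic will not be forwarded; the text should say passive mode is only appropriate where the operator has ensured the link has exactly one PIM router, and should say what the router does with PIM packets it does receive there (silently discarding them is the stated behaviour, but counting or logging them is a useful indicator that a host is attempting to form an adjacency, which is the threat the section is mitigating). Two wording fixes in the same paragraph: "Such stub networks however do not require to actually run the PIM protocol" reads better as "Such stub networks, however, do not actually need to run the PIM protocol", and the parenthetical "(to enable PIM processing of the sourced data etc.)" needs its sentence-ending period after the closing parenthesis. In the 5.3.6 text just above, "SAG_RATE tokens per second" and "SAG_DEPTH" are used without naming the bucket-depth parameter's role in the sentence that survives here; if the preceding (elided) text does not already say that SAG_DEPTH is the maximum number of tokens the bucket holds, a short definition next to the example values would help.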
6. Security Considerations 6. Security Considerations
This memo analyzes the security of PIM routing infrastructures in This memo analyzes the security of PIM routing infrastructures in
some detail, and proposes enhancements to mitigate the observed some detail, and proposes enhancements to mitigate the observed
threats. threats.
This document does not discuss adding (strong) authentication to the This document does not discuss adding (strong) authentication to the
multicast protocols. PIM-SM specification [1] describes the multicast protocols. PIM-SM specification [1] describes the
application of IPsec for routing authentication; it is worth noting application of IPsec for routing authentication; it is worth noting
that being able to authenticate the register messages and being able that being able to authenticate the register messages and being able
skipping to change at page 16, line 27 skipping to change at page 16, line 40
Kamil Sarac discussed "return routability" issues at length. Stig Kamil Sarac discussed "return routability" issues at length. Stig
Venaas provided feedback to improve the document quality. Venaas provided feedback to improve the document quality.
9. References 9. References
9.1 Normative References 9.1 Normative References
[1] Fenner, B., Handley, M., Holbrook, H. and I. Kouvelas, "Protocol [1] Fenner, B., Handley, M., Holbrook, H. and I. Kouvelas, "Protocol
Independent Multicast - Sparse Mode PIM-SM): Protocol Independent Multicast - Sparse Mode PIM-SM): Protocol
Specification (Revised)", draft-ietf-pim-sm-v2-new-09 (work in Specification (Revised)", draft-ietf-pim-sm-v2-new-10 (work in
progress), February 2004. progress), July 2004.
[2] Fenner, B. and D. Meyer, "Multicast Source Discovery Protocol [2] Fenner, B. and D. Meyer, "Multicast Source Discovery Protocol
(MSDP)", RFC 3618, October 2003. (MSDP)", RFC 3618, October 2003.
[3] Holbrook, H. and B. Cain, "Source-Specific Multicast for IP", [3] Holbrook, H. and B. Cain, "Source-Specific Multicast for IP",
draft-ietf-ssm-arch-04 (work in progress), October 2003. draft-ietf-ssm-arch-05 (work in progress), July 2004.
[4] Savola, P. and B. Haberman, "Embedding the Rendezvous Point (RP) [4] Savola, P. and B. Haberman, "Embedding the Rendezvous Point (RP)
Address in an IPv6 Multicast Address", Address in an IPv6 Multicast Address",
draft-ietf-mboned-embeddedrp-05 (work in progress), June 2004. draft-ietf-mboned-embeddedrp-07 (work in progress), July 2004.
[5] Barbir, A., Murphy, S. and Y. Yang, "Generic Threats to Routing [5] Barbir, A., Murphy, S. and Y. Yang, "Generic Threats to Routing
Protocols", draft-ietf-rpsec-routing-threats-06 (work in Protocols", draft-ietf-rpsec-routing-threats-06 (work in
progress), April 2004. progress), April 2004.
9.2 Informative References 9.2 Informative References
[6] Deering, S., "Host extensions for IP multicasting", STD 5, RFC [6] Deering, S., "Host extensions for IP multicasting", STD 5, RFC
1112, August 1989. 1112, August 1989.
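Review bot: reference [1] is missing its opening parenthesis in both columns: "Protocol Independent Multicast - Sparse Mode PIM-SM): Protocol Specification (Revised)" should read "Sparse Mode (PIM-SM): Protocol Specification (Revised)". The version bumps in this hunk (draft-ietf-pim-sm-v2-new-09 to -10, draft-ietf-ssm-arch-04 to -05, draft-ietf-mboned-embeddedrp-05 to -07, with their July 2004 dates) are otherwise consistent, while [5] draft-ietf-rpsec-routing-threats-06 is left at its April 2004 version in both columns, which is fine if no newer revision existed at publication time.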
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/