[Xorp-users] Multicast without PIM on internal interface while PIM on external

Pavlin Radoslavov pavlin@icir.org
Wed, 15 Jun 2005 13:16:11 -0700


> 	There are no other routers within the subnet, so there are no PIM 
> neighbors on it. No PIM messages should be received nor sent on it. 
> There are multicast hosts, so multicast packets should be routed to and 
> from the subnet. Hosts are not allowed to send PIM Register by themselves.

Just for the record, this is a copy of the reply I sent in another
(off-topic) thread:

===
The short answer is that currently XORP doesn't support it.
We would like to implement it, but it may take a while until we
design and implement it properly as part of a more general multicast
routing policy mechanism.
As a temporary solution we could add a PIM-SM configuration switch
per interface that disables the sending and receiving of all PIM
packets, but this switch may go away once we have the multicast
routing policy in place.
===

FYI, you cannot prevent the hosts from originating PIM Register
messages by applying the above solution, because the PIM Register
messages are directly unicast to the RP. You would either have to
apply firewall rules to filter those messages in all routers
directly connected to the hosts, or you would have to reconfigure
(if the configuration syntax allows that) your RP(s) to throw away
the PIM Register messages from those hosts.

If your RP is a XORP router, you should know that currently we don't
have a configuration option to selectively accept the PIM Register
messages, so for the time being you would have to use the
firewall rules to stop the PIM Register messages.
While on the subject, PIM Register-Stop messages are also unicast
(from the RP to the DRs), so if you are really paranoid you need to
protect your DRs against forged Register-Stop messages as well
(though, for such attack the attacker must use the RP address as the
source address).
In any case, such discussion moves us into the topic of multicast
security and implementation-wise there is much more we need to do
about it.

> > If you are sure that the NOCACHE message is triggered by IGMP messages, there might be a possibility that the FBSD kernel also contains a similar bug.
> 
> 	I'm almost sure. At the time I saw it there were no active PIM 
> routers on any interface (I have a static RP configured in), so NOCACHE 
> can't be triggered by PIM activity.

Can you replicate the problem by running a multicast receiver
(only)? I have suspicions that the multicast data packets originated
by an application that is both a sender and a receiver are the
trigger for the NOCACHE.

Pavlin
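As an added illustration of the firewall-rule workaround described in the reply above (not XORP code and not part of the original thread), here is a small Python model of the per-interface PIM filter a router directly connected to the hosts would apply. It assumes the standard numbers (PIM is IP protocol 103, Register is PIMv2 type 1, Register-Stop is type 2) and uses constructed addresses: router 192.0.2.1 on host subnet 192.0.2.0/24, RP 198.51.100.1.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

PIM_PROTO = 103        # IP protocol number assigned to PIM
PIM_REGISTER = 1       # PIMv2 Register: unicast from a DR to the RP
PIM_REGISTER_STOP = 2  # PIMv2 Register-Stop: unicast from the RP back to a DR

def parse_pim(packet: bytes):
    """Return (src, dst, version, type) for an IPv4 packet carrying PIM, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PIM_PROTO or len(packet) < ihl + 4:
        return None
    # PIM header: 4-bit version, 4-bit type, 8-bit reserved, 16-bit checksum
    return (IPv4Address(packet[12:16]), IPv4Address(packet[16:20]),
            packet[ihl] >> 4, packet[ihl] & 0x0F)

def pim_filter(packet: bytes, host_subnet: str, trusted_routers, rp: str) -> str:
    """Verdict for a packet seen on the router's host-facing interface."""
    parsed = parse_pim(packet)
    if parsed is None:
        return "accept"  # not PIM: leave it to the rest of the ruleset
    src, dst, version, pim_type = parsed
    if version != 2:
        return f"drop: unsupported PIM version {version}"
    if src in IPv4Network(host_subnet) and src not in {IPv4Address(a) for a in trusted_routers}:
        # Hosts on a PIM-less segment must not originate any PIM message;
        # this is what keeps a host from sending Register to the RP.
        return f"drop: PIM type {pim_type} from host {src}"
    if pim_type == PIM_REGISTER_STOP and src != IPv4Address(rp):
        return f"drop: Register-Stop from {src}, which is not the RP"
    return "accept"

def build_pim(src: str, dst: str, pim_type: int) -> bytes:
    """Constructed test packet: minimal IPv4 header + PIMv2 header, checksums left zero."""
    pim = struct.pack("!BBH", (2 << 4) | pim_type, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(pim), 0, 0, 1, PIM_PROTO, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + pim

if __name__ == "__main__":
    # Constructed addresses: router 192.0.2.1 on host subnet 192.0.2.0/24, RP 198.51.100.1
    for pkt in (build_pim("192.0.2.50", "198.51.100.1", PIM_REGISTER),
                build_pim("192.0.2.1", "198.51.100.1", PIM_REGISTER),
                build_pim("203.0.113.9", "192.0.2.1", PIM_REGISTER_STOP)):
        print(pim_filter(pkt, "192.0.2.0/24", {"192.0.2.1"}, "198.51.100.1"))
```

The Register-Stop source check only rejects messages that do not claim the RP address; as the reply notes, a forged Register-Stop that already uses the RP address as its source passes such a filter, so the DRs need additional protection against that case.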