[Xorp-users] Security in my multicast

Pavlin Radoslavov pavlin at icir.org
Tue Jan 2 10:59:57 PST 2007


> With Xorp I can configure my multicast distribution tree, but any PC
> attached to any multicast router can access the tree if it knows the
> multicast address. How do I configure some kind of restriction? Something
> like keys or something like that.

The simple answer is: you can't (within XORP).
There are lots of issues in the multicast+security space, so there
is no easy or simple solution.

If you are looking for an end-to-end solution (above the IGMP and
PIM-SM level), this is the focus of the MSEC IETF Working Group:

http://www.securemulticast.org/msec-index.htm

See also RFC 3740 for a description of the MSEC architecture.

However, this work is relatively new and is not widely adopted.

The brute-force solution is just to disable IGMP on a particular
interface. This will stop all hosts connected to that interface from
using IGMP to join any multicast group.

If you need a finer granularity control (per interface per host),
you could try to use IPsec for the IGMP messages (between the
multicast router and the hosts allowed to join specific multicast
groups). However, getting it working is probably going to be a
nightmare (at best).
In addition, if a legitimate host has joined group X, this won't
prevent other hosts (connected to the same subnet) from receiving
the same multicast data.

Regards,
Pavlin
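
The per-interface IGMP disable described in the reply above, as an added example that is not part of the original message or taken from the XORP project: a XORP configuration fragment that keeps IGMP enabled on one interface and disables it on another. The interface names eth0 and eth1 are assumptions, and the fragment covers only the igmp block of a full configuration.

```conf
/* Added example. eth0 and eth1 are assumed interface names. */
protocols {
    igmp {
        disable: false

        /* eth0: hosts on this segment may join groups through IGMP. */
        interface eth0 {
            vif eth0 {
                disable: false
            }
        }

        /* eth1: IGMP is disabled here, so the router does not process
           membership reports arriving on this interface and no group
           can be joined from it through IGMP. */
        interface eth1 {
            vif eth1 {
                disable: true
            }
        }
    }
}
```

This restricts joins per interface only; hosts that share the eth0 segment still all receive whatever group traffic is forwarded onto it.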


